I am infected with the ZeroAccess Rootkit


  • This topic is locked
72 replies to this topic

#1 signofzeta

  • Members
  • 421 posts

Posted 31 March 2012 - 09:24 PM

I found out that the Security Center Service won't start, so I sought help here.

http://www.techspot.com/vb/topic177460.html

After a month and a bit, and whatever the instructions told me to do in that thread, I found that ComboFix found a ZeroAccess Rootkit, and that it won't get rid of the Rootkit. The result there is to reformat the computer and reinstall OS.

Now what I ask here is, does anybody know how to salvage this operation, or is my computer toast?

Ok, since Combofix is downloaded from this site, perhaps you can shed some light on it. This is what happened the multiple times I ran ComboFix:

I'm running combofix again, to see if there is anything different since the last time I ran it.

The blue screen says:

-Scanning for infected files...
-This typically doesn't take more than 10 minutes
-However, scan times for badly infected machines may easily double.

The blue screen doesn't say anything else other than the 3 lines above.

I am going to tell you the windows that pop up, and what options I could click on, and what I did.

First popup screen titled ComboFix - ZeroAccess

-It says I am infected with Zero Access and it is inserted into the TCP/IP stack.
-There is only one thing to click, and that is OK
-I click OK

The blue screen hasn't changed.

Another popup has appeared whose title is ROOTKIT.

-The contents of this message says "rootkit has appeared so this may take longer"
-The only option to click is OK, which I didn't, because I was typing this and I was too slow to react, and the screen changed
-Even if I did click on OK, it wouldn't matter anyway, since the last time I did this, I clicked OK.

Blue screen still stays the same

Final popup message saying Rootkit !!

-It says that Combofix detected a presence of rootkit activity and needs to restart the machine
-The option I can only click on is OK
-I click on OK

I let my machine reboot in normal mode

My machine loaded up the desktop, and all the normal stuff

Combofix didn't automatically start up to finish what it was doing, nor did a txt file pop up. The txt file isn't found in the C:\ folder or any subfolders.


So it seems that after Combofix tells me to reboot the machine, which it did, and my computer loads up the desktop after the reboot, my computer acted as if nothing happened, and that I didn't run Combofix, which I clearly did.

So far, from that thread, every instruction worked, and I could post logs, so perhaps, if you could solve this Combofix ZeroAccess Rootkit problem, and the fact that Combofix didn't produce me a log, perhaps, after you fix it, and Combofix finally gives me a log, I could post that log in that original thread that went in circles.

What I did before this is all posted in that thread in the link, and that right before I started this thread, I ran Malwarebytes quick scan, and it found nothing.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

Anyway, if you could restart the whole cleaning process from scratch, what should I do? All you need to know is that my computer has a ZeroAccess Rootkit, and that Combofix can't fix it.

More information about this is that I am using Windows Vista Home 32bit. Even more information is posted in that thread, which stems from the fact that Windows Firewall won't turn on, nor does Windows Defender update. Could this be related to the ZeroAccess Rootkit?

(Moderator edit: moved at CatByte's request. jgw)

Edited by jgweed, 01 April 2012 - 07:58 AM.



#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 31 March 2012 - 10:35 PM

The infection is still active on your computer and there are several other issues that need attention. However, we don't recommend that you have a thread open on more than one forum.

Helpers are volunteers who donate their time to assist others freely; using the time of two helpers in two forums takes the helper(s) away from assisting another person.

If you would like assistance here, then please close your thread at the other forum, if not, then please continue on with the helper there.

thank-you

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 signofzeta
  • Topic Starter
  • Members
  • 421 posts

Posted 01 April 2012 - 12:03 AM

When someone says to reinstall and reformat the OS, it is usually game over, so I am posting this here to shed some light on other ways to get around this mess, and I'm sure the help there is done, and that it won't go any further, so I am seeking help here.

You can use that thread to look at the logs and what kind of scans I did during the cleaning process, because I don't want to not tell you what changes I made to my machine, and how I can get around this "Combofix can't get rid of Rootkit ZeroAccess", and "Combofix can't produce a log" mess.

Anyway, tell me if I am allowed to do these things to my computer during the cleaning process in case it takes very long.

1. Open Word documents and Excel Spreadsheets, so I can do my school work.
2. Run old offline games that I have installed via CD (this means that they never use the Internet).
3. Shut down the computer from time to time.
4. Hibernate the computer from time to time.

Edited by signofzeta, 01 April 2012 - 12:42 AM.


#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 01 April 2012 - 06:52 AM

Hi,

You mentioned you would continue with the other thread by posting a ComboFix log there when you are able to get it to run.

If you would like help here then please close the thread at the other forum.

Thank-you.

Yes, you can use the computer for all the activities you describe; just be cautious about saving anything to a USB and transferring it to another computer. A .doc file should be fine.

I will have a mod move this thread to the virus removal forum then if you choose to continue here.


Please run the following:


For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • type exit and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.



#5 signofzeta
  • Topic Starter
  • Members
  • 421 posts

Posted 01 April 2012 - 03:12 PM

Ok, just to let you know, that other thread is officially closed, and I will get help here from now on, until the computer is clean.

--------------------------------------------------------------------------------------------------------------------------------------------------------

FRST log

Scan result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 14-03-2012
Ran by SYSTEM at 01-04-2012 14:53:35
Running from F:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL [33128 2008-11-04] (Microsoft Corporation)
HKLM\...\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe" [104936 2008-07-18] (CyberLink)
HKLM\...\Run: [P2Go_Menu] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [210216 2008-06-13] (CyberLink Corp.)
HKLM\...\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [30192 2010-06-22] (Google)
HKLM\...\Run: [HControlUser] "C:\Program Files\ATK Hotkey\HcontrolUser.exe" [98304 2008-01-11] ()
HKLM\...\Run: [ATKOSD2] C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe [7651328 2008-07-15] (ASUS)
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1029416 2007-12-06] (Synaptics, Inc.)
HKLM\...\Run: [ADSMTray] C:\Program Files\ASUS\ASUS Data Security Manager\ADSMTray.exe [266240 2008-03-31] (ASUSTek Computer Inc.)
HKLM\...\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMedia.exe [159744 2008-06-24] (ASUS)
HKLM\...\Run: [ASUSTPE] C:\Windows\system32\ASUSTPE.exe [106496 2007-10-11] (ASUS)
HKLM\...\Run: [ASUS Camera ScreenSaver] C:\Windows\AsScrProlog.exe [47672 2009-04-07] ()
HKLM\...\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe [33136 2009-04-07] ()
HKLM\...\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" [37888 2009-07-01] ()
HKLM\...\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fsui.exe" -autorun [647528 2010-04-28] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [249064 2010-10-29] (Sun Microsystems, Inc.)
HKLM\...\Run: [MaxMenuMgr] "C:\seagate\FreeAgent Status\StxMenuMgr.exe" [185640 2009-09-25] (Seagate LLC)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13789728 2009-07-01] (NVIDIA Corporation)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-09-08] (Apple Inc.)
HKLM\...\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [981680 2012-01-13] (Malwarebytes Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [35736 2011-01-30] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-11-10] (Adobe Systems Incorporated)
HKLM\...\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" [17408 2010-07-04] ()
HKLM\...\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min [258512 2011-12-15] (Avira Operations GmbH & Co. KG)
HKU\Administrator\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Administrator\...\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2008-06-09] (Hewlett-Packard Company)
HKU\Administrator\...\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-04-07] (Google Inc.)
HKU\Administrator\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [3872080 2010-04-16] (Microsoft Corporation)
HKU\Administrator\...\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun [691656 2009-04-23] (DT Soft Ltd)
HKU\Administrator\...\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent [x]
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\George\...\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2008-06-09] (Hewlett-Packard Company)
HKU\George\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-04-07] (Google Inc.)
HKU\George\...\Policies\system: [DisableCMD] 0
HKU\George\...\Policies\system: [DisableRegistryTools] 0
HKU\Administrator\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Administrator\...\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2008-06-09] (Hewlett-Packard Company)
HKU\Administrator\...\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-04-07] (Google Inc.)
HKU\Administrator\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [3872080 2010-04-16] (Microsoft Corporation)
HKU\Administrator\...\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun [691656 2009-04-23] (DT Soft Ltd)
HKU\Administrator\...\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent [x]
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\George\...\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2008-06-09] (Hewlett-Packard Company)
HKU\George\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-04-07] (Google Inc.)
HKU\George\...\Policies\system: [DisableCMD] 0
HKU\George\...\Policies\system: [DisableRegistryTools] 0
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
Lsa: [Notification Packages] scecli
C:\Program Files\ASUS\ASUS Data Security Manager\ASPWDFLT

================================ Services (Whitelisted) ==================

2 ADSMService; C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe [225280 2008-03-31] (ASUSTek Computer Inc.)
2 AntiVirSchedulerService; "C:\Program Files\Avira\AntiVir Desktop\sched.exe" [86224 2011-12-15] (Avira Operations GmbH & Co. KG)
2 AntiVirService; "C:\Program Files\Avira\AntiVir Desktop\avguard.exe" [110032 2011-12-15] (Avira Operations GmbH & Co. KG)
2 ASLDRService; C:\Program Files\ATK Hotkey\ASLDRSrv.exe [94208 2007-10-02] ()
2 ATKGFNEXSrv; C:\Program Files\ATKGFNEX\GFNEXSrv.exe [94208 2007-08-07] ()
2 FreeAgentGoNext Service; C:\seagate\Sync\FreeAgentService.exe [189736 2009-09-25] (Seagate Technology LLC)
3 GoogleDesktopManager-051210-111108; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [30192 2010-06-22] (Google)
2 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [135664 2010-10-06] (Google Inc.)
3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [135664 2010-10-06] (Google Inc.)
2 NMSAccessU; C:\Program Files\CDBurnerXP\NMSAccessU.exe [71096 2009-07-13] ()
2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [75064 2010-01-20] ()
2 PnkBstrB; C:\Windows\system32\PnkBstrB.exe [189744 2012-02-09] ()
3 DAUpdaterSvc; C:\DragonAgeOrigins\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [x]

========================== Drivers (Whitelisted) =============

0 AsDsm; C:\Windows\System32\Drivers\AsDsm.sys [29752 2007-08-10] (Windows ® Codename Longhorn DDK provider)
2 ASMMAP; \??\C:\Program Files\ATKGFNEX\ASMMAP.sys [13880 2007-07-24] ()
2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [74640 2011-12-15] (Avira GmbH)
1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [137416 2012-02-16] (Avira GmbH)
1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [36000 2011-12-15] (Avira GmbH)
2 DgiVecp; \??\C:\Windows\system32\Drivers\DgiVecp.sys [38400 2009-10-12] (Samsung Electronics Co., Ltd.)
3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [25280 2009-08-01] (LogMeIn, Inc.)
3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [15928 2008-06-02] ( )
0 lullaby; C:\Windows\System32\DRIVERS\lullaby.sys [15416 2008-05-29] (Windows ® Codename Longhorn DDK provider)
4 Mraid35x; C:\Windows\System32\drivers\mraid35x.sys [33384 2006-11-02] (LSI Logic Corporation)
3 MTsensor; C:\Windows\System32\DRIVERS\ATKACPI.sys [7680 2006-12-13] (ATK0100)
3 SiSGbeLH; C:\Windows\System32\DRIVERS\SiSGB6.sys [48128 2008-09-08] (Silicon Integrated Systems Corp.)
4 SiSRaid2; C:\Windows\System32\drivers\sisraid2.sys [41016 2008-01-20] (Microsoft Corporation)
3 smserial; C:\Windows\System32\DRIVERS\smserial.sys [1010560 2006-11-01] (Motorola Inc.)
3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1752704 2008-08-10] ()
0 sptd; C:\Windows\System32\Drivers\sptd.sys [721904 2009-07-17] (Duplex Secure Ltd.)
1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2010-06-17] (Avira GmbH)
2 SSPORT; \??\C:\Windows\system32\Drivers\SSPORT.sys [5120 2009-10-12] (Samsung Electronics)
4 UlSata; C:\Windows\System32\drivers\ulsata.sys [98408 2006-11-02] (Promise Technology, Inc.)
4 ulsata2; C:\Windows\System32\drivers\ulsata2.sys [115816 2008-01-20] (Promise Technology, Inc.)
3 WmFilter; C:\Windows\System32\drivers\WmFilter.sys [21216 2003-05-14] (Logitech Inc.)
3 xnacc; C:\Windows\System32\DRIVERS\xnacc.sys [521216 2008-01-20] (Microsoft Corporation)
3 xusb21; C:\Windows\System32\DRIVERS\xusb21.sys [56448 2009-04-08] (Microsoft Corporation)
3 catchme; \??\C:\Users\George\AppData\Local\Temp\catchme.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-03-31 11:13 - 2012-03-31 11:25 - 0000000 ___SD C:\Poopyhead
2012-03-31 11:10 - 2012-03-31 11:10 - 4452445 ____R (Swearware) C:\Users\George\Desktop\Poopyhead.exe
2012-03-31 11:10 - 2012-03-31 11:10 - 4452445 ____R (Swearware) C:\Documents and Settings\George\Desktop\Poopyhead.exe
2012-03-12 18:30 - 2012-03-12 18:30 - 0002934 ____A C:\Users\George\Desktop\FSS.txt
2012-03-12 18:30 - 2012-03-12 18:30 - 0002934 ____A C:\Documents and Settings\George\Desktop\FSS.txt
2012-03-12 18:28 - 2012-03-12 18:28 - 0337137 ____A C:\Users\George\Desktop\FSS.exe
2012-03-12 18:28 - 2012-03-12 18:28 - 0337137 ____A C:\Documents and Settings\George\Desktop\FSS.exe
2012-03-02 20:31 - 2012-03-02 20:37 - 0000000 ___SD C:\mandrake
2012-03-02 20:25 - 2012-03-02 20:25 - 0294400 ____A C:\Users\George\Desktop\exeHelper.com
2012-03-02 20:25 - 2012-03-02 20:25 - 0294400 ____A C:\Documents and Settings\George\Desktop\exeHelper.com
2012-03-02 20:24 - 2012-03-02 20:24 - 1008141 ____A C:\Users\George\Desktop\rkill.exe
2012-03-02 20:24 - 2012-03-02 20:24 - 1008141 ____A C:\Documents and Settings\George\Desktop\rkill.exe
2012-03-02 20:09 - 2012-03-02 20:16 - 0000000 ___SD C:\friday32470f
2012-03-02 19:51 - 2012-03-31 11:13 - 0000000 ___SD C:\32788R22FWJFW


============ 3 Months Modified Files and Folders ===============

2012-04-01 14:52 - 2012-04-01 14:52 - 0000000 ____D C:\FRST
2012-04-01 11:47 - 2008-04-13 19:50 - 0000012 ____A C:\Windows\bthservsdp.dat
2012-04-01 11:47 - 2006-11-02 05:01 - 0032618 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-04-01 11:47 - 2006-11-02 05:01 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-04-01 11:47 - 2006-11-02 04:47 - 0003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-04-01 11:47 - 2006-11-02 04:47 - 0003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-04-01 11:45 - 2010-10-06 09:51 - 0000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-04-01 11:45 - 2009-06-07 16:08 - 0048734 ____A C:\Users\All Users\nvModes.001
2012-04-01 11:45 - 2009-06-07 16:08 - 0048734 ____A C:\ProgramData\nvModes.001
2012-04-01 11:45 - 2009-06-07 16:08 - 0048734 ____A C:\Documents and Settings\All Users\nvModes.001
2012-04-01 11:45 - 2009-06-07 16:06 - 0048734 ____A C:\Users\All Users\nvModes.dat
2012-04-01 11:45 - 2009-06-07 16:06 - 0048734 ____A C:\ProgramData\nvModes.dat
2012-04-01 11:45 - 2009-06-07 16:06 - 0048734 ____A C:\Documents and Settings\All Users\nvModes.dat
2012-04-01 11:45 - 2009-04-07 06:32 - 2089889 ____A C:\Windows\WindowsUpdate.log
2012-03-31 17:56 - 2010-10-06 09:50 - 0000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-03-31 11:35 - 2006-11-02 02:33 - 0818290 ____A C:\Windows\System32\PerfStringBackup.INI
2012-03-31 11:30 - 2009-06-07 19:42 - 0000420 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{25D39F52-AFBC-4213-A160-F2C344AEDA86}.job
2012-03-31 11:30 - 2009-04-07 08:17 - 0045056 ____A C:\Windows\System32\acovcnt.exe
2012-03-31 11:28 - 2012-02-26 22:24 - 3220463616 __ASH C:\hiberfil.sys
2012-03-31 11:28 - 2009-06-07 14:49 - 0000000 ____D C:\Program Files\Microsoft Silverlight
2012-03-31 11:28 - 2008-01-20 18:47 - 0426860 ____A C:\Windows\PFRO.log
2012-03-31 11:25 - 2012-03-31 11:13 - 0000000 ___SD C:\Poopyhead
2012-03-31 11:13 - 2012-03-02 19:51 - 0000000 ___SD C:\32788R22FWJFW
2012-03-31 11:10 - 2012-03-31 11:10 - 4452445 ____R (Swearware) C:\Users\George\Desktop\Poopyhead.exe
2012-03-31 11:10 - 2012-03-31 11:10 - 4452445 ____R (Swearware) C:\Documents and Settings\George\Desktop\Poopyhead.exe
2012-03-20 00:42 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\Microsoft.NET
2012-03-13 00:20 - 2009-04-07 06:41 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-03-13 00:20 - 2009-04-07 06:41 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-03-13 00:20 - 2009-04-07 06:41 - 0000000 ____D C:\Documents and Settings\All Users\Microsoft Help
2012-03-12 18:50 - 2011-03-05 12:20 - 0000000 ____D C:\Users\George\Desktop\AV logs
2012-03-12 18:50 - 2011-03-05 12:20 - 0000000 ____D C:\Documents and Settings\George\Desktop\AV logs
2012-03-12 18:30 - 2012-03-12 18:30 - 0002934 ____A C:\Users\George\Desktop\FSS.txt
2012-03-12 18:30 - 2012-03-12 18:30 - 0002934 ____A C:\Documents and Settings\George\Desktop\FSS.txt
2012-03-12 18:28 - 2012-03-12 18:28 - 0337137 ____A C:\Users\George\Desktop\FSS.exe
2012-03-12 18:28 - 2012-03-12 18:28 - 0337137 ____A C:\Documents and Settings\George\Desktop\FSS.exe
2012-03-02 20:37 - 2012-03-02 20:31 - 0000000 ___SD C:\mandrake
2012-03-02 20:30 - 2012-02-26 20:09 - 0001656 ____A C:\Users\George\Desktop\exehelperlog.txt
2012-03-02 20:30 - 2012-02-26 20:09 - 0001656 ____A C:\Documents and Settings\George\Desktop\exehelperlog.txt
2012-03-02 20:29 - 2011-02-28 17:43 - 0000413 ____A C:\rkill.log
2012-03-02 20:25 - 2012-03-02 20:25 - 0294400 ____A C:\Users\George\Desktop\exeHelper.com
2012-03-02 20:25 - 2012-03-02 20:25 - 0294400 ____A C:\Documents and Settings\George\Desktop\exeHelper.com
2012-03-02 20:24 - 2012-03-02 20:24 - 1008141 ____A C:\Users\George\Desktop\rkill.exe
2012-03-02 20:24 - 2012-03-02 20:24 - 1008141 ____A C:\Documents and Settings\George\Desktop\rkill.exe
2012-03-02 20:16 - 2012-03-02 20:09 - 0000000 ___SD C:\friday32470f
2012-02-29 06:39 - 2009-06-07 15:04 - 0000000 ____D C:\Program Files\Mozilla Firefox
2012-02-26 22:16 - 2011-02-12 12:30 - 1385110 ____A C:\Windows\ntbtlog.txt
2012-02-26 22:13 - 2012-02-26 22:01 - 0000000 ___SD C:\friday15101f
2012-02-26 21:13 - 2012-02-26 21:07 - 0000000 ___SD C:\friday1938f
2012-02-26 21:01 - 2012-02-26 20:49 - 0076562 ____A C:\TDSSKiller.2.7.14.0_26.02.2012_22.49.49_log.txt
2012-02-26 20:57 - 2012-02-17 23:18 - 0000000 ____D C:\TDSSKiller_Quarantine
2012-02-26 20:48 - 2012-02-26 20:48 - 0000000 ____D C:\Users\George\Desktop\tdsskiller(1)
2012-02-26 20:48 - 2012-02-26 20:48 - 0000000 ____D C:\Documents and Settings\George\Desktop\tdsskiller(1)
2012-02-26 20:18 - 2012-02-26 20:12 - 0000000 ___SD C:\friday
2012-02-20 20:14 - 2012-02-20 20:14 - 0000761 ____A C:\Windows\System32\Drivers\etc\hosts
2012-02-18 09:16 - 2012-02-18 09:16 - 0000134 ____A C:\Users\George\Desktop\hosts-perm(1).bat
2012-02-18 09:16 - 2012-02-18 09:16 - 0000134 ____A C:\Documents and Settings\George\Desktop\hosts-perm(1).bat
2012-02-17 23:34 - 2012-02-17 23:34 - 0000000 ____D C:\Qoobox
2012-02-17 23:34 - 2011-03-05 23:16 - 0000000 ____D C:\Windows\ERDNT
2012-02-17 23:30 - 2012-02-17 23:26 - 0076562 ____A C:\TDSSKiller.2.7.13.0_18.02.2012_01.26.57_log.txt
2012-02-17 23:26 - 2012-02-17 23:19 - 0150158 ____A C:\TDSSKiller.2.7.13.0_18.02.2012_01.19.53_log.txt
2012-02-17 23:18 - 2012-02-17 23:17 - 0076562 ____A C:\TDSSKiller.2.7.13.0_18.02.2012_01.17.04_log.txt
2012-02-17 23:15 - 2012-02-17 23:15 - 0000000 ____D C:\Users\George\Desktop\tdsskiller
2012-02-17 23:15 - 2012-02-17 23:15 - 0000000 ____D C:\Documents and Settings\George\Desktop\tdsskiller
2012-02-17 22:53 - 2009-06-07 14:41 - 0000000 ____D C:\Users\George\AppData\LocalLow
2012-02-17 22:53 - 2009-06-07 14:41 - 0000000 ____D C:\Documents and Settings\George\AppData\LocalLow
2012-02-16 18:16 - 2012-02-16 18:16 - 0000000 ____D C:\_OTL
2012-02-16 18:16 - 2009-06-10 11:10 - 0000000 ____D C:\Program Files\BitComet
2012-02-16 18:09 - 2012-01-31 05:57 - 0137416 ____A (Avira GmbH) C:\Windows\System32\Drivers\avipbb.sys
2012-02-12 10:59 - 2010-06-24 16:59 - 0000258 _RASH C:\Users\All Users\ntuser.pol
2012-02-12 10:59 - 2010-06-24 16:59 - 0000258 _RASH C:\ProgramData\ntuser.pol
2012-02-12 10:59 - 2010-06-24 16:59 - 0000258 _RASH C:\Documents and Settings\All Users\ntuser.pol
2012-02-12 10:56 - 2011-03-06 11:39 - 0000000 __SHD C:\$RECYCLE.BIN
2012-02-12 10:43 - 2006-11-02 03:18 - 0000000 _SHDC C:\Windows\$NtUninstallKB56683$
2012-02-11 15:36 - 2010-11-28 20:53 - 0000680 ____A C:\Users\George\AppData\Local\d3d9caps.dat
2012-02-11 15:36 - 2010-11-28 20:53 - 0000680 ____A C:\Documents and Settings\George\AppData\Local\d3d9caps.dat
2012-02-11 14:26 - 2012-01-01 22:03 - 0000913 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-02-11 14:26 - 2012-01-01 22:03 - 0000913 ____A C:\Documents and Settings\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-02-11 14:26 - 2012-01-01 22:01 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-02-09 01:56 - 2009-08-14 06:03 - 0189744 ____A C:\Windows\System32\PnkBstrB.xtr
2012-02-09 01:56 - 2009-06-07 18:32 - 0189744 ____A C:\Windows\System32\PnkBstrB.exe
2012-02-05 21:40 - 2009-06-16 20:19 - 0131584 ____A C:\Users\George\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-02-05 21:40 - 2009-06-16 20:19 - 0131584 ____A C:\Documents and Settings\George\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-02-03 17:13 - 2009-06-07 18:33 - 0139904 ____A C:\Windows\System32\Drivers\PnkBstrK.sys
2012-01-31 06:09 - 2009-06-07 14:54 - 0000000 ____D C:\Users\George\AppData\Local\Google
2012-01-31 06:09 - 2009-06-07 14:54 - 0000000 ____D C:\Documents and Settings\George\AppData\Local\Google
2012-01-31 06:04 - 2012-01-31 06:04 - 0000000 ____D C:\Users\George\AppData\Roaming\Avira
2012-01-31 06:04 - 2012-01-31 06:04 - 0000000 ____D C:\Documents and Settings\George\AppData\Roaming\Avira
2012-01-31 05:58 - 2012-01-31 05:58 - 0001854 ____A C:\Users\Public\Desktop\Avira Control Center.lnk
2012-01-31 05:58 - 2012-01-31 05:58 - 0001854 ____A C:\Documents and Settings\Public\Desktop\Avira Control Center.lnk
2012-01-31 05:58 - 2012-01-31 05:57 - 0000000 ____D C:\Users\All Users\Avira
2012-01-31 05:58 - 2012-01-31 05:57 - 0000000 ____D C:\ProgramData\Avira
2012-01-31 05:58 - 2012-01-31 05:57 - 0000000 ____D C:\Documents and Settings\All Users\Avira
2012-01-31 05:57 - 2012-01-31 05:57 - 0000000 ____D C:\Program Files\Avira
2012-01-31 05:43 - 2010-12-25 20:51 - 0000000 ____D C:\Users\George\AppData\Roaming\Skype
2012-01-31 05:43 - 2010-12-25 20:51 - 0000000 ____D C:\Documents and Settings\George\AppData\Roaming\Skype
2012-01-30 18:02 - 2012-01-30 18:02 - 0000000 ____D C:\Users\George\AppData\Roaming\Help
2012-01-30 18:02 - 2012-01-30 18:02 - 0000000 ____D C:\Documents and Settings\George\AppData\Roaming\Help
2012-01-30 17:57 - 2009-06-07 14:39 - 0000000 ____D C:\Users\George\AppData\Roaming\Media Center Programs
2012-01-30 17:57 - 2009-06-07 14:39 - 0000000 ____D C:\Documents and Settings\George\AppData\Roaming\Media Center Programs
2012-01-29 13:27 - 2006-11-02 04:37 - 0000000 ____D C:\Windows\twain_32
2012-01-24 15:22 - 2012-01-24 15:22 - 0009391 ____A C:\Users\George\Documents\propassign2.ods
2012-01-24 15:22 - 2012-01-24 15:22 - 0009391 ____A C:\Documents and Settings\George\Documents\propassign2.ods
2012-01-24 12:37 - 2012-01-17 05:43 - 0000000 ____D C:\Users\George\AppData\Roaming\Appe
2012-01-24 12:37 - 2012-01-17 05:43 - 0000000 ____D C:\Documents and Settings\George\AppData\Roaming\Appe
2012-01-23 23:21 - 2012-01-17 05:43 - 0000000 ____D C:\Users\George\AppData\Roaming\Kalaaf
2012-01-23 23:21 - 2012-01-17 05:43 - 0000000 ____D C:\Documents and Settings\George\AppData\Roaming\Kalaaf
2012-01-07 23:18 - 2009-07-23 17:57 - 0000000 ____D C:\Program Files\Common Files\Steam
2012-01-06 17:38 - 2012-01-06 17:38 - 0041517 ____A C:\Users\George\Desktop\dkaeventdeck.jpg
2012-01-06 17:38 - 2012-01-06 17:38 - 0041517 ____A C:\Documents and Settings\George\Desktop\dkaeventdeck.jpg
2012-01-05 18:42 - 2012-01-05 18:42 - 0138338 ____A C:\Users\George\Desktop\dkaintropacks.jpg
2012-01-05 18:42 - 2012-01-05 18:42 - 0138338 ____A C:\Documents and Settings\George\Desktop\dkaintropacks.jpg
2012-01-04 14:15 - 2006-11-02 02:24 - 52128560 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 12%
Total physical RAM: 4094.47 MB
Available physical RAM: 3580.67 MB
Total Pagefile: 3807.21 MB
Available Pagefile: 3651.88 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB

======================= Partitions =========================

1 Drive c: (VistaOS) (Fixed) (Total:116.44 GB) (Free:9.74 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: (DATA) (Fixed) (Total:104.73 GB) (Free:14.06 GB) NTFS
4 Drive f: (GEORGE'S IP) (Removable) (Total:0.48 GB) (Free:0.04 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 1559 KB
Disk 1 Online 489 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 12 GB 32 KB
Partition 2 Primary 116 GB 12 GB
Partition 0 Extended 105 GB 128 GB
Partition 3 Logical 105 GB 128 GB

======================================================================================================

Disk: 0
Partition 1
Type : 1C
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C VistaOS NTFS Partition 116 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D DATA NTFS Partition 105 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 488 MB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 F GEORGE'S IP FAT32 Removable 488 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-03-31 11:36

======================= End Of Log ==========================

#6 CatByte (Malware Response Team)

Posted 01 April 2012 - 04:12 PM

Hi

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
script removed
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options, then select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


Now restart, let it boot normally and tell me how it went.



NEXT

Please download RestoreBFE.exe from here

Double click on the downloaded file. It should only take a few seconds to run.
When complete, it will say "Done!"


NEXT




Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /rp /s
    DRIVES
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

Edited by CatByte, 03 July 2012 - 09:39 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
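
As an added example for this thread (not OTL, FRST, RestoreBFE or anything CatByte posted), the Python below triages OTL-style log lines of the kind the post above asks for: orphaned DRV/SRV entries that still reference a missing image, a Firefox HTTP proxy pointed at loopback, Winlogon Shell/UserInit values that do not resolve to the expected Windows binaries, and hidden+system files with random-looking names. The sample lines are constructed to mirror the format of the OTL log posted later in this thread. The regexes, the "high"/"review" labels, the random-name heuristic and the expected Winlogon suffixes are this example's own assumptions; a flag is a prompt for a human to look, not a verdict of infection.

```python
"""Triage OTL-style log lines for the indicators a malware responder checks first.

Added example for this thread; not OTL, FRST or the helper's own tooling.
Regexes follow the line shapes OTL prints. Severity labels, the random-name
heuristic and the expected Winlogon values are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample, mirroring the format of the OTL log posted in this thread.
SAMPLE_LOG = r"""
DRV - (catchme) -- C:\Users\George\AppData\Local\Temp\catchme.sys File not found
DRV - (aac5j1gx) -- File not found
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
SRV - (DAUpdaterSvc) -- D:\DragonAgeOrigins\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe File not found
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 64242
FF - prefs.js..network.proxy.type: 0
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
[2012/01/02 00:00:30 | 000,010,432 | -HS- | C] () -- C:\ProgramData\bsc7o1i0dbmi
[2012/04/01 17:41:00 | 000,027,648 | ---- | C] () -- C:\Users\George\Desktop\RestoreBFE.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "review" (this example's own labels)
    reason: str
    line: str


SERVICE_RE = re.compile(r"^(?P<kind>DRV|SRV) - \((?P<name>[^)]*)\).*? -- (?P<rest>.*)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js\.\.(?P<key>[\w.]+): (?P<val>.*)$")
WINLOGON_RE = re.compile(
    r"^O20 - HKLM Winlogon: (?P<key>Shell|UserInit) - \([^)]*\) - (?P<path>.*?)(?: \([^()]*\))?$")
FILE_RE = re.compile(
    r"^\[[^|]+\| *[\d,]+ \| (?P<attr>[\w-]{4}) \| [CM]\] (?:\([^)]*\) )?-- (?P<path>.*)$")

# Suffix (case-insensitive) the Winlogon values end with on a clean Vista install
# (assumption of this example; adjust for other Windows versions).
EXPECTED_WINLOGON = {"Shell": "\\windows\\explorer.exe",
                     "UserInit": "\\windows\\system32\\userinit.exe"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def looks_random(name: str) -> bool:
    """Heuristic: 8+ alphanumerics mixing letters and digits (e.g. bsc7o1i0dbmi)."""
    return (len(name) >= 8 and name.isalnum()
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def triage(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    ff: Dict[str, str] = {}
    proxy_line = ""
    for raw in lines:
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            kind, name, rest = m.group("kind"), m.group("name"), m.group("rest")
            if rest == "File not found":            # registered with no image path at all
                sev = "high" if looks_random(name) else "review"
                why = f"{kind} {name}: no image path"
                if sev == "high":
                    why += " and a random-looking name"
                findings.append(Finding(sev, why, line))
            elif rest.endswith("File not found"):   # path recorded, file gone
                findings.append(Finding("review", f"{kind} {name}: image missing (orphaned entry)", line))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff[m.group("key")] = m.group("val").strip().strip('"')
            if m.group("key") == "network.proxy.http":
                proxy_line = line
            continue
        m = WINLOGON_RE.match(line)
        if m:
            key, path = m.group("key"), m.group("path")
            if not path.lower().endswith(EXPECTED_WINLOGON[key]):
                findings.append(Finding("high", f"Winlogon {key} points at unexpected binary: {path}", line))
            continue
        m = FILE_RE.match(line)
        if m:
            attr, path = m.group("attr"), m.group("path")
            base = path.rsplit("\\", 1)[-1]
            if "H" in attr and "S" in attr and "D" not in attr and "." not in base and looks_random(base):
                findings.append(Finding("high", f"hidden+system file with random-looking name: {path}", line))
    # Firefox proxy is judged once all prefs.js lines are seen.
    # network.proxy.type 1 = manual proxy in use; 0 = direct connection.
    host = ff.get("network.proxy.http", "")
    if host in LOOPBACK:
        ptype = ff.get("network.proxy.type", "?")
        active = ptype == "1"
        port = ff.get("network.proxy.http_port", "?")
        state = "manual proxy enabled" if active else f"not active (network.proxy.type={ptype})"
        findings.append(Finding("high" if active else "review",
                                f"Firefox HTTP proxy points at loopback {host}:{port}, {state}", proxy_line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it against a saved OTL.txt with `triage(open("OTL.txt", encoding="utf-8", errors="replace"))`. On the constructed sample it flags the driver registered with no image path and a random name, the hidden+system file with a random name, the two orphaned entries, and the loopback Firefox proxy (as "review" only, because `network.proxy.type` is 0 and the proxy is therefore not in effect).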


#7 signofzeta (Topic Starter)

Posted 01 April 2012 - 06:09 PM

My computer seems to have rebooted normally, although I didn't check whether Security Center has been fixed yet.

-----------------------------------------------------------------------------------------------------------------------------

Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 14-03-2012
Ran by SYSTEM at 2012-04-01 17:33:32 R:1
Running from F:\AV2012

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.

========= remdir C:\Windows\$NtUninstallKB56683$ =========

'remdir' is not recognized as an internal or external command,
operable program or batch file.

========= End of CMD: =========


==== End of Fixlog ====

--------------------------------------------------------------------------------------------------------------

OTL.txt (I didn't get an Extras.txt)

OTL logfile created on: 4/1/2012 5:45:53 PM - Run 4
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Users\George\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.10 Gb Available Physical Memory | 69.94% Memory free
6.19 Gb Paging File | 5.34 Gb Available in Paging File | 86.16% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 116.44 Gb Total Space | 11.56 Gb Free Space | 9.93% Space Free | Partition Type: NTFS
Drive D: | 104.73 Gb Total Space | 19.08 Gb Free Space | 18.22% Space Free | Partition Type: NTFS
Drive H: | 487.52 Mb Total Space | 36.77 Mb Free Space | 7.54% Space Free | Partition Type: FAT32

Computer Name: GEORGEGAMINGPC | User Name: George | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\George\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Unlocker\UnlockerAssistant.exe ()
PRC - C:\seagate\Sync\FreeAgentService.exe (Seagate Technology LLC)
PRC - C:\seagate\FreeAgent Status\stxmenumgr.exe (Seagate LLC)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
PRC - C:\Program Files\Winamp\winampa.exe ()
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\conime.exe (Microsoft Corporation)
PRC - C:\Windows\ASScrPro.exe ()
PRC - C:\Program Files\ASUS\SmartLogon\sensorsrv.exe (ASUS)
PRC - C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe (ASUS)
PRC - C:\Program Files\P4G\BatteryLife.exe (ATK)
PRC - C:\Program Files\ASUS\ATK Media\DMedia.exe (ASUS)
PRC - C:\Program Files\ASUS\ASUS CopyProtect\ASPG.exe (ASUS)
PRC - C:\Program Files\ASUS\Splendid\ACMON.exe (ATK)
PRC - C:\Program Files\ASUS\ASUS Data Security Manager\ADSMTray.exe (ASUSTek Computer Inc.)
PRC - C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe (ASUSTek Computer Inc.)
PRC - C:\Program Files\ATK Hotkey\HControl.exe (ATK0100)
PRC - C:\Program Files\ATK Hotkey\WDC.exe ()
PRC - C:\Program Files\ATK Hotkey\HControlUser.exe ()
PRC - C:\Program Files\ATK Hotkey\ATKOSD.exe ()
PRC - C:\Program Files\ASUS\ASUS Live Update\ALU.exe ()
PRC - C:\Program Files\ATK Hotkey\MsgTranAgt.exe ()
PRC - C:\Windows\System32\ASUSTPE.exe (ASUS)
PRC - C:\Program Files\ATK Hotkey\AsLdrSrv.exe ()
PRC - C:\Program Files\ATK Hotkey\KBFiltr.exe ()
PRC - C:\Program Files\ATKGFNEX\GFNEXSrv.exe ()
PRC - C:\Program Files\Wireless Console 2\wcourier.exe ()
PRC - C:\Windows\System32\ACEngSvr.exe (ASUSTeK)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Unlocker\UnlockerHook.dll ()
MOD - C:\Program Files\Unlocker\UnlockerAssistant.exe ()
MOD - C:\Program Files\OpenOffice.org 3\program\libxml2.dll ()
MOD - C:\Program Files\Winamp\winampa.exe ()
MOD - C:\Windows\ASScrPro.exe ()
MOD - C:\Program Files\CyberLink\Power2Go\CLMediaLibrary.dll ()
MOD - C:\Program Files\CyberLink\Power2Go\CLMLSvcPS.dll ()
MOD - C:\Program Files\ATK Hotkey\HControlUser.exe ()
MOD - C:\Program Files\ASUS\ASUS Live Update\ALU.exe ()
MOD - C:\Program Files\ATK Hotkey\MsgTran.dll ()
MOD - C:\Program Files\Common Files\LightScribe\QtGui4.dll ()
MOD - C:\Program Files\Common Files\LightScribe\plugins\imageformats\qjpeg4.dll ()
MOD - C:\Program Files\Common Files\LightScribe\QtCore4.dll ()
MOD - C:\Program Files\ASUS\ASUS Data Security Manager\OverlayIconShlExt.dll ()
MOD - C:\Program Files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll ()


========== Win32 Services (SafeList) ==========

SRV - (DAUpdaterSvc) -- D:\DragonAgeOrigins\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe File not found
SRV - (Steam Client Service) -- C:\Program Files\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
SRV - (FreeAgentGoNext Service) -- C:\seagate\Sync\FreeAgentService.exe (Seagate Technology LLC)
SRV - (NMSAccessU) -- C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
SRV - (ADSMService) -- C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe (ASUSTek Computer Inc.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (ASLDRService) -- C:\Program Files\ATK Hotkey\AsLdrSrv.exe ()
SRV - (ATKGFNEXSrv) -- C:\Program Files\ATKGFNEX\GFNEXSrv.exe ()


========== Driver Services (SafeList) ==========

DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (catchme) -- C:\Users\George\AppData\Local\Temp\catchme.sys File not found
DRV - (aac5j1gx) -- File not found
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (avkmgr) -- C:\Windows\System32\drivers\avkmgr.sys (Avira GmbH)
DRV - (UnlockerDriver5) -- C:\Program Files\Unlocker\UnlockerDriver5.sys ()
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (SSPORT) -- C:\Windows\System32\drivers\SSPORT.sys (Samsung Electronics)
DRV - (DgiVecp) -- C:\Windows\System32\drivers\DGIVECP.SYS (Samsung Electronics Co., Ltd.)
DRV - (hamachi) -- C:\Windows\System32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (sptd) -- C:\Windows\System32\drivers\sptd.sys ()
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (SiSGbeLH) -- C:\Windows\System32\drivers\SiSGB6.sys (Silicon Integrated Systems Corp.)
DRV - (SNP2UVC) USB2.0 PC Camera (SNP2UVC) -- C:\Windows\System32\drivers\snp2uvc.sys ()
DRV - (kbfiltr) -- C:\Windows\System32\drivers\kbfiltr.sys ( )
DRV - (lullaby) -- C:\Windows\System32\drivers\lullaby.sys (Windows ® Codename Longhorn DDK provider)
DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.)
DRV - (AsDsm) -- C:\Windows\System32\drivers\AsDsm.sys (Windows ® Codename Longhorn DDK provider)
DRV - (ASMMAP) -- C:\Program Files\ATKGFNEX\ASMMAP.sys ()
DRV - (MTsensor) -- C:\Windows\System32\drivers\ATKACPI.sys (ATK0100)
DRV - (smserial) -- C:\Windows\System32\drivers\smserial.sys (Motorola Inc.)
DRV - (WmFilter) -- C:\Windows\System32\drivers\WmFilter.sys (Logitech Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=ASUS&bmod=ASUS
IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ASUS
IE - HKLM\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2042005289-950038496-3332287716-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=ASUS&bmod=ASUS
IE - HKU\S-1-5-21-2042005289-950038496-3332287716-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2042005289-950038496-3332287716-1000\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKU\S-1-5-21-2042005289-950038496-3332287716-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-2042005289-950038496-3332287716-1000\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ASUS_enCA330
IE - HKU\S-1-5-21-2042005289-950038496-3332287716-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rlz=1I7ASUS_enCA330&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-2042005289-950038496-3332287716-1000\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:4664/search&s=vMJhA4yydRR_odlm9UaRPlVRMy4?q={searchTerms}
IE - HKU\S-1-5-21-2042005289-950038496-3332287716-1000\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://ca.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_ca&p={searchTerms}
IE - HKU\S-1-5-21-2042005289-950038496-3332287716-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig/redirectdomain?brand=ASUS&bmod=ASUS"
FF - prefs.js..extensions.enabledItems: battlefieldheroespatcher@ea.com:4.0.27.0
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6906
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8.6
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20110323
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 64242
FF - prefs.js..network.proxy.type: 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa2,version=2.0.0: C:\Program Files\Picasa2\npPicasa2.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@idsoftware.com/QuakeLive: C:\ProgramData\id Software\QuakeLive\npquakezero.dll (id Software Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.448: C:\Program Files\VistaCodecPack\rm\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/29 09:39:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/16 21:16:16 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{6C028C61-1644-4D51-B6C5-E47F4688180E}: C:\Users\George\AppData\Local\{6C028C61-1644-4D51-B6C5-E47F4688180E}\

[2009/06/07 18:04:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\George\AppData\Roaming\Mozilla\Extensions
[2012/04/01 15:06:08 | 000,000,000 | ---D | M] (No name found) -- C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\tkl96nqs.default\extensions
[2011/03/18 21:46:30 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\tkl96nqs.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/03/06 22:14:06 | 000,000,000 | ---D | M] (WOT) -- C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\tkl96nqs.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2009/06/10 14:10:45 | 000,000,000 | ---D | M] (BitComet Video Downloader) -- C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\tkl96nqs.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
[2012/04/01 15:06:08 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\tkl96nqs.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2009/12/07 18:38:28 | 000,000,000 | ---D | M] (Battlefield Heroes Updater) -- C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\tkl96nqs.default\extensions\battlefieldheroespatcher@ea.com
[2011/11/10 14:51:37 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/12/25 23:52:12 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2012/02/29 09:39:40 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/02/02 22:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/02/29 09:39:35 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/02/29 09:39:35 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/02/20 23:14:28 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ADSMTray] C:\Program Files\ASUS\ASUS Data Security Manager\ADSMTray.exe (ASUSTek Computer Inc.)
O4 - HKLM..\Run: [ASUS Camera ScreenSaver] C:\Windows\AsScrProlog.exe ()
O4 - HKLM..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe ()
O4 - HKLM..\Run: [ASUSTPE] C:\Windows\System32\ASUSTPE.exe (ASUS)
O4 - HKLM..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMedia.exe (ASUS)
O4 - HKLM..\Run: [ATKOSD2] C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe (ASUS)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [HControlUser] C:\Program Files\ATK Hotkey\HcontrolUser.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MaxMenuMgr] C:\seagate\FreeAgent Status\StxMenuMgr.exe (Seagate LLC)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [P2Go_Menu] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - Startup: C:\Users\George\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2042005289-950038496-3332287716-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2042005289-950038496-3332287716-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - %SystemRoot%\System32\winrnr.dll File not found
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A0BBAC67-483F-495C-AC61-DBB492CA07A9}: DhcpNameServer = 64.71.255.198
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F30F37EC-794C-4650-A5AB-1880BB88B0BA}: DhcpNameServer = 10.0.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\George\Pictures\black.jpg
O24 - Desktop BackupWallPaper: C:\Users\George\Pictures\black.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2012/02/27 21:25:34 | 000,000,000 | -HS- | M] () - H:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2012/03/28 16:39:46 | 000,000,000 | RHSD | M] - H:\.Autorun -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/04/01 17:52:58 | 000,000,000 | ---D | C] -- C:\FRST
[2012/04/01 17:41:23 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Users\George\Desktop\OTL.exe
[2012/03/31 14:13:49 | 000,000,000 | --SD | C] -- C:\Poopyhead
[2012/03/31 14:10:15 | 004,452,445 | R--- | C] (Swearware) -- C:\Users\George\Desktop\Poopyhead.exe
[2012/03/02 23:31:42 | 000,000,000 | --SD | C] -- C:\mandrake
[2012/03/02 23:09:44 | 000,000,000 | --SD | C] -- C:\friday32470f
[2012/03/02 22:51:08 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW

========== Files - Modified Within 30 Days ==========

[2012/04/01 17:41:26 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Users\George\Desktop\OTL.exe
[2012/04/01 17:41:25 | 000,691,576 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/04/01 17:41:25 | 000,138,494 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/04/01 17:41:01 | 000,027,648 | ---- | M] () -- C:\Users\George\Desktop\RestoreBFE.exe
[2012/04/01 17:37:11 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/01 17:37:09 | 000,048,734 | ---- | M] () -- C:\ProgramData\nvModes.001
[2012/04/01 17:36:22 | 000,045,056 | ---- | M] () -- C:\Windows\System32\acovcnt.exe
[2012/04/01 17:36:18 | 000,048,734 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2012/04/01 17:35:01 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/04/01 17:35:01 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/04/01 17:34:53 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/04/01 17:34:47 | 3218,395,136 | -HS- | M] () -- C:\hiberfil.sys
[2012/04/01 17:28:52 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2012/04/01 16:56:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/01 15:11:20 | 000,000,420 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{25D39F52-AFBC-4213-A160-F2C344AEDA86}.job
[2012/03/31 14:10:30 | 004,452,445 | R--- | M] (Swearware) -- C:\Users\George\Desktop\Poopyhead.exe
[2012/03/12 21:28:50 | 000,337,137 | ---- | M] () -- C:\Users\George\Desktop\FSS.exe
[2012/03/02 23:25:56 | 000,294,400 | ---- | M] () -- C:\Users\George\Desktop\exeHelper.com
[2012/03/02 23:24:38 | 001,008,141 | ---- | M] () -- C:\Users\George\Desktop\rkill.exe

========== Files Created - No Company Name ==========

[2012/04/01 17:41:00 | 000,027,648 | ---- | C] () -- C:\Users\George\Desktop\RestoreBFE.exe
[2012/03/12 21:28:49 | 000,337,137 | ---- | C] () -- C:\Users\George\Desktop\FSS.exe
[2012/03/02 23:25:54 | 000,294,400 | ---- | C] () -- C:\Users\George\Desktop\exeHelper.com
[2012/03/02 23:24:34 | 001,008,141 | ---- | C] () -- C:\Users\George\Desktop\rkill.exe
[2012/02/25 19:12:19 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/02/25 19:12:19 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/02/25 19:12:18 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/02/25 19:12:18 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/02/25 19:12:18 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/01/02 00:00:30 | 000,010,432 | -HS- | C] () -- C:\Users\George\AppData\Local\bsc7o1i0dbmi
[2012/01/02 00:00:30 | 000,010,432 | -HS- | C] () -- C:\ProgramData\bsc7o1i0dbmi
[2011/04/09 18:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2011/03/04 18:44:11 | 000,000,000 | ---- | C] () -- C:\Users\George\AppData\Local\Hfefaf.bin
[2011/03/04 18:43:13 | 000,000,120 | ---- | C] () -- C:\Users\George\AppData\Local\Xkidagayus.dat
[2011/02/10 21:06:59 | 000,006,327 | ---- | C] () -- C:\Users\George\AppData\Roaming\56DE.800
[2010/11/28 23:53:40 | 000,000,680 | ---- | C] () -- C:\Users\George\AppData\Local\d3d9caps.dat
[2010/06/24 19:59:56 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010/05/26 07:12:58 | 000,000,313 | ---- | C] () -- C:\Windows\doom3.ini

========== LOP Check ==========

[2011/01/23 17:59:59 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\DAEMON Tools Lite
[2011/05/20 01:46:23 | 000,000,000 | ---D | M] -- C:\Users\George\AppData\Roaming\.doomseeker
[2011/12/28 04:29:58 | 000,000,000 | ---D | M] -- C:\Users\George\AppData\Roaming\2K Sports
[2009/08/23 20:19:43 | 000,000,000 | ---D | M] -- C:\Users\George\AppData\Roaming\Activision
[2012/01/24 15:37:26 | 000,000,000 | ---D | M] -- C:\Users\George\AppData\Roaming\Appe
[2009/07/18 20:55:32 | 000,000,000 | ---D | M] -- C:\Users\George\AppData\Roaming\Canneverbe_Limited
[2009/07/18 01:52:31 | 000,000,000 | ---D | M] -- C:\Users\George\AppData\Roaming\DAEMON Tools Lite
[2011/03/05 00:58:32 | 000,000,000 | ---D | M] -- C:\Users\George\AppData\Roaming\E35248A7D24B3A6B5942EEB1DF816866
[2009/09/06 08:22:21 | 000,000,000 | ---D | M] -- C:\Users\George\AppData\Roaming\GameScannerData
[2012/01/24 02:21:36 | 000,000,000 | ---D | M] -- C:\Users\George\AppData\Roaming\Kalaaf
[2010/03/16 21:20:45 | 000,000,000 | ---D | M] -- C:\Users\George\AppData\Roaming\Leadertech
[2009/09/22 11:23:14 | 000,000,000 | ---D | M] -- C:\Users\George\AppData\Roaming\OpenOffice.org
[2009/06/12 23:11:09 | 000,000,000 | ---D | M] -- C:\Users\George\AppData\Roaming\TextPad
[2011/04/13 02:43:22 | 000,000,000 | ---D | M] -- C:\Users\George\AppData\Roaming\USBSafelyRemove
[2009/12/15 23:19:37 | 000,000,000 | ---D | M] -- C:\Users\George\AppData\Roaming\VistaCodecs
[2011/02/26 11:06:20 | 000,000,000 | ---D | M] -- C:\Users\George\AppData\Roaming\Wizards of the Coast
[2011/05/30 18:10:07 | 000,000,000 | ---D | M] -- C:\Users\George\AppData\Roaming\YOUDONTKNOWJACK
[2012/04/01 17:28:53 | 000,032,618 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012/04/01 15:11:20 | 000,000,420 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{25D39F52-AFBC-4213-A160-F2C344AEDA86}.job

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: EXPLORER.EXE >
[2009/04/07 10:14:23 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2009/04/07 10:14:23 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\ERDNT\cache\explorer.exe
[2009/04/07 10:14:23 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2009/04/07 10:14:22 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe
[2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2009/04/07 10:14:23 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2008/01/20 21:24:24 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/01/20 21:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\ERDNT\cache\svchost.exe
[2008/01/20 21:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\System32\svchost.exe
[2008/01/20 21:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe
[2012/01/13 15:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/01/20 21:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\ERDNT\cache\userinit.exe
[2008/01/20 21:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008/01/20 21:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe

< MD5 for: WINLOGON.EXE >
[2012/01/13 15:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2009/04/11 01:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009/04/11 01:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2008/01/20 21:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\ERDNT\cache\winlogon.exe
[2008/01/20 21:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

< %systemroot%\*. /rp /s >

========== Drive Information ==========

Physical Drives
---------------

Drive: \\\\.\\PHYSICALDRIVE0 - Fixed hard disk media
Interface type: IDE
Media Type: Fixed hard disk media
Model: ST9250320AS ATA Device
Partitions: 3
Status: OK
Status Info: 0

Drive: \\\\.\\PHYSICALDRIVE1 - Removable Media
Interface type: USB
Media Type: Removable Media
Model: Apple iPod USB Device
Partitions: 1
Status: OK
Status Info: 0

Partitions
---------------

DeviceID: Disk #0, Partition #0
PartitionType: Unknown
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 12.00GB
Starting Offset: 32256
Hidden sectors: 0


DeviceID: Disk #0, Partition #1
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 116.00GB
Starting Offset: 12584678400
Hidden sectors: 0


DeviceID: Disk #0, Partition #2
PartitionType: Extended w/Extended Int 13
Bootable: False
BootPartition: False
PrimaryPartition: False
Size: 105.00GB
Starting Offset: 137608934400
Hidden sectors: 0


DeviceID: Disk #1, Partition #0
PartitionType: Unknown
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 0.00GB
Starting Offset: 16384
Hidden sectors: 0


========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Roaming -> Junction
[C:\Windows\System32\config\systemprofile\Documents\My Music] -> C:\Windows\system32\config\systemprofile\Music -> Junction
[C:\Windows\System32\config\systemprofile\Documents\My Pictures] -> C:\Windows\system32\config\systemprofile\Pictures -> Junction
[C:\Windows\System32\config\systemprofile\Documents\My Videos] -> C:\Windows\system32\config\systemprofile\Videos -> Junction
[C:\Windows\System32\config\systemprofile\Local Settings] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\My Documents] -> C:\Windows\system32\config\systemprofile\Documents -> Junction
[C:\Windows\System32\config\systemprofile\NetHood] -> C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts -> Junction
[C:\Windows\System32\config\systemprofile\PrintHood] -> C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts -> Junction
[C:\Windows\System32\config\systemprofile\Recent] -> C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent -> Junction
[C:\Windows\System32\config\systemprofile\SendTo] -> C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo -> Junction
[C:\Windows\System32\config\systemprofile\Start Menu] -> C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu -> Junction
[C:\Windows\System32\config\systemprofile\Templates] -> C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates -> Junction

< End of report >

Edited by signofzeta, 01 April 2012 - 06:09 PM.


#8 CatByte (Malware Response Team)

Posted 01 April 2012 - 06:11 PM

My apologies, there was a typo in that FRST script. Could you please run it again with the following script:

start
SubSystems: [Windows] ==> ZeroAccess
CMD: rmdir C:\Windows\$NtUninstallKB56683$
end

(the security center isn't fixed yet, we need to run a reg fix, we'll be doing that next)

Edited by CatByte, 01 April 2012 - 06:12 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 signofzeta (Topic Starter)

Posted 01 April 2012 - 06:51 PM

Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 14-03-2012
Ran by SYSTEM at 2012-04-01 18:45:31 R:2
Running from F:\AV2012

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.

========= rmdir C:\Windows\$NtUninstallKB56683$ =========

The directory is not empty.

========= End of CMD: =========


==== End of Fixlog ====

#10 CatByte (Malware Response Team)

Posted 01 April 2012 - 06:59 PM

OK, we need to see what's in this folder. Please do the following:

Please press WinKey+R to open a run box, copy/paste the following command (it's one long command) into the run box and press OK:

cmd /c dir "C:\Windows\$NtUninstallKB56683$" /a /s >> "%userprofile%\desktop\look.txt" 2>>&1

A black box will open and a file will appear on your Desktop called look.txt.

Please wait until the black box closes before opening the file, and post the contents of look.txt in your next response.

Thanks

Edited by CatByte, 01 April 2012 - 06:59 PM.



#11 signofzeta (Topic Starter)

Posted 01 April 2012 - 07:04 PM

Volume in drive C is VistaOS
Volume Serial Number is C07A-6C0D

Directory of C:\Windows\$NtUninstallKB56683$

02/12/2012 01:43 PM <DIR> .
02/12/2012 01:43 PM <DIR> ..
02/12/2012 01:43 PM <DIR> 26205412
0 File(s) 0 bytes

Directory of C:\Windows\$NtUninstallKB56683$\26205412

02/12/2012 01:43 PM <DIR> .
02/12/2012 01:43 PM <DIR> ..
02/12/2012 01:43 PM <DIR> L
02/12/2012 01:43 PM <DIR> U
0 File(s) 0 bytes

Directory of C:\Windows\$NtUninstallKB56683$\26205412\L

02/12/2012 01:43 PM <DIR> .
02/12/2012 01:43 PM <DIR> ..
0 File(s) 0 bytes

Directory of C:\Windows\$NtUninstallKB56683$\26205412\U

02/12/2012 01:43 PM <DIR> .
02/12/2012 01:43 PM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
11 Dir(s) 11,781,939,200 bytes free
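The listing above, handled in code. This is an added example and not part of the thread or of OTL/FRST: it parses the `dir /a /s` output that the command in post #10 writes to look.txt (the sample input is the listing just posted, pasted verbatim), flags the `$NtUninstall*$\<digits>\L` plus `\U` layout the thread attributes to ZeroAccess, and prints the deepest-first `rd` order that a plain remove-directory needs, which is why the single rmdir in the FRST fixlog reported "The directory is not empty". The function names, the regular expressions and the layout check are mine.

```python
"""Parse a `dir /a /s` listing (look.txt), flag the nested L/U layout seen in
this thread, and emit the deepest-first removal order a plain `rd` needs.
Added example for this thread; not code from OTL, FRST or the original posts."""
import re

# Constructed sample: the look.txt posted in this thread, pasted verbatim.
SAMPLE_LOOK_TXT = r"""
Volume in drive C is VistaOS
Volume Serial Number is C07A-6C0D

Directory of C:\Windows\$NtUninstallKB56683$

02/12/2012 01:43 PM <DIR> .
02/12/2012 01:43 PM <DIR> ..
02/12/2012 01:43 PM <DIR> 26205412
0 File(s) 0 bytes

Directory of C:\Windows\$NtUninstallKB56683$\26205412

02/12/2012 01:43 PM <DIR> .
02/12/2012 01:43 PM <DIR> ..
02/12/2012 01:43 PM <DIR> L
02/12/2012 01:43 PM <DIR> U
0 File(s) 0 bytes

Directory of C:\Windows\$NtUninstallKB56683$\26205412\L

02/12/2012 01:43 PM <DIR> .
02/12/2012 01:43 PM <DIR> ..
0 File(s) 0 bytes

Directory of C:\Windows\$NtUninstallKB56683$\26205412\U

02/12/2012 01:43 PM <DIR> .
02/12/2012 01:43 PM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
11 Dir(s) 11,781,939,200 bytes free
"""

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
# date, time, optional AM/PM (12-hour locales), then <DIR> and the entry name
SUBDIR_ROW = re.compile(r"^\s*\S+\s+\S+(?:\s+[AP]M)?\s+<DIR>\s+(.+?)\s*$")
FILE_COUNT = re.compile(r"^\s*([\d,]+) File\(s\)")


def parse_dir_listing(text):
    """Return {dir_path: {"subdirs": [...], "files": n}} from `dir /a /s` output."""
    tree, current = {}, None
    for line in text.splitlines():
        if line.strip().startswith("Total Files Listed"):
            current = None  # the grand-total block is not a directory section
            continue
        m = DIR_HEADER.match(line)
        if m:
            current = m.group(1)
            tree[current] = {"subdirs": [], "files": 0}
            continue
        if current is None:
            continue
        m = SUBDIR_ROW.match(line)
        if m and m.group(1) not in (".", ".."):
            tree[current]["subdirs"].append(m.group(1))
            continue
        m = FILE_COUNT.match(line)
        if m:
            tree[current]["files"] = int(m.group(1).replace(",", ""))
    return tree


def removal_order(tree):
    """Directories deepest-first: `rd` (and FRST's rmdir in this thread) refuse
    a directory that still has children, so leaves must go before parents."""
    return sorted(tree, key=lambda path: (-path.count("\\"), path))


def nested_lu_layout(tree):
    """Paths of every numeric child of a $NtUninstall*$ directory that holds
    both an L and a U subdirectory, the layout this thread's look.txt shows."""
    hits = []
    for path, info in tree.items():
        name = path.rsplit("\\", 1)[-1]
        if not (name.startswith("$NtUninstall") and name.endswith("$")):
            continue
        for child in info["subdirs"]:
            child_path = path + "\\" + child
            subdirs = set(tree.get(child_path, {"subdirs": []})["subdirs"])
            if child.isdigit() and {"L", "U"} <= subdirs:
                hits.append(child_path)
    return hits


if __name__ == "__main__":
    tree = parse_dir_listing(SAMPLE_LOOK_TXT)
    print("suspicious:", nested_lu_layout(tree))
    for path in removal_order(tree):
        print(f'rd "{path}"')
```

On the listing above this yields the four `rd` lines in leaf-first order (the two siblings L and U can go in either order), which is the same sequence the OTL fix later in the thread spells out by hand.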

#12 CatByte (Malware Response Team)

Posted 01 April 2012 - 07:09 PM

OK, very good.

Please run the following:


Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    FF - prefs.js..network.proxy.http_port: 64242
    [2012/01/02 00:00:30 | 000,010,432 | -HS- | C] () -- C:\Users\George\AppData\Local\bsc7o1i0dbmi
    [2012/01/02 00:00:30 | 000,010,432 | -HS- | C] () -- C:\ProgramData\bsc7o1i0dbmi
    [2011/03/04 18:44:11 | 000,000,000 | ---- | C] () -- C:\Users\George\AppData\Local\Hfefaf.bin
    [2011/03/04 18:43:13 | 000,000,120 | ---- | C] () -- C:\Users\George\AppData\Local\Xkidagayus.dat
    
    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc]
    "DisplayName"="@%SystemRoot%\\system32\\FirewallAPI.dll,-23090"
    "Group"="NetworkProvider"
    "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
    74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
    00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
    6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
    00,65,00,4e,00,6f,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,00,00
    "Description"="@%SystemRoot%\\system32\\FirewallAPI.dll,-23091"
    "ObjectName"="NT Authority\\LocalService"
    "ErrorControl"=dword:00000001
    "Start"=dword:00000002
    "Type"=dword:00000020
    "DependOnService"=hex(7):6d,00,70,00,73,00,64,00,72,00,76,00,00,00,62,00,66,00,\
    65,00,00,00,00,00
    "ServiceSidType"=dword:00000003
    "RequiredPrivileges"=hex(7):53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,\
    00,72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,\
    72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,41,00,75,\
    00,64,00,69,00,74,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
    00,00,53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,00,6f,00,74,00,69,\
    00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,\
    53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,00,6c,00,6f,00,62,00,61,\
    00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,\
    65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,\
    00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,\
    6e,00,63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,\
    00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
    "FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
    00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters]
    "ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
    00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
    6d,00,70,00,73,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
    "ServiceDllUnloadOnStop"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap]
    "Collection"=hex:87,00,01,00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Security]
    "Security"=hex:01,00,14,80,b4,00,00,00,c0,00,00,00,14,00,00,00,30,00,00,00,02,\
    00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
    00,00,02,00,84,00,05,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
    05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
    20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
    00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,28,00,15,00,\
    00,00,01,06,00,00,00,00,00,05,50,00,00,00,49,59,9d,77,91,56,e5,55,dc,f4,e2,\
    0e,a7,8b,eb,ca,7b,42,13,56,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,\
    00,00,00,05,12,00,00,00
    
    :Files
    ipconfig /flushdns /c
    rd C:\Windows\$NtUninstallKB56683$\26205412\U /c
    rd C:\Windows\$NtUninstallKB56683$\26205412\L /c
    rd C:\Windows\$NtUninstallKB56683$\26205412 /c
    rd C:\Windows\$NtUninstallKB56683$ /c
    
    
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL log



#13 signofzeta (Topic Starter)

Posted 01 April 2012 - 07:13 PM

OK, there is a popup message that says "Cannot create file C:\Windows\System32\drivers\etc\Hosts."

The only option there to click is OK, which I did.

Now OTL is stuck trying to reset the hosts file.

#14 CatByte (Malware Response Team)

Posted 01 April 2012 - 07:15 PM

OK, please end that script and we'll re-run it leaving [resethosts] out of the equation.

Use this script instead, thanks:

:OTL
FF - prefs.js..network.proxy.http_port: 64242
[2012/01/02 00:00:30 | 000,010,432 | -HS- | C] () -- C:\Users\George\AppData\Local\bsc7o1i0dbmi
[2012/01/02 00:00:30 | 000,010,432 | -HS- | C] () -- C:\ProgramData\bsc7o1i0dbmi
[2011/03/04 18:44:11 | 000,000,000 | ---- | C] () -- C:\Users\George\AppData\Local\Hfefaf.bin
[2011/03/04 18:43:13 | 000,000,120 | ---- | C] () -- C:\Users\George\AppData\Local\Xkidagayus.dat

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc]
"DisplayName"="@%SystemRoot%\\system32\\FirewallAPI.dll,-23090"
"Group"="NetworkProvider"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
00,65,00,4e,00,6f,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,00,00
"Description"="@%SystemRoot%\\system32\\FirewallAPI.dll,-23091"
"ObjectName"="NT Authority\\LocalService"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):6d,00,70,00,73,00,64,00,72,00,76,00,00,00,62,00,66,00,\
65,00,00,00,00,00
"ServiceSidType"=dword:00000003
"RequiredPrivileges"=hex(7):53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,\
00,72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,\
72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,41,00,75,\
00,64,00,69,00,74,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
00,00,53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,00,6f,00,74,00,69,\
00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,\
53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,00,6c,00,6f,00,62,00,61,\
00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,\
65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,\
00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,\
6e,00,63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,\
00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6d,00,70,00,73,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceDllUnloadOnStop"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap]
"Collection"=hex:87,00,01,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Security]
"Security"=hex:01,00,14,80,b4,00,00,00,c0,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,84,00,05,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,28,00,15,00,\
00,00,01,06,00,00,00,00,00,05,50,00,00,00,49,59,9d,77,91,56,e5,55,dc,f4,e2,\
0e,a7,8b,eb,ca,7b,42,13,56,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,\
00,00,00,05,12,00,00,00

:Files
ipconfig /flushdns /c
rd C:\Windows\$NtUninstallKB56683$\26205412\U /c
rd C:\Windows\$NtUninstallKB56683$\26205412\L /c
rd C:\Windows\$NtUninstallKB56683$\26205412 /c
rd C:\Windows\$NtUninstallKB56683$ /c


:Commands
[purity]
[emptytemp]
[Reboot]


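The :Reg block in the OTL script above is a wall of hex, and a script that rewrites a service's ImagePath and ServiceDll should be readable before it is run. As an added example, not from OTL or the original posts, the following Python joins the backslash-continued lines, decodes the typed values (dword, hex(2) REG_EXPAND_SZ, hex(7) REG_MULTI_SZ and plain hex REG_BINARY), unpacks FailureActions as the SERVICE_FAILURE_ACTIONS structure the Service Control Manager stores, and compares the result with the stock MpsSvc (Windows Firewall) values. The sample input is the MpsSvc fragment quoted from the script itself; EXPECTED_MPSSVC and all function names are mine.

```python
"""Decode the registry values of an OTL ':Reg' block (same syntax as a .reg
file) so the MpsSvc entries can be read and checked before they are applied.
Added example for this thread; not part of OTL, FRST or the original posts."""
import re
import struct

# Input: the binary-typed MpsSvc values quoted from the OTL script in this
# thread (the remaining plain-string values need no decoding and are omitted).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc]
"ObjectName"="NT Authority\\LocalService"
"Start"=dword:00000002
"Type"=dword:00000020
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
00,65,00,4e,00,6f,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,00,00
"DependOnService"=hex(7):6d,00,70,00,73,00,64,00,72,00,76,00,00,00,62,00,66,00,\
65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6d,00,70,00,73,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceDllUnloadOnStop"=dword:00000001
'''

TYPED_RE = re.compile(r'^"([^"]+)"=(dword|hex\(\d+\)|hex):(.*)$')
STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _logical_lines(text):
    """Merge lines ending in '\\' (the .reg continuation marker) into one line each."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    return out


def _decode(kind, payload):
    """dword -> int; hex(2) REG_EXPAND_SZ -> str; hex(7) REG_MULTI_SZ -> [str]; hex -> bytes."""
    if kind == "dword":
        return int(payload, 16)
    raw = bytes(int(b, 16) for b in payload.split(",") if b)
    if kind == "hex(2)":
        return raw.decode("utf-16-le").rstrip("\x00")
    if kind == "hex(7)":
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return raw


def parse_reg_script(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg-style block."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = TYPED_RE.match(line)
        if m:
            name, kind, payload = m.groups()
            keys[current][name] = _decode(kind, payload)
            continue
        m = STRING_RE.match(line)
        if m:  # plain string value; .reg doubles backslashes
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def decode_failure_actions(blob):
    """Unpack SERVICE_FAILURE_ACTIONS as the SCM stores it: reset period in
    seconds, two pointer slots, action count, one more pointer slot, then
    (type, delay_ms) pairs. Type 0 none, 1 restart, 2 reboot, 3 run command."""
    reset, _msg, _cmd, count, _ptr = struct.unpack_from("<5I", blob, 0)
    actions = [struct.unpack_from("<2I", blob, 20 + 8 * i) for i in range(count)]
    return reset, actions


SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc"
# Stock Windows Firewall service values, taken from the script in this thread.
EXPECTED_MPSSVC = {
    "ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork",
    "ServiceDll": r"%SystemRoot%\system32\mpssvc.dll",
    "Start": 2,
    "DependOnService": ["mpsdrv", "bfe"],
}


def check_mpssvc(keys):
    """[(name, decoded_value)] for every expected value that is missing or
    differs from the stock one; an empty list means the script is as expected."""
    merged = {**keys.get(SERVICE_KEY, {}), **keys.get(SERVICE_KEY + r"\Parameters", {})}
    return [(n, merged.get(n)) for n, want in EXPECTED_MPSSVC.items() if merged.get(n) != want]


if __name__ == "__main__":
    keys = parse_reg_script(SAMPLE_REG)
    for path, values in keys.items():
        print(path)
        for name, value in values.items():
            if name == "FailureActions":
                value = decode_failure_actions(value)
            print(f"  {name} = {value!r}")
    print("mismatches:", check_mpssvc(keys))
```

Decoded, the script restores ImagePath to `%SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork`, ServiceDll to `%SystemRoot%\system32\mpssvc.dll`, a dependency on mpsdrv and bfe (the Base Filtering Engine, so MpsSvc cannot start while BFE is broken), and a FailureActions policy of two restarts at 2 and 5 minutes, no third action, with a one-day reset. The same decoder reads any `.reg` export, so a suspect service entry can be diffed against a clean machine's before it is trusted.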


#15 signofzeta (Topic Starter)

Posted 01 April 2012 - 08:09 PM

All processes killed
========== OTL ==========
Prefs.js: 64242 removed from network.proxy.http_port
File C:\Users\George\AppData\Local\bsc7o1i0dbmi not found.
File C:\ProgramData\bsc7o1i0dbmi not found.
File C:\Users\George\AppData\Local\Hfefaf.bin not found.
File C:\Users\George\AppData\Local\Xkidagayus.dat not found.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\\"DisplayName"|"@%SystemRoot%\\system32\\FirewallAPI.dll,-23090" /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\\"Group"|"NetworkProvider" /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\\"ImagePath"|hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,4e,00,6f,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\\"Description"|"@%SystemRoot%\\system32\\FirewallAPI.dll,-23091" /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\\"ObjectName"|"NT Authority\\LocalService" /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\\"ErrorControl"|dword:00000001 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\\"Start"|dword:00000002 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\\"Type"|dword:00000020 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\\"DependOnService"|hex(7):6d,00,70,00,73,00,64,00,72,00,76,00,00,00,62,00,66,00,65,00,00,00,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\\"ServiceSidType"|dword:00000003 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\\"RequiredPrivileges"|hex(7):53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,41,00,75,00,64,00,69,00,74,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\\"FailureActions"|hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\\"ServiceDll"|hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,70,00,73,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\\"ServiceDllUnloadOnStop"|dword:00000001 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\\"Collection"|hex:87,00,01,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Security\\"Security"|hex:01,00,14,80,b4,00,00,00,c0,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,84,00,05,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,28,00,15,00,00,00,01,06,00,00,00,00,00,05,50,00,00,00,49,59,9d,77,91,56,e5,55,dc,f4,e2,0e,a7,8b,eb,ca,7b,42,13,56,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00 /E : value set successfully!
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\George\Desktop\cmd.bat deleted successfully.
C:\Users\George\Desktop\cmd.txt deleted successfully.
< rd C:\Windows\$NtUninstallKB56683$\26205412\U /c >
C:\Users\George\Desktop\cmd.bat deleted successfully.
C:\Users\George\Desktop\cmd.txt deleted successfully.
< rd C:\Windows\$NtUninstallKB56683$\26205412\L /c >
C:\Users\George\Desktop\cmd.bat deleted successfully.
C:\Users\George\Desktop\cmd.txt deleted successfully.
< rd C:\Windows\$NtUninstallKB56683$\26205412 /c >
C:\Users\George\Desktop\cmd.bat deleted successfully.
C:\Users\George\Desktop\cmd.txt deleted successfully.
< rd C:\Windows\$NtUninstallKB56683$ /c >
C:\Users\George\Desktop\cmd.bat deleted successfully.
C:\Users\George\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: George
->Temp folder emptied: 1276679 bytes
->Temporary Internet Files folder emptied: 2640260 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 552151678 bytes
->Flash cache emptied: 2943 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 85543349 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 612.00 mb


OTL by OldTimer - Version 3.2.39.2 log created on 04012012_195955

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



