HJT logs - System Tool infection

Post by MAPepin » January 2nd, 2011, 8:09 pm

My other computer has the "System Tool 2011". I tried to run HijackThis but couldn't run it. Anything I try to run gets stopped, telling me that it is infected. I can't even start Task Manager. The computer is running Vista Home 32 bit. I followed your instructions to rename HijackThis.exe but that didn't work. Rkill.exe didn't work either. I restarted in safe mode and ran HijackThis. Following are the HJT log and the uninstall log.

====================== - HIJACKTHIS LOG - ===============================

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:20:44 PM, on 1/2/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18999)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Aaron\Desktop\SuckOnThis.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: cpmsky browser optimizer - {6ff7cd9f-8183-16a2-4245-4d88dd54f36f} - C:\Windows\system32\{f053e74d-b418-5f0d-f69c-198f54f619e6}.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: mysidesearch search enhancer - {95148B99-4A50-6469-7BA4-7E8AF0BA8D7A} - C:\Windows\system32\mfwshjpdqpgdelmj.dll
O2 - BHO: adzgalore - {994B5FB4-0103-44A6-B6B3-C73572B362BC} - C:\Windows\system32\nscB855.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [spa_start] C:\Windows\System32\Rundll32.exe "C:\Windows\system32\{f053e74d-b418-5f0d-f69c-198f54f619e6}.dll" DllInit
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [MRT] "C:\Windows\system32\MRT.exe" /R
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Ilayuhaku] rundll32.exe "C:\Users\Aaron\AppData\Local\isojacuq.dll",Startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [userinit] C:\Users\Aaron\AppData\Roaming\sdra64.exe
O4 - HKCU\..\RunOnce: [gIjBc06300] C:\ProgramData\gIjBc06300\gIjBc06300.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = ?
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9186 bytes

====================== - UNINSTALL LOG - ===============================

Ad-Aware 2007
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.3
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center Ex
ATI PCI Express (3GIO) Filter Driver
Belarc Advisor 7.2
Bonjour
Browser Address Error Redirector
Browser Optimizer Adzgalore
CCleaner (remove only)
Conexant HDA D110 MDC V.92 Modem
Contextual Tool Adzgalore
DeePsea
Dell Getting Started Guide
Dell Support Center
Dell Wireless WLAN Card
Digidesign Pro Tools M-Powered Demo 7.4
Digidesign Shared Plug-Ins 7.4
Digital Line Detect
Doom Builder
Doom Builder 2.1
DOOM Collector's Edition
Doom II for Windows 95
Doomsday Engine 1.9.0-beta5
Enhancement Browser Tools Cpmsky
Google Desktop
Guitar Pro 5.0
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HyperCam 2
Interlok driver setup x32
Internet Service Offers Launcher
iTunes
Java(TM) 6 Update 11
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6
LilyPond
Live 6.0.1
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
MidiNotate Composer
Modem Diagnostic Tool
Mozilla Firefox (3.6.13)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music, Photos & Videos Launcher
MySpaceIM
NetWaiting
Notation Composer 2.5 (Trial Version)
OpenOffice.org 2.3
Product Documentation Launcher
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
RPG Maker 2000 - Super Columbine Massacre RPG!
Search Assistant Mysidesearch
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
SigmaTel Audio
Skulltag
SlimDX Redistributable (March 2009)
Sonic Activation Module
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Ultimate Doom for Windows 95
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
User's Guides
Windows Media Player Firefox Plugin
Windows Mobile Device Center
Windows Mobile Device Center Driver Update
Yahoo! Install Manager
Yahoo! Toolbar
ZDaemon (remove only)

=========================================================================================
MAPepin
Regular Member
 
Posts: 22
Joined: January 28th, 2008, 11:37 am
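As an added worked example (not part of MAPepin's post, and not a tool the forum uses), the script below applies, over a constructed subset of the HijackThis lines above, the checks a helper makes by eye: an R1 proxy pointing at the loopback interface, O2 helper DLLs with GUID file names, O4 rundll32 entries loading DLLs from user-writable directories, an HKCU Run value named like Winlogon's Userinit, and O23 services whose binary is missing. The regexes and wording are my own heuristics; a hit means "look closer", not "malicious".

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines posted in this thread,
# with two benign entries (Yahoo! BHO, Java updater) kept for contrast.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: cpmsky browser optimizer - {6ff7cd9f-8183-16a2-4245-4d88dd54f36f} - C:\Windows\system32\{f053e74d-b418-5f0d-f69c-198f54f619e6}.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [spa_start] C:\Windows\System32\Rundll32.exe "C:\Windows\system32\{f053e74d-b418-5f0d-f69c-198f54f619e6}.dll" DllInit
O4 - HKCU\..\Run: [Ilayuhaku] rundll32.exe "C:\Users\Aaron\AppData\Local\isojacuq.dll",Startup
O4 - HKCU\..\Run: [userinit] C:\Users\Aaron\AppData\Roaming\sdra64.exe
O4 - HKCU\..\RunOnce: [gIjBc06300] C:\ProgramData\gIjBc06300\gIjBc06300.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
"""

# Directories an unprivileged user, and so malware running as that user, can write to.
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp)\\", re.I)
# A GUID used as the file name itself, e.g. \{f053e74d-...}.dll under system32.
GUID_NAMED_FILE = re.compile(
    r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.(?:dll|exe)", re.I)
# ProxyServer value that sends browser traffic to the local machine.
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost):\d+", re.I)
# rundll32 <dll>,<export>: capture the DLL path, quoted or not.
RUNDLL32_TARGET = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\",]+?\.dll)", re.I)


@dataclass
class Finding:
    section: str   # HijackThis section tag: R1, O2, O4, O23, ...
    line: str
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Apply the heuristics a forum helper applies by eye to each HJT line."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue                      # header, blank, 'Running processes:' ...
        section = line.split(" - ", 1)[0]
        reason = None
        if section in ("R0", "R1") and LOOPBACK_PROXY.search(line):
            reason = ("browser proxy points at the loopback interface, so a local "
                      "process sits between the browser and the network")
        elif section in ("O2", "O3") and (
                GUID_NAMED_FILE.search(line) or USER_WRITABLE.search(line)):
            reason = "browser helper DLL has a GUID file name or lives in a user-writable directory"
        elif section == "O4":
            dll = RUNDLL32_TARGET.search(line)
            if dll and (GUID_NAMED_FILE.search(dll.group(1))
                        or USER_WRITABLE.search(dll.group(1))):
                reason = "rundll32 autostart loads a DLL from a GUID-named or user-writable path"
            elif "HKCU" in line and re.search(r"\[userinit\]", line, re.I):
                reason = "HKCU Run value named 'userinit' imitates the Winlogon Userinit setting"
            elif USER_WRITABLE.search(line):
                reason = "autostart executable lives in a user-writable directory"
        elif section == "O23" and line.endswith("(file missing)"):
            reason = "service entry whose binary is gone (orphan, often a removed AV product)"
        if reason:
            findings.append(Finding(section, line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```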

Re: HJT logs - System Tool infection

Post by deltalima » January 3rd, 2011, 10:45 am

Checking your log - back soon.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: HJT logs - System Tool infection

Post by deltalima » January 3rd, 2011, 11:12 am

Hi MAPepin,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your malware issue.

The logs can take some time to research, so please be patient with me.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Please note the following:
  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please Note:
The programs I ask you to run need to be run in Administrator Mode by... Right clicking the program file and selecting: Run as Administrator.
Additionally, the built-in User Account Control (UAC) utility, if enabled, may prompt you for permission to run the program.
When prompted, please select: Allow. Reference: User Account Control (UAC) and Running as Administrator

Before we begin I must warn you that you have a seriously infected computer and so before we go any further Please use a USB pen drive to copy any important documents and store them in a safe place in case the computer cannot be recovered.

Please let me know what the file C:\Users\Aaron\Desktop\SuckOnThis.exe is. Is it the renamed HijackThis?

I don't see any running antivirus software on the computer, are you aware of this fact?

Once the computer is running in normal mode it is vital that you install and keep installed antivirus software.

Until the computer is running normally please follow my instructions to download tools to another computer then transfer them to the infected one and then transfer the logs back and then post them.

Run the following in safe mode until I give other instructions.

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: HJT logs - System Tool infection

Post by MAPepin » January 3rd, 2011, 11:37 am

Thank you deltalima for your response. Yes, the file SuckOnThis.exe is the renamed HijackThis.exe. I was unable to run the program without renaming it.

I am aware of the antivirus issue. A McAfee trial was running and has expired. I will be installing AVG after this clears up. I will not be able to accomplish your instructions until later this afternoon - around 5:00 PM (my time -5).

Mike
MAPepin
Regular Member
 
Posts: 22
Joined: January 28th, 2008, 11:37 am

Re: HJT logs - System Tool infection

Post by deltalima » January 3rd, 2011, 11:42 am

OK that's fine, please post the log when ready.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: HJT logs - System Tool infection

Post by MAPepin » January 3rd, 2011, 11:00 pm

Here's the GMER log:


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-03 21:36:29
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK8046GSX rev.LB312D
Running: 41qpurd9.exe; Driver: C:\Users\Aaron\AppData\Local\Temp\pglcrpog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
MAPepin
Regular Member
 
Posts: 22
Joined: January 28th, 2008, 11:37 am

Re: HJT logs - System Tool infection

Post by deltalima » January 4th, 2011, 7:17 am

Hi MAPepin,

Run Combofix

Temporarily disable any antispyware, antivirus and or antimalware real-time protection as they may interfere with running of ComboFix.

Download ComboFix from here to your Desktop.

For more information about Combofix please see here.

Close all programs.

Double click combofix.exe and follow the prompts.

If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures; if not, then follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console and, when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Once installed, you should see the following message:

The recovery console was successfuly installed.
Click ‘YES’ to continue scanning for malware
Click ‘NO’ for exit

Click the YES button.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your “drive access” light. If it is flashing, Combofix is still at work.

When finished ComboFix will produce a log file. Please post the contents of this log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: HJT logs - System Tool infection

Post by MAPepin » January 4th, 2011, 11:16 pm

Here's my ComboFix log:

ComboFix 11-01-04.02 - Aaron 01/04/2011 21:43:56.1.1 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.893.494 [GMT -5:00]
Running from: c:\users\Aaron\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\gIjBc06300
c:\programdata\gIjBc06300\gIjBc06300
c:\programdata\gIjBc06300\gIjBc06300.exe
c:\users\Aaron\AppData\Local\{D2A2CF18-A02C-48AF-942E-95B23B2A7E57}
c:\users\Aaron\AppData\Local\{D2A2CF18-A02C-48AF-942E-95B23B2A7E57}\chrome.manifest
c:\users\Aaron\AppData\Local\{D2A2CF18-A02C-48AF-942E-95B23B2A7E57}\chrome\content\_cfg.js
c:\users\Aaron\AppData\Local\{D2A2CF18-A02C-48AF-942E-95B23B2A7E57}\chrome\content\overlay.xul
c:\users\Aaron\AppData\Local\{D2A2CF18-A02C-48AF-942E-95B23B2A7E57}\install.rdf
c:\users\Aaron\AppData\Local\isojacuq.dll
c:\users\Aaron\AppData\Local\ksanelsp.dll
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp15FE.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp1A.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp1C48.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp1C5C.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp1D76.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp1DB4.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp1E3A.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp219C.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp23CA.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp39A3.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp3B00.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp403F.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp438C.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp4697.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp4DEC.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp584B.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp7615.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp8463.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp8596.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp85D3.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp8753.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp8E02.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp8F2B.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp97C6.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp9FF6.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpB3E7.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpC0E9.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpC1E8.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpCF.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpD001.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpD0C3.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpD444.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpE133.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpE3C.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpEA5B.tmp
c:\users\Aaron\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpEB6F.tmp
c:\users\Aaron\AppData\Roaming\dkfjasdfshd.bat
c:\users\Aaron\AppData\Roaming\install
c:\users\Aaron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tool
c:\users\Aaron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tool\System Tool 2011.lnk
c:\users\Aaron\Desktop\System Tool 2011.lnk
c:\windows\system32\{f053e74d-b418-5f0d-f69c-198f54f619e6}.dll-uninst.exe
c:\windows\system32\adzgalore-remove.exe
c:\windows\system32\af3549c0-69c6-aae5-8662-449488a06346.exe
c:\windows\system32\cpmsky-uninst.exe
c:\windows\system32\logs
c:\windows\system32\mfwshjpdqpgdelmj.dll-uninst.exe
c:\windows\system32\mfwshjpdqpgdelmj.dll
c:\windows\system32\mysidesearch_sidebar_uninstall.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))
.

2011-01-05 02:39 . 2011-01-05 02:40 -------- d-----w- C:\32788R22FWJFW
2011-01-02 00:48 . 2011-01-02 00:48 -------- d-----w- c:\programdata\MFAData
2011-01-02 00:18 . 2010-11-16 17:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F3862F86-098A-4D95-8486-71885C16BF0E}\mpengine.dll
2011-01-02 00:18 . 2010-10-19 15:41 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-17 15:43 . 2010-12-17 15:43 -------- d-----w- c:\windows\system32\MpEngineStore
2010-12-16 20:41 . 2010-10-28 13:20 2048 ----a-w- c:\windows\system32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-04 02:52 . 2010-04-11 11:41 0 ----a-w- c:\users\Aaron\AppData\Local\Aqewexi.bin
2010-10-08 19:54 . 2010-10-08 19:54 163 ----a-w- c:\users\Aaron\AppData\Roaming\asdsada.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6ff7cd9f-8183-16a2-4245-4d88dd54f36f}]
2008-04-08 12:24 327680 ----a-w- c:\windows\System32\{f053e74d-b418-5f0d-f69c-198f54f619e6}.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-10-10 202544]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 1460560]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-20 815104]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-12 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1540096]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-16 1838592]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-09 136600]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-22 842584]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-10-10 202544]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 77824]
"MRT"="c:\windows\system32\MRT.exe" [2010-12-17 37366216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-15 50688]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-12-15 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R1 utvdyuwa;utvdyuwa;c:\windows\system32\drivers\utvdyuwa.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2007-08-31 600912]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 YMIDUSBW;Yamaha USB-MIDI Driver (WDM);c:\windows\system32\drivers\ymidusbw.sys [2007-02-26 32720]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE
*NewlyCreated* - PXHELP20

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
FF - ProfilePath - c:\users\Aaron\AppData\Roaming\Mozilla\Firefox\Profiles\tnhe4pes.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5555
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.exe
HKCU-Run-Ilayuhaku - c:\users\Aaron\AppData\Local\isojacuq.dll
HKLM-RunOnce-<NO NAME> - (no file)
AddRemove-af3549c0-69c6-aae5-8662-449488a06346 - c:\windows\system32\af3549c0-69c6-aae5-8662-449488a06346.exe
AddRemove-{9DE13AC7-E567-6CA4-E9B2-6611437E5C9E} - c:\windows\system32\mfwshjpdqpgdelmj.dll-uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-04 21:51
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-01-04 21:55:58
ComboFix-quarantined-files.txt 2011-01-05 02:55

Pre-Run: 28,151,496,704 bytes free
Post-Run: 30,108,983,296 bytes free

- - End Of File - - 3125A50F4A9ACF9B7CE7864CA0001C64
MAPepin
Regular Member
 
Posts: 22
Joined: January 28th, 2008, 11:37 am
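Two items in the ComboFix log above are what a helper reads first: both browsers have an HTTP proxy pointed at 127.0.0.1:5555, so a process on the machine itself sits in the path of every HTTP request, and there are autostart entries whose target file no longer exists. As an added example (not code from this thread, nor from ComboFix, OTL or any other tool named here), the Python script below reads lines in the ComboFix and OTL formats pasted in this thread and flags those two patterns, plus a browser helper object whose file carries no company name. The sample lines are constructed from the formats and values shown in the logs; the regular expressions, the severity scheme and the hive-matching logic are the example's own assumptions, not anything the tools provide.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample: a dozen lines in the ComboFix ("u" prefix = current user
# hive) and OTL (IE - / FF - / O2 / O4) formats pasted in this thread. Not a
# complete log; the values are the ones those logs show.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5555
FF - prefs.js: network.proxy.type - 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
IE - HKU\S-1-5-21-1271755778-601456851-151212410-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1271755778-601456851-151212410-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Windows\sttray.exe (SigmaTel, Inc.)
O4 - HKU\S-1-5-21-1271755778-601456851-151212410-1000..\Run: [Ilayuhaku] C:\Users\Aaron\AppData\Local\isojacuq.DLL File not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (cpmsky browser optimizer) - {6ff7cd9f-8183-16a2-4245-4d88dd54f36f} - C:\Windows\System32\{f053e74d-b418-5f0d-f69c-198f54f619e6}.dll ( )
"""

# Detection patterns (assumptions of this example, tuned to the two log formats).
PROXY_SERVER = re.compile(r'ProxyServer"?\s*=\s*(?:\w+=)?([\w.\-]+):(\d+)')
PROXY_ENABLE = re.compile(r'"ProxyEnable"\s*=\s*(\d)')
FF_PROXY_HOST = re.compile(r'network\.proxy\.http\b[^\d"]*"?([\d.]+)')   # not http_port
FF_PROXY_TYPE = re.compile(r'network\.proxy\.type\b\D*(\d)')
RUN_ORPHAN = re.compile(r'^O4 - .*\\Run(?:Once)?: \[([^\]]+)\] (.+?) File not found$')
BHO_NO_COMPANY = re.compile(r'^O2 - BHO: \(([^)]*)\) - (\{[0-9A-Fa-f-]+\}) - (.+?) \(\s*\)$')
HIVE = re.compile(r'HK(?:LM|CU|U\\[^\\]+)')


def hive_of(line: str) -> str:
    """Registry hive an OTL line belongs to; ComboFix's u* prefix means HKCU."""
    m = HIVE.search(line)
    return m.group(0) if m else "HKCU"


def is_loopback(host: str) -> bool:
    """True for 127.x.x.x, ::1 or the name localhost."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def finding(severity: str, line: str, reason: str) -> Dict[str, str]:
    return {"severity": severity, "line": line, "reason": reason}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, in log order."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # OTL prints ProxyEnable per hive; ComboFix does not, so a ComboFix hit
    # can only be rated "medium" until the OTL log confirms it is switched on.
    enabled_hives = {hive_of(ln) for ln in lines
                     if (m := PROXY_ENABLE.search(ln)) and m.group(1) == "1"}
    # network.proxy.type 0 means "no proxy": the host is configured but unused.
    ff_type = next((m.group(1) for ln in lines if (m := FF_PROXY_TYPE.search(ln))), None)

    findings: List[Dict[str, str]] = []
    for ln in lines:
        if m := PROXY_SERVER.search(ln):
            host, port = m.group(1), m.group(2)
            if is_loopback(host):
                sev = "high" if hive_of(ln) in enabled_hives else "medium"
                findings.append(finding(sev, ln,
                    f"IE proxy for {hive_of(ln)} points at the local machine ({host}:{port}); "
                    "a local process is intercepting HTTP traffic"))
        elif m := FF_PROXY_HOST.search(ln):
            if is_loopback(m.group(1)):
                sev = "low" if ff_type == "0" else "medium"
                findings.append(finding(sev, ln,
                    f"Firefox proxy host is loopback ({m.group(1)}); "
                    f"network.proxy.type={ff_type} (0 = proxy configured but not in use)"))
        elif m := RUN_ORPHAN.match(ln):
            findings.append(finding("medium", ln,
                f"autostart '{m.group(1)}' points at a missing file {m.group(2)}; "
                "leftover of a component that was removed or is hidden"))
        elif m := BHO_NO_COMPANY.match(ln):
            findings.append(finding("high", ln,
                f"BHO '{m.group(1)}' loads {m.group(3)}, which carries no company name"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
```

Run against the sample it reports six findings: the two IE proxy lines for the hive with ProxyEnable = 1 come out "high", the ComboFix and the disabled-hive entries "medium", the Firefox entry "low" because network.proxy.type is 0, the Ilayuhaku autostart "medium" and the cpmsky BHO "high". Feed it a whole OTL.txt and the same rules apply; the severity scheme is a starting point for a helper's reading of the log, not a verdict.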

Re: HJT logs - System Tool infection

Unread postby deltalima » January 5th, 2011, 5:10 am

Hi MAPepin,

Please boot into normal mode.

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Right click on OTL.exe and select: Run as Administrator.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.
  • Right click the .exe file and select: Run as Administrator. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: HJT logs - System Tool infection

Unread postby MAPepin » January 5th, 2011, 9:02 pm

Here are the logs that you requested.

A note about GMER: A window popped up saying that xpuwv8m3.exe (gmer.exe) has stopped working and that a problem caused the program to stop working correctly. Windows closed the program.

I ran it again and here's the log output:

=================================================================================
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-01-05 18:28:18
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK8046GSX rev.LB312D
Running: 41qpurd9.exe; Driver: C:\Users\Aaron\AppData\Local\Temp\pglcrpog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
=================================================================================
OTL.txt

OTL logfile created on: 1/5/2011 4:58:52 PM - Run 1
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Users\Aaron\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18999)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

893.00 Mb Total Physical Memory | 392.00 Mb Available Physical Memory | 44.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 51.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 64.44 Gb Total Space | 26.70 Gb Free Space | 41.43% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.05 Gb Free Space | 60.47% Space Free | Partition Type: NTFS

Computer Name: AARON-PC | User Name: Aaron | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Aaron\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (Digidesign, A Division of Avid Technology, Inc.)
PRC - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (Lavasoft AB)
PRC - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
PRC - C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
PRC - C:\Windows\sttray.exe (SigmaTel, Inc.)
PRC - C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
PRC - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe (ATI Technologies Inc.)


========== Modules (SafeList) ==========

MOD - C:\Users\Aaron\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (McSysmon) -- C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe File not found
SRV - (McShield) -- C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe File not found
SRV - (WPFFontCache_v0400) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (GoogleDesktopManager) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
SRV - (DigiRefresh) -- C:\Program Files\Digidesign\Drivers\MMERefresh.exe (Digidesign, A Division of Avid Technology, Inc.)
SRV - (digiSPTIService) -- C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe (Digidesign, A Division of Avid Technology, Inc.)
SRV - (aawservice) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (Lavasoft AB)
SRV - (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
SRV - (SBSDWSCService) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (WcesComm) -- C:\Windows\WindowsMobile\wcescomm.dll (Microsoft Corporation)
SRV - (RapiMgr) -- C:\Windows\WindowsMobile\rapimgr.dll (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (utvdyuwa) -- C:\Windows\System32\drivers\utvdyuwa.sys File not found
DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found
DRV - (catchme) -- C:\Users\Aaron\AppData\Local\Temp\catchme.sys File not found
DRV - (blbdrive) -- C:\Windows\System32\drivers\blbdrive.sys File not found
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\Windows\System32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (TPkd) -- C:\Windows\System32\drivers\TPkd.sys (PACE Anti-Piracy, Inc.)
DRV - (bcm4sbxp) -- C:\Windows\System32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (YMIDUSBW) Yamaha USB-MIDI Driver (WDM) -- C:\Windows\System32\drivers\ymidusbw.sys (Yamaha Corporation)
DRV - (STHDA) -- C:\Windows\System32\drivers\stwrt.sys (SigmaTel, Inc.)
DRV - (rimsptsk) -- C:\Windows\system32\drivers\rimsptsk.sys (REDC)
DRV - (rismxdp) -- C:\Windows\system32\drivers\rixdptsk.sys (REDC)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (SynTP) -- C:\Windows\System32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (BCM43XX) -- C:\Windows\System32\drivers\BCMWL6.SYS (Broadcom Corporation)
DRV - (HSF_DPV) -- C:\Windows\System32\drivers\HSX_DPV.sys (Conexant Systems, Inc.)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\Windows\System32\drivers\HSX_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSXHWAZL) -- C:\Windows\System32\drivers\HSXHWAZL.sys (Conexant Systems, Inc.)
DRV - (Point32) -- C:\Windows\System32\drivers\point32k.sys (Microsoft Corporation)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (e1express) Intel(R) -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)
DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (AtiPcie) ATI PCI Express (3GIO) -- C:\Windows\system32\DRIVERS\AtiPcie.sys (ATI Technologies Inc.)
DRV - (BANTExt) -- C:\Windows\System32\Drivers\BANTExt.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555



IE - HKU\S-1-5-21-1271755778-601456851-151212410-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1271755778-601456851-151212410-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 2
IE - HKU\S-1-5-21-1271755778-601456851-151212410-1000\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1271755778-601456851-151212410-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1271755778-601456851-151212410-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1271755778-601456851-151212410-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.6.20090220
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 5555
FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"
FF - prefs.js..network.proxy.type: 0


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/14 06:16:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/01/05 10:12:54 | 000,000,000 | ---D | M]

[2010/05/09 09:51:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Aaron\AppData\Roaming\Mozilla\Extensions
[2011/01/05 10:21:35 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Aaron\AppData\Roaming\Mozilla\Firefox\Profiles\tnhe4pes.default\extensions
[2010/06/25 12:01:24 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Aaron\AppData\Roaming\Mozilla\Firefox\Profiles\tnhe4pes.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/05 10:14:23 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Aaron\AppData\Roaming\Mozilla\Firefox\Profiles\tnhe4pes.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/01/05 10:12:57 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/05 10:12:57 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2010/11/12 18:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/01/04 21:51:35 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (cpmsky browser optimizer) - {6ff7cd9f-8183-16a2-4245-4d88dd54f36f} - C:\Windows\System32\{f053e74d-b418-5f0d-f69c-198f54f619e6}.dll ( )
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1271755778-601456851-151212410-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe (Digidesign, A Division of Avid Technology, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [ECenter] C:\DELL\E-Center\EULALauncher.exe ( )
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Windows\sttray.exe (SigmaTel, Inc.)
O4 - HKU\.DEFAULT..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe ()
O4 - HKU\S-1-5-18..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe ()
O4 - HKU\S-1-5-21-1271755778-601456851-151212410-1000..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKU\S-1-5-21-1271755778-601456851-151212410-1000..\Run: [Ilayuhaku] C:\Users\Aaron\AppData\Local\isojacuq.DLL File not found
O4 - HKU\S-1-5-21-1271755778-601456851-151212410-1000..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKU\S-1-5-21-1271755778-601456851-151212410-1000..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.exe File not found
O4 - HKU\S-1-5-21-1271755778-601456851-151212410-1000..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\NPSWF32_FlashUtil.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1271755778-601456851-151212410-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1271755778-601456851-151212410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1271755778-601456851-151212410-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_23)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Aaron\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Aaron\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/05 16:54:09 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Aaron\Desktop\OTL.exe
[2011/01/05 10:15:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2011/01/05 10:12:53 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2011/01/05 10:12:53 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/01/05 10:12:53 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/01/05 10:12:53 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/01/04 21:56:00 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/01/04 21:56:00 | 000,000,000 | ---D | C] -- C:\Users\Aaron\AppData\Local\temp
[2011/01/04 21:55:19 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/01/04 21:40:32 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/01/04 21:40:32 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/01/04 21:40:32 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/01/04 21:40:20 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/01/04 21:39:42 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/01/04 21:39:25 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2011/01/04 21:39:23 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2011/01/02 18:09:35 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Aaron\Desktop\SuckOnThis.exe
[2011/01/01 19:48:22 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2011/01/01 19:18:34 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010/12/17 10:43:44 | 000,000,000 | ---D | C] -- C:\Windows\System32\MpEngineStore
[2010/12/16 15:43:48 | 002,038,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2010/12/16 15:43:39 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010/12/16 15:43:37 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010/12/16 15:43:37 | 000,173,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2010/12/16 15:43:36 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2010/12/16 15:43:36 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/12/16 15:43:36 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2010/12/16 15:43:34 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2010/12/16 15:43:34 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010/12/16 15:43:34 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010/12/16 15:43:34 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2010/12/16 15:43:34 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2010/12/16 15:43:33 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2010/12/16 15:43:33 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2010/12/16 15:43:33 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2010/12/16 15:43:33 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010/12/16 15:43:33 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2010/12/16 15:43:33 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010/12/16 15:43:23 | 000,352,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\taskschd.dll
[2010/12/16 15:43:20 | 000,345,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmicmiplugin.dll
[2010/12/16 15:43:19 | 000,270,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\taskcomp.dll
[2010/12/16 15:43:09 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\consent.exe
[2010/12/16 15:43:05 | 000,292,352 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2010/12/16 15:43:05 | 000,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\fontsub.dll
[2010/12/16 15:43:05 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2010/12/16 15:41:49 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010/12/11 18:03:01 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2009/01/11 17:01:07 | 000,040,960 | ---- | C] (Analog Devices Inc.) -- C:\Users\Aaron\AppData\Local\Mcegocadisayik.dll
[2008/04/08 07:24:40 | 000,327,680 | ---- | C] ( ) -- C:\Windows\System32\{f053e74d-b418-5f0d-f69c-198f54f619e6}.dll

========== Files - Modified Within 30 Days ==========

[2011/01/05 16:55:43 | 000,296,448 | ---- | M] () -- C:\Users\Aaron\Desktop\xpuwv8m3.exe
[2011/01/05 16:54:11 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Aaron\Desktop\OTL.exe
[2011/01/05 15:58:17 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/01/05 15:58:17 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/01/05 14:02:42 | 000,061,522 | ---- | M] () -- C:\Users\Aaron\Desktop\bioshock_lolcat_3_by_afairjudgement.jpg
[2011/01/05 10:01:54 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/01/05 10:01:54 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/01/05 09:54:41 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/01/05 09:54:36 | 937,476,096 | -HS- | M] () -- C:\hiberfil.sys
[2011/01/04 21:51:35 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/01/04 21:37:05 | 004,013,176 | ---- | M] () -- C:\Users\Aaron\Documents\ComboFix.exe
[2011/01/04 21:36:42 | 004,013,176 | R--- | M] () -- C:\Users\Aaron\Desktop\ComboFix.exe
[2011/01/04 20:16:15 | 005,439,163 | ---- | M] () -- C:\Users\Aaron\Documents\mwym11.zip
[2011/01/03 23:55:25 | 000,296,448 | ---- | M] () -- C:\Users\Aaron\Desktop\41qpurd9.exe
[2011/01/03 21:57:24 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2011/01/03 21:52:54 | 000,000,000 | ---- | M] () -- C:\Users\Aaron\AppData\Local\Aqewexi.bin
[2011/01/03 19:26:09 | 000,158,720 | ---- | M] () -- C:\Users\Aaron\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/02 22:52:04 | 000,780,283 | ---- | M] () -- C:\Users\Aaron\Desktop\rkill.exe
[2011/01/01 19:48:09 | 000,002,243 | ---- | M] () -- C:\Windows\epplauncher.mif
[2011/01/01 19:48:07 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Aaron\Desktop\SuckOnThis.exe
[2011/01/01 19:31:53 | 000,007,944 | ---- | M] () -- C:\Users\Aaron\AppData\Local\d3d9caps.dat
[2010/12/27 20:01:05 | 016,561,671 | ---- | M] () -- C:\Users\Aaron\Documents\BWV 582.wmv
[2010/12/27 15:42:36 | 001,981,281 | ---- | M] () -- C:\Users\Aaron\Documents\32in24-4final.zip
[2010/12/26 22:26:44 | 011,804,129 | ---- | M] () -- C:\Users\Aaron\Documents\BWV 548_Fugue.wmv
[2010/12/26 20:08:58 | 009,442,882 | ---- | M] () -- C:\Users\Aaron\Documents\BWV 548.wmv
[2010/12/26 19:30:36 | 000,008,866 | ---- | M] () -- C:\Users\Aaron\AppData\Roaming\wklnhst.dat
[2010/12/20 18:30:04 | 000,608,150 | ---- | M] () -- C:\Users\Aaron\Documents\FUNNY BAN MESSAGES.rtf
[2010/12/17 12:11:09 | 000,349,848 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/12/17 10:43:45 | 000,000,127 | ---- | M] () -- C:\Windows\System32\MRT.INI
[2010/12/11 18:04:15 | 000,001,889 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 8.lnk

========== Files Created - No Company Name ==========

[2011/01/05 16:55:42 | 000,296,448 | ---- | C] () -- C:\Users\Aaron\Desktop\xpuwv8m3.exe
[2011/01/05 14:02:35 | 000,061,522 | ---- | C] () -- C:\Users\Aaron\Desktop\bioshock_lolcat_3_by_afairjudgement.jpg
[2011/01/05 09:54:36 | 937,476,096 | -HS- | C] () -- C:\hiberfil.sys
[2011/01/04 21:40:32 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/01/04 21:40:32 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/01/04 21:40:32 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2011/01/04 21:40:32 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/01/04 21:40:32 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/01/04 21:37:05 | 004,013,176 | ---- | C] () -- C:\Users\Aaron\Documents\ComboFix.exe
[2011/01/04 21:36:25 | 004,013,176 | R--- | C] () -- C:\Users\Aaron\Desktop\ComboFix.exe
[2011/01/04 20:14:58 | 005,439,163 | ---- | C] () -- C:\Users\Aaron\Documents\mwym11.zip
[2011/01/03 20:24:52 | 000,296,448 | ---- | C] () -- C:\Users\Aaron\Desktop\41qpurd9.exe
[2011/01/02 18:08:57 | 000,780,283 | ---- | C] () -- C:\Users\Aaron\Desktop\rkill.exe
[2011/01/01 19:48:09 | 000,002,243 | ---- | C] () -- C:\Windows\epplauncher.mif
[2010/12/27 19:55:47 | 016,561,671 | ---- | C] () -- C:\Users\Aaron\Documents\BWV 582.wmv
[2010/12/27 15:42:12 | 001,981,281 | ---- | C] () -- C:\Users\Aaron\Documents\32in24-4final.zip
[2010/12/26 22:14:13 | 011,804,129 | ---- | C] () -- C:\Users\Aaron\Documents\BWV 548_Fugue.wmv
[2010/12/26 19:28:23 | 009,442,882 | ---- | C] () -- C:\Users\Aaron\Documents\BWV 548.wmv
[2010/12/11 18:04:15 | 000,001,889 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 8.lnk
[2010/10/08 14:54:58 | 000,000,163 | ---- | C] () -- C:\Users\Aaron\AppData\Roaming\asdsada.bat
[2010/07/20 16:48:05 | 000,217,088 | ---- | C] () -- C:\Windows\System32\qtmlClient.dll
[2010/04/11 06:41:08 | 000,000,000 | ---- | C] () -- C:\Users\Aaron\AppData\Local\Aqewexi.bin
[2010/04/11 06:41:07 | 000,000,120 | ---- | C] () -- C:\Users\Aaron\AppData\Local\Ntejujiqi.dat
[2010/04/06 17:03:34 | 000,010,466 | -HS- | C] () -- C:\Users\Aaron\AppData\Local\C6158646
[2010/04/06 17:03:34 | 000,010,466 | -HS- | C] () -- C:\ProgramData\C6158646
[2009/09/24 17:24:22 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/06/11 03:06:26 | 000,000,127 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2008/12/26 15:38:34 | 000,007,944 | ---- | C] () -- C:\Users\Aaron\AppData\Local\d3d9caps.dat
[2008/09/20 11:01:46 | 000,000,882 | ---- | C] () -- C:\Windows\DC.ini
[2008/07/21 17:50:06 | 000,000,054 | ---- | C] () -- C:\Windows\Composer.INI
[2008/02/06 12:21:56 | 000,233,472 | ---- | C] () -- C:\Windows\System32\nscB855.dll
[2008/01/07 20:20:11 | 000,008,866 | ---- | C] () -- C:\Users\Aaron\AppData\Roaming\wklnhst.dat
[2008/01/07 14:52:32 | 000,003,840 | ---- | C] () -- C:\Windows\System32\drivers\BANTExt.sys
[2008/01/06 23:27:49 | 000,158,720 | ---- | C] () -- C:\Users\Aaron\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/12/16 07:13:02 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2007/12/16 07:13:01 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2007/12/16 07:12:52 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2007/12/15 23:40:13 | 000,065,536 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
[2006/11/07 14:25:58 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/09/17 00:36:50 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/17 00:36:50 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 64 bytes -> C:\Users\Aaron\Documents\lol.mpg:TOC.WMV
@Alternate Data Stream - 64 bytes -> C:\Users\Aaron\Documents\Explosive Impact - Cyber Bullies Hackers.mp3:TOC.WMV
@Alternate Data Stream - 64 bytes -> C:\Users\Aaron\Documents\clip0045.avi:TOC.WMV
@Alternate Data Stream - 64 bytes -> C:\Users\Aaron\Documents\clip0039.avi:TOC.WMV
@Alternate Data Stream - 64 bytes -> C:\Users\Aaron\Documents\Alice in Chains God Smack.mp3:TOC.WMV
@Alternate Data Stream - 64 bytes -> C:\Users\Aaron\Desktop\WAVE0001.WAV:TOC.WMV
@Alternate Data Stream - 1326 bytes -> C:\Users\Aaron\AppData\Local\ZBmpryHWj:y848GBFMpyP0qdK0pH07wxi
@Alternate Data Stream - 1289 bytes -> C:\ProgramData\Microsoft:y98ascon5PANdUG4DGiG4oXlWS
@Alternate Data Stream - 1197 bytes -> C:\ProgramData\Microsoft:rcAtvThhWVLuORUwIKagaT
@Alternate Data Stream - 1093 bytes -> C:\Users\Aaron\AppData\Local\LMeeS4wmLIB:0smQLv1TqtzpAGsn0CI2FD

< End of report >
=================================================================================
Extras.txt

OTL Extras logfile created on: 1/5/2011 4:58:52 PM - Run 1
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Users\Aaron\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18999)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

893.00 Mb Total Physical Memory | 392.00 Mb Available Physical Memory | 44.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 51.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 64.44 Gb Total Space | 26.70 Gb Free Space | 41.43% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.05 Gb Free Space | 60.47% Space Free | Partition Type: NTFS

Computer Name: AARON-PC | User Name: Aaron | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1271755778-601456851-151212410-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01B5B37C-AAE1-4AC8-821D-6E0118FF1EF9}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{05FA470E-D198-480B-AE3B-81797C8CE509}" = lport=445 | protocol=6 | dir=in | app=system |
"{1F1D327E-4CA0-4418-ABAE-FD8C8086614F}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{1FCC2F43-B961-40D0-B04A-A0CC89B28B85}" = lport=139 | protocol=6 | dir=in | app=system |
"{21370580-F6A5-4689-98B9-88B89967D976}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{2700B6B4-C9B5-4F23-99A1-79208ACD5981}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{374F15A2-1E2A-4354-B8D7-FBB13C8E4E59}" = lport=138 | protocol=17 | dir=in | app=system |
"{3E311F69-5893-46E3-8511-B40C0EEEE1E9}" = lport=2869 | protocol=6 | dir=in | app=system |
"{3EB0910B-26B7-4ED7-9808-72E69B5A36D2}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{5609C4BB-DCD5-4CDA-BEBA-8D531B257B1E}" = lport=10243 | protocol=6 | dir=in | app=system |
"{5E51B1E5-7B1A-43BB-A9A1-D33EA1655B6E}" = rport=139 | protocol=6 | dir=out | app=system |
"{71D656A7-E82A-4904-B318-68E6365EA9D2}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{79C80685-F77B-4B6F-A9C6-763C4ACF0024}" = rport=137 | protocol=17 | dir=out | app=system |
"{82A3D11C-784F-4FCC-B5C0-D58D3659B6C3}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{8923382C-8AFC-424F-A1FC-4607344B8585}" = lport=137 | protocol=17 | dir=in | app=system |
"{9011C896-1108-41C9-9F7D-6EA2C0DAF0FB}" = rport=445 | protocol=6 | dir=out | app=system |
"{A92FD0F9-2F99-4A7F-8160-865781407339}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{D6CB3F33-32EF-406F-9F11-2E8ED35B3E72}" = rport=138 | protocol=17 | dir=out | app=system |
"{F07A01B5-D61E-4B81-98C2-7D9816687E81}" = rport=10243 | protocol=6 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02337090-5604-483B-9C16-9F5ADFA4CCAF}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{0836C1F4-E4F1-4553-9DFD-C03CA9062503}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{0884C863-7831-4DD1-A0F6-F9BB2B6FCAB0}" = protocol=17 | dir=in | app=c:\program files\skulltag\idese.exe |
"{1D818489-8C4A-4B87-B297-FCC7130E1542}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{2800B986-693D-4E97-BBE5-367101EFD309}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{2F88A7CF-FD91-422E-A48B-9B97FC3BA04B}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{330E9471-C419-430E-A5FB-CBAAD5E88F0E}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{344F9BD6-1C5E-4C2E-B5BF-603139C4C453}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{37F13A76-9A27-46E8-83D5-92736334E358}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{42F2AFA4-09EE-40AC-8930-FDD6FF5A4F3E}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{446BC096-33AB-4B3D-B13F-0688970088CC}" = protocol=6 | dir=in | app=c:\program files\skulltag\idese.exe |
"{481DDA6C-A3BE-4977-9232-826B290CECF0}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{49E50AD1-2381-4C39-BC59-F01329C99052}" = protocol=6 | dir=in | app=c:\program files\skulltag\rcon_utility.exe |
"{4B763526-9D37-4741-A3D2-7CBEA6852295}" = protocol=17 | dir=in | app=c:\program files\skulltag\skulltag.exe |
"{573968ED-E079-45A1-9742-2F59AF505BB6}" = protocol=6 | dir=out | app=system |
"{5802CA74-648D-4450-932A-60CA436F1155}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{5885C609-D305-4D8B-9270-923ACE98396B}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{5C95452B-A83F-4E40-8F8F-E2931E78B570}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{5F48E0D8-82FE-4CE3-9422-3407764A3F5A}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{60F6922D-BB59-4C81-AA99-891EED27508A}" = protocol=6 | dir=in | app=c:\program files\skulltag\skulltag.exe |
"{7202BFC6-34CC-4693-8FCE-FCF72712191D}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{83BFF618-EE55-479D-AB1D-B71E419ACAA3}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{86AE4B85-6ABB-4428-AEA9-F3B0EC9965C2}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{8E3EE34F-F488-46BA-8345-F729B9D1B347}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{99998D88-4D5E-4BF3-B761-97B668A4B053}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{A4400CA8-C234-474C-9F3F-9858E99529C1}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{AC3A3CE3-438E-4F40-A388-7BBF67C71E9B}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{B9A48AA5-2E34-4031-8DAD-92644A1BAC7A}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{BAD51CE0-076D-441B-A35D-29928E4C52FD}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{BB1C37FB-B1E7-438F-9B0A-A6D99C6E2F84}" = protocol=17 | dir=in | app=c:\program files\skulltag\rcon_utility.exe |
"{C65E2B84-0A00-4184-A62C-5C64DA3B2347}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{DEE8D291-B7AB-477B-A7F8-5F9D755D66A6}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{E3B016E7-67FE-49E2-B922-B5E0051AAC4A}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"{E96827E4-331F-42E2-844D-2B1F4F47BDDE}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{FC1C57A6-CF5A-4AFD-9F40-AFF1DEED7346}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"TCP Query User{19093DF3-A5CA-4913-923D-68BF9219819E}C:\program files\zdaemon\zserv32.exe" = protocol=6 | dir=in | app=c:\program files\zdaemon\zserv32.exe |
"TCP Query User{1E1BCCE9-6C22-422B-AE42-0FFE7AB7A8FF}C:\program files\zdaemon\zdaemon.exe" = protocol=6 | dir=in | app=c:\program files\zdaemon\zdaemon.exe |
"TCP Query User{203D2425-FC1D-4B11-B3DC-E6D528A68E2C}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"TCP Query User{271B2C46-21F9-43D3-96C4-C62FF3AA4F30}C:\zdaemon\zlauncher.exe" = protocol=6 | dir=in | app=c:\zdaemon\zlauncher.exe |
"TCP Query User{2776AA13-CFFF-4D2F-8582-BE1ECA5300BC}C:\users\aaron\desktop\zdoom\idese.exe" = protocol=6 | dir=in | app=c:\users\aaron\desktop\zdoom\idese.exe |
"TCP Query User{2A4795A5-B2E3-435D-A3C0-248D16FB7E33}C:\program files\zdaemon\zserv32.exe" = protocol=6 | dir=in | app=c:\program files\zdaemon\zserv32.exe |
"TCP Query User{2DD515C2-D126-461F-BBDC-D8F98835E4BF}C:\zdaemon\zdaemon.exe" = protocol=6 | dir=in | app=c:\zdaemon\zdaemon.exe |
"TCP Query User{3C432DF6-3336-4C73-A5F6-DD17C10626A1}C:\program files\zdaemon\zserv.exe" = protocol=6 | dir=in | app=c:\program files\zdaemon\zserv.exe |
"TCP Query User{3C8EF1B3-F1E0-49E1-9750-DCA921A86A8A}C:\program files\zdaemon\zlauncher.exe" = protocol=6 | dir=in | app=c:\program files\zdaemon\zlauncher.exe |
"TCP Query User{3E3B83EB-0396-49EB-8AB6-E0357E7461C8}C:\users\aaron\desktop\zdoom\skulltag.exe" = protocol=6 | dir=in | app=c:\users\aaron\desktop\zdoom\skulltag.exe |
"TCP Query User{56D8EBB5-A90D-443A-BB81-68CF1D66F8FB}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"TCP Query User{6F55220F-1E2E-44B0-8F41-901CEE69914B}C:\users\aaron\desktop\ide\ide.exe" = protocol=6 | dir=in | app=c:\users\aaron\desktop\ide\ide.exe |
"TCP Query User{8454ADDD-8234-4AF7-B155-E16D2DE05042}C:\zdaemon\zdaemon.exe" = protocol=6 | dir=in | app=c:\zdaemon\zdaemon.exe |
"TCP Query User{846B2A41-D187-472F-9CA5-9BE4D7A85864}C:\program files\doom collector's edition\final doom\doom95.exe" = protocol=6 | dir=in | app=c:\program files\doom collector's edition\final doom\doom95.exe |
"TCP Query User{8717B6C3-8CDF-4C82-B955-649176AF5BF0}C:\program files\skulltag\idese.exe" = protocol=6 | dir=in | app=c:\program files\skulltag\idese.exe |
"TCP Query User{A51373DA-9D3F-4BDD-8168-BA8CD59B4DC6}C:\program files\zdaemon\zdaemon.exe" = protocol=6 | dir=in | app=c:\program files\zdaemon\zdaemon.exe |
"TCP Query User{A88AE5B8-983F-40E2-8DC3-6769A8F228F7}C:\zdaemon\zlauncher.exe" = protocol=6 | dir=in | app=c:\zdaemon\zlauncher.exe |
"TCP Query User{AB6A0E07-EAA1-46A9-93F8-63A8F5A6F856}C:\users\aaron\desktop\idese.exe" = protocol=6 | dir=in | app=c:\users\aaron\desktop\idese.exe |
"TCP Query User{C28504A8-B119-4B21-A8A9-5AABCBF16B1C}C:\program files\zdaemon\zlauncher.exe" = protocol=6 | dir=in | app=c:\program files\zdaemon\zlauncher.exe |
"TCP Query User{D2A07C5E-77CA-4E93-8541-A14C524C4FE6}C:\program files\zdaemon\zsl\zsllite.exe" = protocol=6 | dir=in | app=c:\program files\zdaemon\zsl\zsllite.exe |
"TCP Query User{DAFBB312-47AA-4303-B28D-73BDCD5A4C8E}C:\program files\limewire\limewire.exe" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"TCP Query User{F613BB9C-AF88-4C0E-8ACD-2366CB9D833D}C:\program files\zdaemon\zsl\zsllite.exe" = protocol=6 | dir=in | app=c:\program files\zdaemon\zsl\zsllite.exe |
"TCP Query User{F8214718-A3A8-4466-844F-D9CAE6E02D4D}C:\users\aaron\desktop\idese.exe" = protocol=6 | dir=in | app=c:\users\aaron\desktop\idese.exe |
"UDP Query User{0175F8BF-750B-4578-A456-2DD9938D8772}C:\users\aaron\desktop\idese.exe" = protocol=17 | dir=in | app=c:\users\aaron\desktop\idese.exe |
"UDP Query User{03043559-C084-48E1-9FF4-CE1287D9964E}C:\program files\zdaemon\zsl\zsllite.exe" = protocol=17 | dir=in | app=c:\program files\zdaemon\zsl\zsllite.exe |
"UDP Query User{115820D4-8CFF-43F2-BB3B-8B26FD8256D1}C:\zdaemon\zlauncher.exe" = protocol=17 | dir=in | app=c:\zdaemon\zlauncher.exe |
"UDP Query User{1DA7B263-0E35-4B06-94F0-380EF7119042}C:\users\aaron\desktop\idese.exe" = protocol=17 | dir=in | app=c:\users\aaron\desktop\idese.exe |
"UDP Query User{21B1C3ED-062F-4AD9-8105-C365B0E58502}C:\program files\zdaemon\zserv32.exe" = protocol=17 | dir=in | app=c:\program files\zdaemon\zserv32.exe |
"UDP Query User{2819A26D-7EB1-440A-BED2-492D6033FCBA}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
"UDP Query User{2E5FE3EC-A83F-4961-BF38-E691FFF1C5DC}C:\users\aaron\desktop\ide\ide.exe" = protocol=17 | dir=in | app=c:\users\aaron\desktop\ide\ide.exe |
"UDP Query User{3D97FDB6-C0F6-48E4-82F1-E52E91AB57EB}C:\program files\doom collector's edition\final doom\doom95.exe" = protocol=17 | dir=in | app=c:\program files\doom collector's edition\final doom\doom95.exe |
"UDP Query User{46F47F32-676D-4495-917A-A1141915031E}C:\users\aaron\desktop\zdoom\skulltag.exe" = protocol=17 | dir=in | app=c:\users\aaron\desktop\zdoom\skulltag.exe |
"UDP Query User{493967A6-E60C-4EC5-9A9C-4D912371C347}C:\users\aaron\desktop\zdoom\idese.exe" = protocol=17 | dir=in | app=c:\users\aaron\desktop\zdoom\idese.exe |
"UDP Query User{4D5E47C2-F209-4894-BF66-F992BC4158A7}C:\program files\zdaemon\zserv.exe" = protocol=17 | dir=in | app=c:\program files\zdaemon\zserv.exe |
"UDP Query User{4F471E55-E27A-4249-9D7B-9C7C1DAB4F21}C:\program files\zdaemon\zlauncher.exe" = protocol=17 | dir=in | app=c:\program files\zdaemon\zlauncher.exe |
"UDP Query User{560A5988-356C-4B5D-AF4D-BD0F8BB06AF4}C:\zdaemon\zdaemon.exe" = protocol=17 | dir=in | app=c:\zdaemon\zdaemon.exe |
"UDP Query User{80DDF58A-F0D8-4055-8A65-C0AF4A599E9F}C:\program files\zdaemon\zdaemon.exe" = protocol=17 | dir=in | app=c:\program files\zdaemon\zdaemon.exe |
"UDP Query User{90A74413-1DDA-4520-B933-70842EFD6A30}C:\zdaemon\zlauncher.exe" = protocol=17 | dir=in | app=c:\zdaemon\zlauncher.exe |
"UDP Query User{ACD6B8E6-D6DD-46CC-B232-09E5AA9C9ABA}C:\zdaemon\zdaemon.exe" = protocol=17 | dir=in | app=c:\zdaemon\zdaemon.exe |
"UDP Query User{BA8BFBEB-822A-4FFF-831D-17DAED9C371F}C:\program files\limewire\limewire.exe" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"UDP Query User{BEBF5586-6A64-4E75-BC18-64647BCE1442}C:\program files\skulltag\idese.exe" = protocol=17 | dir=in | app=c:\program files\skulltag\idese.exe |
"UDP Query User{C4C84C44-51A0-43B0-8894-6D0F55C45173}C:\program files\zdaemon\zdaemon.exe" = protocol=17 | dir=in | app=c:\program files\zdaemon\zdaemon.exe |
"UDP Query User{D3E2E55B-39AC-4C82-8160-5862893E9AD6}C:\program files\zdaemon\zlauncher.exe" = protocol=17 | dir=in | app=c:\program files\zdaemon\zlauncher.exe |
"UDP Query User{DAC3B79B-F7F5-41CE-BB6B-638A2863F662}C:\program files\zdaemon\zserv32.exe" = protocol=17 | dir=in | app=c:\program files\zdaemon\zserv32.exe |
"UDP Query User{DC7D523C-FAE7-486A-96F7-F96CFA5EC05C}C:\program files\zdaemon\zsl\zsllite.exe" = protocol=17 | dir=in | app=c:\program files\zdaemon\zsl\zsllite.exe |
"UDP Query User{EFC52844-E685-47B8-B8A0-0B185D9DE1FD}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{0E4BC542-9CFD-4E97-B586-9F1E5516E7B9}" = Microsoft IntelliPoint 6.1
"{14AA664E-9BFA-44C4-A083-83A2998679BA}" = Digidesign Pro Tools M-Powered Demo 7.4
"{15CC668C-F37C-CE24-9047-40EC8034E29D}" = ATI Catalyst Control Center Ex
"{25613C10-27D2-410B-942B-D922D5C3A7BE}" = Interlok driver setup x32
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 23
"{2F29D6D2-824E-4FEF-8AED-7013F39F642A}" = OpenOffice.org 2.3
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java(TM) SE Runtime Environment 6
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}" = User's Guides
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
"{7F0C4457-8E64-491B-8D7B-991504365D1E}" = QuickSet
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{89CEAE14-DD0F-448E-9554-15781EC9DB24}" = Product Documentation Launcher
"{904CCF62-818D-4675-BC76-D37EB399F917}" = Windows Mobile Device Center
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{AFE354A5-640F-4A23-94C8-0B441E8967CA}" = Digidesign Shared Plug-Ins 7.4
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CCFF1E13-77A2-4032-8B12-7566982A27DF}" = Internet Service Offers Launcher
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D5395E5F-4D45-4665-8F00-234FA33678AF}" = SlimDX Redistributable (March 2009)
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}" = Roxio MyDVD DE
"{D7769185-9A7C-48D4-8874-5388743A1DE2}" = Music, Photos & Videos Launcher
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware 2007
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E7044E25-3038-4A76-9064-344AC038043E}" = Windows Mobile Device Center Driver Update
"{E713653C-8312-4BC6-AFC9-ADE1F2F04AB9}" = ATI PCI Express (3GIO) Filter Driver
"{EF53DD60-C4E2-11DB-3D6C-167690F54AE1}" = Notation Composer 2.5 (Trial Version)
"{F63A3748-B93D-4360-9AD4-B064481A5C7B}" = Modem Diagnostic Tool
"{FC572E6B-1511-4C53-929A-469D49E1C576}" = MidiNotate Composer
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Belarc Advisor 2.0" = Belarc Advisor 7.2
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CCleaner" = CCleaner (remove only)
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"DeePsea" = DeePsea
"Doom Builder 2_is1" = Doom Builder 2.1
"Doom Builder_is1" = Doom Builder
"DOOM Collector's Edition" = DOOM Collector's Edition
"Doom II for Windows 95" = Doom II for Windows 95
"Doomsday Engine_is1" = Doomsday Engine 1.9.0-beta5
"Google Desktop" = Google Desktop
"Guitar Pro 5_is1" = Guitar Pro 5.0
"HyperCam 2" = HyperCam 2
"LilyPond" = LilyPond
"Live 6.0.1" = Live 6.0.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"MySpaceIM" = MySpaceIM
"RPG Maker 2000 ColumbineRPG" = RPG Maker 2000 - Super Columbine Massacre RPG!
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Ultimate Doom for Windows 95" = Ultimate Doom for Windows 95
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar
"YInstHelper" = Yahoo! Install Manager
"ZDaemon" = ZDaemon (remove only)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/4/2011 10:54:44 PM | Computer Name = Aaron-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 1/4/2011 10:55:24 PM | Computer Name = Aaron-PC | Source = EventSystem | ID = 4609
Description =

Error - 1/5/2011 10:56:53 AM | Computer Name = Aaron-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 1/5/2011 11:01:37 AM | Computer Name = Aaron-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 1/5/2011 11:02:28 AM | Computer Name = Aaron-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 1/5/2011 11:02:33 AM | Computer Name = Aaron-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 1/5/2011 11:05:40 AM | Computer Name = Aaron-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 1/5/2011 11:13:51 AM | Computer Name = Aaron-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 1/5/2011 11:15:08 AM | Computer Name = Aaron-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 1/5/2011 5:24:25 PM | Computer Name = Aaron-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

[ Media Center Events ]
Error - 4/15/2008 8:33:24 PM | Computer Name = Aaron-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 4/18/2008 5:04:15 PM | Computer Name = Aaron-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 5/31/2008 8:56:35 AM | Computer Name = Aaron-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 4/29/2009 7:51:09 PM | Computer Name = Aaron-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 10/11/2009 11:29:32 PM | Computer Name = Aaron-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 12/6/2009 4:44:42 PM | Computer Name = Aaron-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 3/1/2010 6:55:29 AM | Computer Name = Aaron-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

[ System Events ]
Error - 1/4/2011 4:39:17 PM | Computer Name = Aaron-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 1/4/2011 4:39:24 PM | Computer Name = Aaron-PC | Source = DCOM | ID = 10005
Description =

Error - 1/4/2011 9:54:21 PM | Computer Name = Aaron-PC | Source = DCOM | ID = 10005
Description =

Error - 1/4/2011 10:39:41 PM | Computer Name = Aaron-PC | Source = Service Control Manager | ID = 7030
Description =

Error - 1/4/2011 10:43:24 PM | Computer Name = Aaron-PC | Source = Service Control Manager | ID = 7030
Description =

Error - 1/4/2011 10:51:37 PM | Computer Name = Aaron-PC | Source = Service Control Manager | ID = 7030
Description =

Error - 1/5/2011 10:55:05 AM | Computer Name = Aaron-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 1/5/2011 10:55:05 AM | Computer Name = Aaron-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 1/5/2011 10:57:46 AM | Computer Name = Aaron-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 1/5/2011 10:58:54 AM | Computer Name = Aaron-PC | Source = Service Control Manager | ID = 7011
Description =


< End of report >
=================================================================================
MAPepin
Regular Member
 
Posts: 22
Joined: January 28th, 2008, 11:37 am
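
As an added example, not part of either post and not OTL's own code: a small Python triage checker for OTL-format lines like the ones in the logs above and in the fix script in the reply below. It flags the entries a helper acts on (an IE proxy pointed at the local machine, a BHO with no company name or a GUID-named DLL, a Run entry whose target is missing, Security Center monitoring disabled, and a changed exefile open command); the rule names and the benign SynTPEnh line are constructed here, the other sample lines are copied from this thread.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in OTL's line format. Every line except the O4 SynTPEnh
# entry (added as a benign contrast) is copied from this thread's logs.
SAMPLE_LOG = r"""
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
O2 - BHO: (cpmsky browser optimizer) - {6ff7cd9f-8183-16a2-4245-4d88dd54f36f} - C:\Windows\System32\{f053e74d-b418-5f0d-f69c-198f54f619e6}.dll ( )
O4 - HKU\S-1-5-21-1271755778-601456851-151212410-1000..\Run: [Ilayuhaku] C:\Users\Aaron\AppData\Local\isojacuq.DLL File not found
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics Incorporated)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
exefile [open] -- "%1" %*
"""


@dataclass
class Finding:
    rule: str   # constructed rule name
    line: str   # the OTL line that triggered it


# Line shapes used by OTL for the entry types checked below.
RE_PROXY = re.compile(r'^IE - (?P<key>.+?): "ProxyServer" = (?P<value>.+)$')
RE_BHO = re.compile(r'^O2 - BHO: \((?P<name>.*?)\) - \{[0-9a-fA-F-]+\} - (?P<path>.+?) \((?P<company>.*)\)$')
RE_RUN = re.compile(r'^O4 - (?P<key>.+?): \[(?P<name>.+?)\] (?P<rest>.+)$')
RE_REGKEY = re.compile(r'^\[(?P<key>HKEY_.+)\]$')
RE_REGVAL = re.compile(r'^"(?P<name>[^"]+)" = (?P<value>.*)$')
RE_EXEFILE = re.compile(r'^exefile \[open\] -- (?P<cmd>.+)$')

# A proxy on 127.0.0.1/localhost with a port is a browser hijack, not a real proxy.
LOCAL_PROXY = re.compile(r'(?:^|=)(?:127\.0\.0\.1|localhost):\d+', re.IGNORECASE)
# A DLL named only by a GUID, as in the O2 line above.
RE_GUID_DLL = re.compile(r'\\\{[0-9a-fA-F-]{36}\}\.dll$', re.IGNORECASE)
# Healthy value shown in the Extras log's "Shell Spawning" section.
EXPECTED_EXEFILE_OPEN = '"%1" %*'


def scan_otl(text: str) -> List[Finding]:
    """Walk OTL-format lines and return the entries a helper would act on."""
    findings: List[Finding] = []
    current_key = ""  # last [HKEY_...] header seen, for registry value context
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_REGKEY.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = RE_PROXY.match(line)
        if m and LOCAL_PROXY.search(m.group("value")):
            findings.append(Finding("ie-proxy-to-localhost", line))
            continue
        m = RE_BHO.match(line)
        if m:
            if not m.group("company").strip():
                findings.append(Finding("bho-no-company-name", line))
            if RE_GUID_DLL.search(m.group("path")):
                findings.append(Finding("bho-guid-named-dll", line))
            continue
        m = RE_RUN.match(line)
        if m and m.group("rest").endswith("File not found"):
            findings.append(Finding("run-entry-target-missing", line))
            continue
        m = RE_REGVAL.match(line)
        if (m and m.group("name") == "DisableMonitoring" and m.group("value") == "1"
                and "\\Security Center\\Monitoring\\" in current_key):
            findings.append(Finding("security-center-monitoring-disabled", line))
            continue
        m = RE_EXEFILE.match(line)
        if m and m.group("cmd") != EXPECTED_EXEFILE_OPEN:
            findings.append(Finding("exefile-open-changed", line))
    return findings


if __name__ == "__main__":
    for f in scan_otl(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```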

Re: HJT logs - System Tool infection

Unread postby deltalima » January 6th, 2011, 6:47 am

Hi MAPepin,

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    :otl
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    IE - HKU\S-1-5-21-1271755778-601456851-151212410-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    O2 - BHO: (cpmsky browser optimizer) - {6ff7cd9f-8183-16a2-4245-4d88dd54f36f} - C:\Windows\System32\{f053e74d-b418-5f0d-f69c-198f54f619e6}.dll ( )
    O3 - HKU\S-1-5-21-1271755778-601456851-151212410-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O4 - HKU\S-1-5-21-1271755778-601456851-151212410-1000..\Run: [Ilayuhaku] C:\Users\Aaron\AppData\Local\isojacuq.DLL File not found
    O4 - HKU\S-1-5-21-1271755778-601456851-151212410-1000..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.exe File not found
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring" = 0
    :commands
    [EMPTYTEMP]
    [REBOOT]
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

McAfee Cleanup

  • Click here to download the McAfee removal tool and save to a convenient location.
  • Close all McAfee windows and double-click MCPR.exe to run the tool.
    NOTE: To run the tool in Vista, right-click MCPR.exe and select Run as Administrator.
  • Reboot the computer when "CleanUp Successful" appears to complete removal.

McAfee trial was running and has expired. I will be installing AVG after this


I would recommend that you choose one of the alternatives below.

No anti-virus

Looking over your log, it seems you don't have any evidence of anti-virus software.

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors.


Note: You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

Now please run a full antivirus scan and post the log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
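The entries deltalima lists in the :otl section above are the usual marks of this infection: an IE proxy pointing at 127.0.0.1 in every user hive, a BHO with no publisher loaded from a GUID-named DLL in System32, a toolbar whose CLSID no longer resolves, and Run entries whose targets are gone. As an added example (not OTL's or the forum's own code), this Python triage flags those patterns in OTL scan lines; SAMPLE_OTL_LINES are the lines quoted in the script plus two constructed benign controls, and the function and field names are chosen here.

```python
import re
from dataclasses import dataclass

# Constructed sample: the OTL scan lines quoted in the fix script above, plus two
# constructed benign controls (a routable corporate proxy, a BHO with a publisher).
SID = "S-1-5-21-1271755778-601456851-151212410-1000"
HKU_USER = "HKU\\" + SID
IS = r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
SAMPLE_OTL_LINES = [
    r'IE - HKU\.DEFAULT' + IS + r': "ProxyEnable" = 1',
    r'IE - HKU\.DEFAULT' + IS + r': "ProxyServer" = http=127.0.0.1:5555',
    r'IE - HKU\S-1-5-18' + IS + r': "ProxyEnable" = 1',
    r'IE - HKU\S-1-5-18' + IS + r': "ProxyServer" = http=127.0.0.1:5555',
    "IE - " + HKU_USER + IS + r': "ProxyServer" = http=127.0.0.1:5555',
    "IE - " + HKU_USER + IS + r': "ProxyServer" = http=proxy.corp.example:8080',
    r"O2 - BHO: (cpmsky browser optimizer) - {6ff7cd9f-8183-16a2-4245-4d88dd54f36f} - C:\Windows\System32\{f053e74d-b418-5f0d-f69c-198f54f619e6}.dll ( )",
    r"O2 - BHO: (Example Helper) - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll (Example Corp.)",
    "O3 - " + HKU_USER + r"\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.",
    "O4 - " + HKU_USER + r"..\Run: [Ilayuhaku] C:\Users\Aaron\AppData\Local\isojacuq.DLL File not found",
    "O4 - " + HKU_USER + r"..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.exe File not found",
]

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
PROXY_RE = re.compile(r'^IE - (?P<hive>HKU\\[^\\]+)\\.*: "(?P<name>Proxy\w+)" = (?P<value>.*)$')
BHO_RE = re.compile(r"^O2 - BHO: \([^)]*\) - (?P<clsid>%s) - (?P<path>.+?) \((?P<vendor>[^)]*)\)$" % GUID)
TOOLBAR_RE = re.compile(r"^O3 - .*\\Toolbar\\WebBrowser: .* - (?P<clsid>%s) - No CLSID value found\.$" % GUID)
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKU\\.+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+?)(?P<missing> File not found)?$")


@dataclass
class Finding:
    kind: str    # which pattern fired
    where: str   # hive or CLSID the entry lives under
    detail: str  # the value, path or target that triggered it


def is_loopback_proxy(value: str) -> bool:
    """True if any entry of an IE ProxyServer value (e.g. 'http=127.0.0.1:5555') points at this host."""
    for entry in value.split(";"):
        entry = entry.strip().split("=", 1)[-1]              # drop the 'http=' scheme prefix
        host = entry.rsplit(":", 1)[0].strip("[]").lower()   # drop the port
        if host in ("localhost", "::1") or host.startswith("127."):
            return True
    return False


def triage_otl_lines(lines):
    """Flag the OTL scan entries that an infection like this one typically leaves behind."""
    findings = []
    for line in lines:
        line = line.rstrip()
        if m := PROXY_RE.match(line):
            if m["name"] == "ProxyEnable" and m["value"].strip() == "1":
                findings.append(Finding("proxy_enabled", m["hive"], m["value"]))
            elif m["name"] == "ProxyServer" and is_loopback_proxy(m["value"]):
                # With nothing legitimate listening on 127.0.0.1:5555, every web
                # request from that profile dies at the hijacked proxy setting.
                findings.append(Finding("loopback_proxy", m["hive"], m["value"]))
        elif m := BHO_RE.match(line):
            filename = m["path"].rsplit("\\", 1)[-1]
            # No publisher string and a GUID as file name: not how vendors ship BHOs.
            if not m["vendor"].strip() and re.fullmatch(GUID + r"\.dll", filename, re.I):
                findings.append(Finding("anonymous_guid_bho", m["clsid"], m["path"]))
        elif m := TOOLBAR_RE.match(line):
            findings.append(Finding("orphan_toolbar", m["clsid"], "No CLSID value found"))
        elif (m := RUN_RE.match(line)) and m["missing"]:
            # Autorun entries whose target is gone: leftovers of removed malware or software.
            findings.append(Finding("orphan_run", m["hive"], f'[{m["name"]}] {m["target"]}'))
    return findings
```

Running triage_otl_lines(SAMPLE_OTL_LINES) returns nine findings and leaves the two constructed control lines alone; the same function can be pointed at a full OTL.txt by passing open("OTL.txt").readlines().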

Re: HJT logs - System Tool infection

Unread postby MAPepin » January 6th, 2011, 7:14 pm

Here are the logs that you requested.

the last OTL log:

All processes killed
========== OTL ==========
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-21-1271755778-601456851-151212410-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6ff7cd9f-8183-16a2-4245-4d88dd54f36f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6ff7cd9f-8183-16a2-4245-4d88dd54f36f}\ deleted successfully.
C:\Windows\System32\{f053e74d-b418-5f0d-f69c-198f54f619e6}.dll moved successfully.
Registry value HKEY_USERS\S-1-5-21-1271755778-601456851-151212410-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-1271755778-601456851-151212410-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Ilayuhaku deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1271755778-601456851-151212410-1000\Software\Microsoft\Windows\CurrentVersion\Run\\swg deleted successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware\\"DisableMonitoring" | 0 /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Aaron
->Temp folder emptied: 553873 bytes
->Temporary Internet Files folder emptied: 607440 bytes
->Java cache emptied: 8886623 bytes
->FireFox cache emptied: 118356134 bytes
->Flash cache emptied: 3208 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3306 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 122.00 mb


OTL by OldTimer - Version 3.2.20.1 log created on 01062011_170537

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
===============================================================================

Avira scan log:



Avira AntiVir Personal
Report file date: Thursday, January 06, 2011 18:05

Scanning for 2331556 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (Service Pack 2) [6.0.6002]
Boot mode : Normally booted
Username : Aaron
Computer name : AARON-PC

Version information:
BUILD.DAT : 10.0.0.609 31824 Bytes 12/13/2010 09:43:00
AVSCAN.EXE : 10.0.3.5 435368 Bytes 12/13/2010 13:39:56
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 17:57:04
LUKE.DLL : 10.0.3.2 104296 Bytes 12/13/2010 13:40:06
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 23:03:53
VBASE002.VDF : 7.11.0.1 2048 Bytes 12/14/2010 23:03:54
VBASE003.VDF : 7.11.0.2 2048 Bytes 12/14/2010 23:03:54
VBASE004.VDF : 7.11.0.3 2048 Bytes 12/14/2010 23:03:54
VBASE005.VDF : 7.11.0.4 2048 Bytes 12/14/2010 23:03:54
VBASE006.VDF : 7.11.0.5 2048 Bytes 12/14/2010 23:03:54
VBASE007.VDF : 7.11.0.6 2048 Bytes 12/14/2010 23:03:54
VBASE008.VDF : 7.11.0.7 2048 Bytes 12/14/2010 23:03:54
VBASE009.VDF : 7.11.0.8 2048 Bytes 12/14/2010 23:03:55
VBASE010.VDF : 7.11.0.9 2048 Bytes 12/14/2010 23:03:55
VBASE011.VDF : 7.11.0.10 2048 Bytes 12/14/2010 23:03:55
VBASE012.VDF : 7.11.0.11 2048 Bytes 12/14/2010 23:03:55
VBASE013.VDF : 7.11.0.52 128000 Bytes 12/16/2010 23:03:56
VBASE014.VDF : 7.11.0.91 226816 Bytes 12/20/2010 23:03:57
VBASE015.VDF : 7.11.0.122 136192 Bytes 12/21/2010 23:03:58
VBASE016.VDF : 7.11.0.156 122880 Bytes 12/24/2010 23:03:59
VBASE017.VDF : 7.11.0.185 146944 Bytes 12/27/2010 23:04:00
VBASE018.VDF : 7.11.0.228 132608 Bytes 12/30/2010 23:04:00
VBASE019.VDF : 7.11.1.5 148480 Bytes 1/3/2011 23:04:02
VBASE020.VDF : 7.11.1.6 2048 Bytes 1/3/2011 23:04:02
VBASE021.VDF : 7.11.1.7 2048 Bytes 1/3/2011 23:04:02
VBASE022.VDF : 7.11.1.8 2048 Bytes 1/3/2011 23:04:02
VBASE023.VDF : 7.11.1.9 2048 Bytes 1/3/2011 23:04:02
VBASE024.VDF : 7.11.1.10 2048 Bytes 1/3/2011 23:04:03
VBASE025.VDF : 7.11.1.11 2048 Bytes 1/3/2011 23:04:03
VBASE026.VDF : 7.11.1.12 2048 Bytes 1/3/2011 23:04:03
VBASE027.VDF : 7.11.1.13 2048 Bytes 1/3/2011 23:04:03
VBASE028.VDF : 7.11.1.14 2048 Bytes 1/3/2011 23:04:03
VBASE029.VDF : 7.11.1.15 2048 Bytes 1/3/2011 23:04:03
VBASE030.VDF : 7.11.1.16 2048 Bytes 1/3/2011 23:04:03
VBASE031.VDF : 7.11.1.35 145920 Bytes 1/6/2011 23:04:04
Engineversion : 8.2.4.140
AEVDF.DLL : 8.1.2.1 106868 Bytes 12/13/2010 13:39:51
AESCRIPT.DLL : 8.1.3.52 1282426 Bytes 1/6/2011 23:04:19
AESCN.DLL : 8.1.7.2 127349 Bytes 12/13/2010 13:39:50
AESBX.DLL : 8.1.3.2 254324 Bytes 12/13/2010 13:39:50
AERDL.DLL : 8.1.9.2 635252 Bytes 12/13/2010 13:39:50
AEPACK.DLL : 8.2.4.7 512375 Bytes 1/6/2011 23:04:16
AEOFFICE.DLL : 8.1.1.10 201084 Bytes 12/13/2010 13:39:49
AEHEUR.DLL : 8.1.2.64 3154294 Bytes 1/6/2011 23:04:15
AEHELP.DLL : 8.1.16.0 246136 Bytes 12/13/2010 13:39:42
AEGEN.DLL : 8.1.5.1 397683 Bytes 1/6/2011 23:04:07
AEEMU.DLL : 8.1.3.0 393589 Bytes 12/13/2010 13:39:42
AECORE.DLL : 8.1.19.0 196984 Bytes 12/13/2010 13:39:41
AEBB.DLL : 8.1.1.0 53618 Bytes 12/13/2010 13:39:41
AVWINLL.DLL : 10.0.0.0 19304 Bytes 12/13/2010 13:39:56
AVPREF.DLL : 10.0.0.0 44904 Bytes 12/13/2010 13:39:54
AVREP.DLL : 10.0.0.8 62209 Bytes 6/17/2010 19:27:13
AVREG.DLL : 10.0.3.2 53096 Bytes 12/13/2010 13:39:54
AVSCPLR.DLL : 10.0.3.2 84328 Bytes 12/13/2010 13:39:56
AVARKT.DLL : 10.0.22.6 231784 Bytes 12/13/2010 13:39:52
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 12/13/2010 13:39:53
SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 19:27:22
AVSMTP.DLL : 10.0.0.17 63848 Bytes 12/13/2010 13:39:56
NETNT.DLL : 10.0.0.0 11624 Bytes 6/17/2010 19:27:21
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 18:10:20
RCTEXT.DLL : 10.0.58.0 97128 Bytes 12/13/2010 13:40:20

Configuration settings for the scan:
Jobname.............................: Short system scan after installation
Configuration file..................: c:\program files\avira\antivir desktop\setupprf.dat
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +PFS,

Start of the scan: Thursday, January 06, 2011 18:05

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avconfig.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'MSASCui.exe' - '1' Module(s) have been scanned
Scan process 'setup.exe' - '1' Module(s) have been scanned
Scan process 'TrustedInstaller.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'presetup.exe' - '1' Module(s) have been scanned
Scan process 'avira_antivir_personal_en.exe' - '1' Module(s) have been scanned
Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
Scan process 'SDWinSec.exe' - '1' Module(s) have been scanned
Scan process 'xaudio.exe' - '1' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sprtsvc.exe' - '1' Module(s) have been scanned
Scan process 'RoxWatch9.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MMERefresh.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'CLI.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'quickset.exe' - '1' Module(s) have been scanned
Scan process 'DLG.exe' - '1' Module(s) have been scanned
Scan process 'wmpnscfg.exe' - '1' Module(s) have been scanned
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'sttray.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'sprtcmd.exe' - '1' Module(s) have been scanned
Scan process 'ipoint.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'WLTRAY.EXE' - '1' Module(s) have been scanned
Scan process 'wmdc.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'Dwm.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'bcmwltry.exe' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SLsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsm.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'wininit.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '1789' files ).



End of the scan: Thursday, January 06, 2011 18:06
Used time: 00:53 Minute(s)

The scan has been done completely.

0 Scanned directories
2299 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
2299 Files not concerned
5 Archives were scanned
0 Warnings
0 Notes
MAPepin
Regular Member
 
Posts: 22
Joined: January 28th, 2008, 11:37 am

Re: HJT logs - System Tool infection

Unread postby deltalima » January 7th, 2011, 5:05 am

Hi MAPepin,

Now that you are clean, please follow these steps in order to keep your computer clean and secure.

Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 23.
  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "JDK 6 Update 23 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u23-windows-i586-p.exe to install the newest version

Remove GMER

Delete the GMER icon from your desktop.

Uninstall ComboFix

  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK

Clean up with OTL

  • Double-click OTL.exe to start the program. This will remove all the tools we used to clean your pc.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.


Update your AntiVirus Software and keep your other programs up-to-date
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety


Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: HJT logs - System Tool infection

Unread postby Cypher » January 8th, 2011, 1:12 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns