
I think im infected...


Re: I think im infected...

Post by Johannesgyr » May 22nd, 2012, 3:44 pm

The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
0 percent complete. (0 of 140288 file records processed)
1 percent complete. (14029 of 140288 file records processed)
2 percent complete. (28058 of 140288 file records processed)
3 percent complete. (42087 of 140288 file records processed)
4 percent complete. (56116 of 140288 file records processed)
5 percent complete. (70144 of 140288 file records processed)
6 percent complete. (84173 of 140288 file records processed)
7 percent complete. (98202 of 140288 file records processed)
8 percent complete. (112231 of 140288 file records processed)
9 percent complete. (126260 of 140288 file records processed)
140288 file records processed.

File verification completed.
410 large file records processed.

0 bad file records processed.

0 EA records processed.

0 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 3)...
11 percent complete. (2415 of 160568 index entries processed)
12 percent complete. (4966 of 160568 index entries processed)
13 percent complete. (7517 of 160568 index entries processed)
14 percent complete. (10068 of 160568 index entries processed)
15 percent complete. (12619 of 160568 index entries processed)
16 percent complete. (15170 of 160568 index entries processed)
17 percent complete. (17721 of 160568 index entries processed)
18 percent complete. (20272 of 160568 index entries processed)
19 percent complete. (22823 of 160568 index entries processed)
20 percent complete. (25374 of 160568 index entries processed)
21 percent complete. (27925 of 160568 index entries processed)
22 percent complete. (30477 of 160568 index entries processed)
23 percent complete. (33028 of 160568 index entries processed)
24 percent complete. (35579 of 160568 index entries processed)
25 percent complete. (38130 of 160568 index entries processed)
26 percent complete. (40681 of 160568 index entries processed)
27 percent complete. (43232 of 160568 index entries processed)
28 percent complete. (45783 of 160568 index entries processed)
29 percent complete. (48334 of 160568 index entries processed)
30 percent complete. (50885 of 160568 index entries processed)
31 percent complete. (53436 of 160568 index entries processed)
32 percent complete. (55987 of 160568 index entries processed)
33 percent complete. (58538 of 160568 index entries processed)
34 percent complete. (61089 of 160568 index entries processed)
35 percent complete. (63640 of 160568 index entries processed)
36 percent complete. (66191 of 160568 index entries processed)
37 percent complete. (68742 of 160568 index entries processed)
38 percent complete. (71293 of 160568 index entries processed)
39 percent complete. (73845 of 160568 index entries processed)
40 percent complete. (76396 of 160568 index entries processed)
41 percent complete. (78947 of 160568 index entries processed)
42 percent complete. (81498 of 160568 index entries processed)
43 percent complete. (84049 of 160568 index entries processed)
44 percent complete. (86600 of 160568 index entries processed)
45 percent complete. (89151 of 160568 index entries processed)
46 percent complete. (91702 of 160568 index entries processed)
47 percent complete. (94253 of 160568 index entries processed)
48 percent complete. (96804 of 160568 index entries processed)
49 percent complete. (99355 of 160568 index entries processed)
50 percent complete. (101906 of 160568 index entries processed)
51 percent complete. (104457 of 160568 index entries processed)
52 percent complete. (107008 of 160568 index entries processed)
53 percent complete. (109559 of 160568 index entries processed)
54 percent complete. (112110 of 160568 index entries processed)
55 percent complete. (114661 of 160568 index entries processed)
56 percent complete. (117213 of 160568 index entries processed)
57 percent complete. (119764 of 160568 index entries processed)
58 percent complete. (122315 of 160568 index entries processed)
59 percent complete. (124866 of 160568 index entries processed)
60 percent complete. (127417 of 160568 index entries processed)
61 percent complete. (129968 of 160568 index entries processed)
62 percent complete. (132519 of 160568 index entries processed)
63 percent complete. (135070 of 160568 index entries processed)
64 percent complete. (137621 of 160568 index entries processed)
65 percent complete. (140172 of 160568 index entries processed)
65 percent complete. (140739 of 160568 index entries processed)
66 percent complete. (142723 of 160568 index entries processed)
Index verification completed.
0 unindexed files scanned.

0 unindexed files recovered.

CHKDSK is verifying security descriptors (stage 3 of 3)...
73 percent complete. (37 of 140288 file SDs/SIDs processed)
74 percent complete. (7690 of 140288 file SDs/SIDs processed)
75 percent complete. (15343 of 140288 file SDs/SIDs processed)
76 percent complete. (22996 of 140288 file SDs/SIDs processed)
77 percent complete. (30649 of 140288 file SDs/SIDs processed)
78 percent complete. (38303 of 140288 file SDs/SIDs processed)
79 percent complete. (45956 of 140288 file SDs/SIDs processed)
80 percent complete. (53609 of 140288 file SDs/SIDs processed)
81 percent complete. (61262 of 140288 file SDs/SIDs processed)
82 percent complete. (68915 of 140288 file SDs/SIDs processed)
83 percent complete. (76568 of 140288 file SDs/SIDs processed)
84 percent complete. (84222 of 140288 file SDs/SIDs processed)
85 percent complete. (91875 of 140288 file SDs/SIDs processed)
86 percent complete. (99528 of 140288 file SDs/SIDs processed)
87 percent complete. (107181 of 140288 file SDs/SIDs processed)
88 percent complete. (114834 of 140288 file SDs/SIDs processed)
89 percent complete. (122488 of 140288 file SDs/SIDs processed)
90 percent complete. (130141 of 140288 file SDs/SIDs processed)
91 percent complete. (137794 of 140288 file SDs/SIDs processed)
140288 file SDs/SIDs processed.

Security descriptor verification completed.
10141 data files processed.

CHKDSK is verifying Usn Journal...
99 percent complete. (0 of 1209168 USN bytes processed)
100 percent complete. (1204224 of 1209168 USN bytes processed)
1209168 USN bytes processed.

Usn Journal verification completed.
Windows has checked the file system and found no problems.

976759807 KB total disk space.
171098080 KB in 114163 files.
55916 KB in 10142 indexes.
0 KB in bad sectors.
237403 KB in use by the system.
65536 KB occupied by the log file.
805368408 KB available on disk.

4096 bytes in each allocation unit.
244189951 total allocation units on disk.
201342102 allocation units available on disk.


Windows Firewall says that the recommended settings are not being used, but I can't change the settings to recommended. When I try to enter the advanced settings, it just says "A problem occurred when the snap-in module Windows Firewall with Advanced Security was being opened." Error code: 0x6D9
Johannesgyr
Regular Member
 
Posts: 18
Joined: May 19th, 2012, 3:44 am

Re: I think im infected...

Post by askey127 » May 23rd, 2012, 6:57 am

Johannesgyr,
That CHKDSK result looks OK.

There has only been moderate success at fixing that Firewall error code without some kind of system re-install.
This can be caused by buggy software, like Registry cleaners or gaming tools, or by infections.

Let's Do This First:
Go to Start, Control panel, Administrative Tools
Double click on Services
Scroll down to the Windows Firewall entry, right click it, and choose Properties
Under Service Status, click Start
Set Startup Type to Automatic.
Click OK
==================================================

If That Fails, exit the Services module and proceed as follows:
Click Start and type cmd in the start search box.
From the programs list that pops up, right click on cmd.exe and select “Run as Administrator.”
In the command box, type each of the following commands, one at a time, and press Enter after each command.
netsh advfirewall reset
net start mpsdrv
net start bfe
net start mpssvc
regsvr32 firewallapi.dll

Confirm any box that comes up by clicking OK. The result on the last entry should say that it succeeded.

Let me know of the results.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: I think im infected...

Post by Johannesgyr » May 23rd, 2012, 8:56 am

Services did not work. This is the error message: "Windows Firewall could not be started on Local Computer. You can find more information in the system log. If this service does not come from Microsoft, you should contact the creator of the service and enter the following service-specific error code: 5."


This is what happened in cmd.

netsh advfirewall reset
An error occurred while trying to contact the Windows Firewall service. Make sure that the service is not already running and then try again.

net start mpsdrv
The service is already running.
You can receive more help by typing NET HELPMSG 2182.

net start mpssvc
The service Windows Firewall is starting.
Could not start the service Windows Firewall
A service-specific error occurred: 5.
You can receive more help by typing NET HELPMSG 3547

regsvr32 firewallapi.dll
DllRegisterServer in firewallapi.dll succeeded

Re: I think im infected...

Post by askey127 » May 23rd, 2012, 11:38 am

Johannesgyr,
Let's see whether anything else is preventing the startup.
-----------------------------------------------
Run aswMBR
Download aswMBR.exe and save to your desktop.
Double click on aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan, click "save log". Save it to your desktop and post the contents in your next reply.
------------------------------------------------------------
Run MalwareBytes' Anti-Malware

As you already have Malwarebytes' Anti-Malware installed on your computer, could you please do a scan using this procedure:
  • Open Malwarebytes' Anti-Malware (Right click and "Run as administrator")
  • Select the Update tab. Choose Check for Updates.
  • Restart Malwarebytes Anti-Malware after the Update if you have to.
  • After the update has been completed, select the Settings tab, then the Scanner Settings tab
  • For Action for Potentially Unwanted Programs (PUP), choose Show in results list and check for removal
  • Select the Scanner tab.
  • Select Perform Full scan, then click on Scan
  • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
  • Make sure all items are checked. Then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.
    The same new log can also be found via the Logs tab when the application is re-started.
Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
This allows MBAM to remove additional items that could not be removed while Windows is running.

We will be expecting the log from aswMBR, and the Malwarebytes log.

Re: I think im infected...

Post by Johannesgyr » May 23rd, 2012, 1:59 pm

aswMBR:


aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-23 18:59:59
-----------------------------
18:59:59.031 OS Version: Windows x64 6.1.7601 Service Pack 1
18:59:59.031 Number of processors: 8 586 0x1A05
18:59:59.031 ComputerName: JOHANNES-DATOR UserName: Johannes
18:59:59.202 Initialize success
19:00:14.797 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:00:14.798 Disk 0 Vendor: ST310005 JC4B Size: 953869MB BusType: 3
19:00:14.800 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\00000076
19:00:14.801 Disk 1 Vendor: Corsair_ 2.1a Size: 109704MB BusType: 11
19:00:14.803 Disk 1 MBR read successfully
19:00:14.805 Disk 1 MBR scan
19:00:14.806 Disk 1 Windows 7 default MBR code
19:00:14.808 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 109702 MB offset 2048
19:00:14.811 Disk 1 scanning C:\Windows\system32\drivers
19:00:19.958 Service scanning
19:00:22.713 Modules scanning
19:00:22.717 Disk 1 trace - called modules:
19:00:22.721 ntoskrnl.exe CLASSPNP.SYS disk.sys storport.sys hal.dll mvs91xx.sys
19:00:22.724 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa800e38d060]
19:00:22.727 3 CLASSPNP.SYS[fffff88001c0143f] -> nt!IofCallDriver -> \Device\00000076[0xfffffa800ab91580]
19:00:22.730 Scan finished successfully
19:00:29.974 Disk 1 MBR has been saved successfully to "C:\Users\Johannes\Desktop\MBR.dat"
19:00:29.979 The log file has been saved successfully to "C:\Users\Johannes\Desktop\aswMBR.txt"

MBAM:


Malwarebytes Anti-Malware (PRO) 1.61.0.1400
http://www.malwarebytes.org

Database version: v2012.05.23.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Johannes :: JOHANNES-DATOR [administrator]

Protection: Disabled

2012-05-23 19:03:09
mbam-log-2012-05-23 (19-03-09).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 494903
Time elapsed: 55 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\Installer\{65319fec-cafa-141f-d703-598298f8356b}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

(end)

Re: I think im infected...

Post by askey127 » May 24th, 2012, 7:54 am

Johannesgyr,
Thanks for staying with me on this. It's not a simple one.
There does not appear to be any rootkit or Master Boot Record infection.

Malwarebytes found one bad entry. We will check to see that it is gone.
Since the bad entry was a Trojan downloader, we need to see whether it added any infected items or corrupted any system files
-------------------------------------------------
Run the ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.
You will, however, need to disable your current installed Anti-Virus. Additional information on how to do it is shown here.

Vista/Windows 7 users: You will need to right-click on either the Internet Explorer or Firefox icon in the Start Menu or Quick Launch Bar and select Run as Administrator.

  • Please go HERE to run the scan.
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

---------------------------------------------
There are hundreds of registry entries that control the firewall service.
Each may have many assigned values that can be corrupted.
It may not be practical to find the offending item, but maybe we can get lucky.
---------------------------------------------
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it. OK the User Account Control.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :Filefind
    00000008.@
    mpssvc.dll
    
    :Reg
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The results log can also be found on your Desktop, entitled SystemLook.txt


Re: I think im infected...

Post by Johannesgyr » May 24th, 2012, 11:20 am

SystemLook:

SystemLook 30.07.11 by jpshortstuff
Log created at 15:43 on 24/05/2012 by Johannes
Administrator - Elevation successful

========== Filefind ==========

Searching for "00000008.@"
No files found.

Searching for "mpssvc.dll"
C:\Windows\System32\MPSSVC.dll --a---- 828416 bytes [03:24 21/11/2010] [03:24 21/11/2010] 54FFC9C8898113ACE189D4AA7199D2C1
C:\Windows\winsxs\amd64_networking-mpssvc-svc_31bf3856ad364e35_6.1.7601.17514_none_f83a40e7de7c47da\MPSSVC.dll --a---- 828416 bytes [03:24 21/11/2010] [03:24 21/11/2010] 54FFC9C8898113ACE189D4AA7199D2C1

========== Reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc]
"DisplayName"="@%SystemRoot%\system32\FirewallAPI.dll,-23090"
"Group"="NetworkProvider"
"ImagePath"="%SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork"
"Description"="@%SystemRoot%\system32\FirewallAPI.dll,-23091"
"ObjectName"="NT Authority\LocalService"
"ErrorControl"= 0x0000000001 (1)
"Start"= 0x0000000002 (2)
"Type"= 0x0000000020 (32)
"DependOnService"="mpsdrv bfe"
"ServiceSidType"= 0x0000000003 (3)
"RequiredPrivileges"="SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeChangeNotifyPrivilege SeCreateGlobalPrivilege SeImpersonatePrivilege SeIncreaseQuotaPrivilege"
"FailureActions"=80 51 01 00 00 00 00 00 00 00 00 00 03 00 00 00 14 00 00 00 01 00 00 00 c0 d4 01 00 01 00 00 00 e0 93 04 00 00 00 00 00 00 00 00 00 (REG_BINARY)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc\Parameters]
"ServiceDll"="%SystemRoot%\system32\mpssvc.dll"
"ServiceDllUnloadOnStop"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc\Parameters\PortKeywords]
(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc\Security]
"Security"=01 00 14 80 b4 00 00 00 c0 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 84 00 05 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00 00 00 28 00 15 00 00 00 01 06 00 00 00 00 00 05 50 00 00 00 49 59 9d 77 91 56 e5 55 dc f4 e2 0e a7 8b eb ca 7b 42 13 56 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 (REG_BINARY)


-= EOF =-


ESET:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f719a3d1f5c2d0489f513bf9c9ac4c62
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-05-24 03:15:23
# local_time=2012-05-24 05:15:23 (+0100, Paris, Madrid, summer time)
# country="Sweden"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5121 16777213 100 75 150410 38356290 0 0
# compatibility_mode=5893 16776574 66 94 11153701 89494696 0 0
# compatibility_mode=8192 67108863 100 0 207 207 0 0
# scanned=230680
# found=2
# cleaned=0
# scan_time=7677
C:\Windows\Installer\{65319fec-cafa-141f-d703-598298f8356b}\U\80000064.@ Win64/Sirefef.AE trojan (unable to clean) 00000000000000000000000000000000 I
E:\Hämtade filer\Bulletstorm-FLT\flt-bull a variant of Win32/Packed.VMProtect.AAD trojan (unable to clean) 00000000000000000000000000000000 I
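The "Security" value SystemLook dumped under services\MpsSvc is the service's own security descriptor, the same object `sc sdshow mpssvc` prints as SDDL, and it is what the Service Control Manager consults before it will start the service for a given caller. The thread leaves the blob undecoded, so what follows is an added example (not from the original posts, and not part of SystemLook or any other tool named in this thread) that parses the self-relative SECURITY_DESCRIPTOR layout, renders it as SDDL and lists which SIDs hold SERVICE_START. Fed the bytes posted above it shows a stock descriptor: SYSTEM, Administrators and the firewall's own service SID (S-1-5-80-2006800713-1441093265-249754844-3404434343-1444102779) keep SERVICE_START and there is no deny ACE. That fits the symptom reported earlier: `net start mpssvc` ended with a service-specific error 5, which is a code MpsSvc itself returned after it had already been launched (Windows error 5 is ERROR_ACCESS_DENIED), so the refusal happened on something the firewall service opens during its own initialization, not at the SCM's check of this descriptor. The only table the script assumes is the short well-known-SID alias list; the structure offsets and access bits follow the documented formats.

```python
"""Decode a service security descriptor as stored in
HKLM\\SYSTEM\\CurrentControlSet\\services\\<svc>\\Security.
Added example for this thread; the sample bytes are the MpsSvc
"Security" value from the SystemLook log posted above."""
import struct

# Service access bits (winsvc.h) and standard rights, with the
# two-letter code SDDL uses for each.
ACCESS_BITS = [
    (0x00001, "CC"), (0x00002, "DC"), (0x00004, "LC"), (0x00008, "SW"),
    (0x00010, "RP"), (0x00020, "WP"), (0x00040, "DT"), (0x00080, "LO"),
    (0x00100, "CR"), (0x10000, "SD"), (0x20000, "RC"), (0x40000, "WD"),
    (0x80000, "WO"),
]
SERVICE_START = 0x10                        # the "RP" bit; needed for `net start`
ACE_TYPES = {0: "A", 1: "D", 2: "AU"}       # access-allowed, access-denied, system-audit
ACE_FLAGS = [(0x40, "SA"), (0x80, "FA")]    # audit on success / on failure
WELL_KNOWN = {"S-1-1-0": "WD", "S-1-5-4": "IU", "S-1-5-6": "SU",   # alias table (assumed
              "S-1-5-18": "SY", "S-1-5-32-544": "BA"}              # complete enough here)

# Copied from the SystemLook dump of services\MpsSvc\Security in this thread.
MPSSVC_SECURITY = bytes.fromhex("""
01 00 14 80 b4 00 00 00 c0 00 00 00 14 00 00 00 30 00 00 00
02 00 1c 00 01 00 00 00
02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00
02 00 84 00 05 00 00 00
00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00
00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00
00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 04 00 00 00
00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 06 00 00 00
00 00 28 00 15 00 00 00 01 06 00 00 00 00 00 05 50 00 00 00 49 59 9d 77 91 56 e5 55 dc f4 e2 0e a7 8b eb ca 7b 42 13 56
01 01 00 00 00 00 00 05 12 00 00 00
01 01 00 00 00 00 00 05 12 00 00 00
""")

def parse_sid(buf, off):
    """Decode the binary SID at buf[off] into S-R-I-S... text."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs))

def parse_acl(buf, off):
    """Return [(ace_type, ace_flags, access_mask, sid)] for the ACL at buf[off]."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, size, mask = struct.unpack_from("<BBHI", buf, pos)
        aces.append((ace_type, flags, mask, parse_sid(buf, pos + 8)))
        pos += size                       # AceSize covers header, mask and SID
    return aces

def parse_sd(buf):
    """Split a self-relative SECURITY_DESCRIPTOR into owner, group, SACL and DACL."""
    rev, _sbz1, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & 0x8000:                       # SE_SELF_RELATIVE
        raise ValueError("not a self-relative security descriptor")
    return {
        "owner": parse_sid(buf, o_owner) if o_owner else None,
        "group": parse_sid(buf, o_group) if o_group else None,
        "sacl": parse_acl(buf, o_sacl) if control & 0x0010 and o_sacl else None,  # SE_SACL_PRESENT
        "dacl": parse_acl(buf, o_dacl) if control & 0x0004 and o_dacl else None,  # SE_DACL_PRESENT
    }

def ace_to_sddl(ace):
    ace_type, flags, mask, sid = ace
    rights = "".join(code for bit, code in ACCESS_BITS if mask & bit)
    fl = "".join(code for bit, code in ACE_FLAGS if flags & bit)
    return "(%s;%s;%s;;;%s)" % (ACE_TYPES.get(ace_type, str(ace_type)), fl, rights, WELL_KNOWN.get(sid, sid))

def to_sddl(sd):
    """Render the descriptor in SDDL, the notation `sc sdshow` and `sc sdset` use."""
    out = ""
    if sd["owner"]:
        out += "O:" + WELL_KNOWN.get(sd["owner"], sd["owner"])
    if sd["group"]:
        out += "G:" + WELL_KNOWN.get(sd["group"], sd["group"])
    if sd["dacl"] is not None:
        out += "D:" + "".join(ace_to_sddl(a) for a in sd["dacl"])
    if sd["sacl"] is not None:
        out += "S:" + "".join(ace_to_sddl(a) for a in sd["sacl"])
    return out

def who_can_start(sd):
    """SIDs granted SERVICE_START by an allow ACE and not removed again by a deny ACE."""
    allowed, denied = set(), set()
    for ace_type, _flags, mask, sid in sd["dacl"] or []:
        if ace_type == 0 and mask & SERVICE_START:
            allowed.add(sid)
        elif ace_type == 1 and mask & SERVICE_START:
            denied.add(sid)
    return allowed - denied

if __name__ == "__main__":
    sd = parse_sd(MPSSVC_SECURITY)
    print(to_sddl(sd))
    print("SERVICE_START granted to:", sorted(who_can_start(sd)))
```

On a live machine the same check is `sc sdshow mpssvc` from an elevated prompt; if that output lacks the SY or BA allow ACE, or carries a deny ACE, `sc sdset mpssvc <sddl>` writes a replacement descriptor. When the descriptor is intact, as it is here, the next place to look is the Event Log entry the error message pointed at and the ACLs on the resources the service opens at start, rather than the service object itself.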

Re: I think im infected...

Post by askey127 » May 25th, 2012, 11:16 am

Johannesgyr
---------------------------------------------
Run SystemLook
  • Right Click SystemLook.exe and choose "Run as administrator". OK the User Account Control.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :dir
    C:\Windows\Installer\{65319fec-cafa-141f-d703-598298f8356b}\U  /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The new results log can also be found on your Desktop, entitled SystemLook.txt

-------------------------------------------------
Please download RogueKiller.exe and save it to your desktop.

Run RogueKiller
  • First, quit all running programs.
  • Start RogueKiller.exe. (Right click and choose "Run as administrator" in Vista/Win7)
  • Note: If the program is blocked, do not hesitate to try several times.
    If it really does not work (it could happen), rename it to winlogon.exe or RogueKiller.com.
  • Wait until prescan has finished.
  • Click on the Scan button in the upper right. Wait for it to finish.
  • When the scan is complete, a file icon named RKreport.txt should appear on your desktop.
  • Please double click that file RKreport.txt and post its contents in your next Reply.
    (You can also open the report by clicking the Report button on the right).
  • Please DO NOT click on any corrective measures at this time.
  • When you exit RogueKiller, you may get a popup reporting "None of the Elements have been deleted. Do you want to quit?" Click "Yes".


Re: I think im infected...

Post by Johannesgyr » May 25th, 2012, 12:22 pm

Systemlook:

SystemLook 30.07.11 by jpshortstuff
Log created at 18:20 on 25/05/2012 by Johannes
Administrator - Elevation successful

========== dir ==========

C:\Windows\Installer\{65319fec-cafa-141f-d703-598298f8356b}\U - Parameters: "/s"

---Files---
00000004.@ --a---- 2048 bytes [20:25 14/05/2012] [22:23 18/05/2012]
000000cb.@ --a---- 1584 bytes [20:25 14/05/2012] [20:25 14/05/2012]
80000064.@ --a---- 76800 bytes [20:25 14/05/2012] [20:25 14/05/2012]

No folders found.

-= EOF =-

RogueKiller:


RogueKiller V7.5.0 [05/24/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/fi ... guekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Johannes [Admin rights]
Mode: Scan -- Date: 05/25/2012 18:21:47

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 6 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Spotify Web Helper ("C:\Users\Johannes\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe") -> FOUND
[SUSP PATH] HKCU\[...]\Run : Google (C:\Users\Johannes\AppData\Roaming\googleoez.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-554517835-2887831909-526785192-1001[...]\Run : Spotify Web Helper ("C:\Users\Johannes\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe") -> FOUND
[SUSP PATH] HKUS\S-1-5-21-554517835-2887831909-526785192-1001[...]\Run : Google (C:\Users\Johannes\AppData\Roaming\googleoez.exe) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST31000524AS +++++
--- User ---
[MBR] 0c12f77838d657eb6601faa7c626d386
[BSP] 6c6e0c271043a1e23932433a5a537915 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Corsair CSSD-F115GB2-A SCSI Disk Device +++++
--- User ---
[MBR] aec59734a83d88013e9adc201a77fc3f
[BSP] af6027f5bc47192b757d73da4d82ea74 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 109702 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt

Re: I think im infected...

Post by askey127 » May 25th, 2012, 2:01 pm

Johannesgyr,
----------------------------------------------
Perform a Custom Fix with OTL
Run OTL (Right click and choose "Run as administrator" in Vista/Win7)
  • In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
    Code:
    :Files
    C:\Windows\Installer\{65319fec-cafa-141f-d703-598298f8356b}\U
    C:\Users\Johannes\AppData\Roaming\Spotify
    C:\Users\Johannes\AppData\Roaming\googleoez.exe
    ipconfig /flushdns /c
    
    :Commands
    [EMPTYTEMP]
    [CREATERESTOREPOINT]
    
  • Then click the Run Fix button at the top.
  • Let the program run unhindered and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
---------------------------------------------
Right Click SystemLook.exe and choose "Run as administrator" to run it. OK the User Account Control.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :Regfind
    Spotify
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The results log can also be found on your Desktop, entitled SystemLook.txt


Re: I think im infected...

Post by Johannesgyr » May 26th, 2012, 12:31 pm

OTL:


OTL logfile created on: 2012-05-26 18:25:09 - Run 3
OTL by OldTimer - Version 3.2.43.1 Folder = C:\Users\Johannes\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 0000041D | Country: Sverige | Language: SVE | Date Format: yyyy-MM-dd

11,99 Gb Total Physical Memory | 10,11 Gb Available Physical Memory | 84,29% Memory free
23,98 Gb Paging File | 21,88 Gb Available in Paging File | 91,23% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 107,13 Gb Total Space | 30,40 Gb Free Space | 28,38% Space Free | Partition Type: NTFS
Drive E: | 931,51 Gb Total Space | 778,03 Gb Free Space | 83,52% Space Free | Partition Type: NTFS

Computer Name: JOHANNES-DATOR | User Name: Johannes | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012-05-22 20:12:03 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Johannes\Desktop\OTL.exe
PRC - [2012-05-19 08:38:15 | 000,529,232 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe
PRC - [2012-05-05 15:44:42 | 000,932,528 | ---- | M] () -- C:\Users\Johannes\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
PRC - [2012-04-04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012-04-04 15:56:38 | 000,462,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012-03-10 15:26:10 | 001,242,448 | ---- | M] (Valve Corporation) -- E:\Program Files (x86)\Steam\Steam.exe
PRC - [2012-03-01 02:02:00 | 002,348,352 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
PRC - [2012-02-29 13:26:46 | 000,382,272 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2011-04-14 18:17:18 | 000,113,288 | ---- | M] (Renesas Electronics Corporation) -- C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
PRC - [2009-12-02 22:23:38 | 000,209,768 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
PRC - [2009-12-02 22:23:32 | 000,483,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe


========== Modules (No Company Name) ==========

MOD - [2012-05-23 03:56:50 | 000,441,880 | ---- | M] () -- C:\Users\Johannes\AppData\Local\Google\Chrome\Application\19.0.1084.52\ppGoogleNaClPluginChrome.dll
MOD - [2012-05-23 03:56:49 | 003,922,456 | ---- | M] () -- C:\Users\Johannes\AppData\Local\Google\Chrome\Application\19.0.1084.52\pdf.dll
MOD - [2012-05-23 03:55:35 | 000,553,496 | ---- | M] () -- C:\Users\Johannes\AppData\Local\Google\Chrome\Application\19.0.1084.52\libglesv2.dll
MOD - [2012-05-23 03:55:33 | 000,117,784 | ---- | M] () -- C:\Users\Johannes\AppData\Local\Google\Chrome\Application\19.0.1084.52\libegl.dll
MOD - [2012-05-23 03:55:24 | 000,134,696 | ---- | M] () -- C:\Users\Johannes\AppData\Local\Google\Chrome\Application\19.0.1084.52\avutil-51.dll
MOD - [2012-05-23 03:55:23 | 000,250,408 | ---- | M] () -- C:\Users\Johannes\AppData\Local\Google\Chrome\Application\19.0.1084.52\avformat-54.dll
MOD - [2012-05-23 03:55:21 | 002,375,720 | ---- | M] () -- C:\Users\Johannes\AppData\Local\Google\Chrome\Application\19.0.1084.52\avcodec-54.dll
MOD - [2012-05-19 08:38:12 | 020,313,384 | ---- | M] () -- E:\Program Files (x86)\Steam\bin\libcef.dll
MOD - [2012-05-19 08:38:10 | 000,895,312 | ---- | M] () -- E:\Program Files (x86)\Steam\bin\chromehtml.dll
MOD - [2012-05-19 08:38:07 | 000,123,192 | ---- | M] () -- E:\Program Files (x86)\Steam\bin\avutil-51.dll
MOD - [2012-05-19 08:38:05 | 000,190,776 | ---- | M] () -- E:\Program Files (x86)\Steam\bin\avformat-53.dll
MOD - [2012-05-19 08:38:03 | 001,099,576 | ---- | M] () -- E:\Program Files (x86)\Steam\bin\avcodec-53.dll
MOD - [2012-05-05 15:44:42 | 000,932,528 | ---- | M] () -- C:\Users\Johannes\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2012-03-20 13:11:30 | 000,162,192 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Windows\SysNative\mfevtps.exe -- (mfevtp)
SRV:64bit: - [2012-03-20 12:56:24 | 000,210,584 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV:64bit: - [2012-03-20 12:55:54 | 000,199,272 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV:64bit: - [2011-01-27 18:28:20 | 000,249,936 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV:64bit: - [2011-01-27 18:28:20 | 000,249,936 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV:64bit: - [2011-01-27 18:28:20 | 000,249,936 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV:64bit: - [2011-01-27 18:28:20 | 000,249,936 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV:64bit: - [2011-01-27 18:28:20 | 000,249,936 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV:64bit: - [2011-01-27 18:28:20 | 000,249,936 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV:64bit: - [2011-01-27 18:28:20 | 000,249,936 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2012-05-19 08:38:15 | 000,529,232 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012-05-14 22:26:22 | 000,257,696 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012-04-04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012-03-22 19:30:56 | 000,502,032 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2012-03-01 02:02:00 | 002,348,352 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
SRV - [2012-02-29 13:26:46 | 000,382,272 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2012-02-29 08:50:48 | 000,158,856 | R--- | M] (Skype Technologies) [Disabled | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012-01-03 15:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011-12-20 19:21:21 | 000,079,360 | ---- | M] (Creative Labs) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
SRV - [2011-12-20 19:21:12 | 000,079,360 | ---- | M] (Creative Labs) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe -- (Creative ALchemy AL6 Licensing Service)
SRV - [2011-03-28 21:11:06 | 002,292,096 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Program\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2010-09-22 18:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV - [2010-04-13 20:11:18 | 000,231,224 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2010-03-18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010-01-09 21:34:24 | 004,925,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE -- (osppsvc)
SRV - [2009-12-02 22:23:38 | 000,209,768 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2009-12-02 22:23:32 | 000,483,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2009-08-28 20:45:56 | 000,286,720 | ---- | M] (Creative Technology Ltd) [Disabled | Stopped] -- C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
SRV - [2009-06-10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012-05-12 08:27:55 | 000,283,200 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV:64bit: - [2012-04-04 15:56:40 | 000,024,904 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2012-03-01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012-02-22 13:29:46 | 000,647,208 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfehidk.sys -- (mfehidk)
DRV:64bit: - [2012-02-22 13:29:46 | 000,487,296 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfefirek.sys -- (mfefirek)
DRV:64bit: - [2012-02-22 13:29:46 | 000,289,664 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfewfpk.sys -- (mfewfpk)
DRV:64bit: - [2012-02-22 13:29:46 | 000,229,528 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeavfk.sys -- (mfeavfk)
DRV:64bit: - [2012-02-22 13:29:46 | 000,160,792 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeapfk.sys -- (mfeapfk)
DRV:64bit: - [2012-02-22 13:29:46 | 000,100,912 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mferkdet.sys -- (mferkdet)
DRV:64bit: - [2012-02-22 13:29:46 | 000,075,936 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mfenlfk.sys -- (mfenlfk)
DRV:64bit: - [2012-02-22 13:29:46 | 000,065,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\cfwids.sys -- (cfwids)
DRV:64bit: - [2012-02-15 12:01:50 | 000,052,736 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012-01-17 14:45:56 | 000,188,224 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2011-11-24 00:02:20 | 000,648,808 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011-09-08 16:40:24 | 000,508,520 | ---- | M] (Realtek ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Rtlh64.sys -- (RTL8169)
DRV:64bit: - [2011-06-10 17:00:38 | 000,208,896 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3xhc.sys -- (nusb3xhc)
DRV:64bit: - [2011-06-10 17:00:36 | 000,091,648 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3hub.sys -- (nusb3hub)
DRV:64bit: - [2011-05-20 09:53:44 | 000,557,848 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2011-05-19 16:55:36 | 000,120,920 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\jraid.sys -- (JRAID)
DRV:64bit: - [2011-04-11 14:29:20 | 000,071,800 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\McPvDrv.sys -- (McPvDrv)
DRV:64bit: - [2011-04-08 19:00:06 | 000,312,624 | ---- | M] (Marvell Semiconductor, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mvs91xx.sys -- (mvs91xx)
DRV:64bit: - [2011-03-14 11:29:46 | 000,024,880 | ---- | M] (Marvell Semiconductor Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mv91cons.sys -- (mv91cons)
DRV:64bit: - [2011-03-11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011-03-11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010-11-21 05:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010-11-21 05:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010-11-21 05:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010-10-01 12:35:06 | 000,302,120 | ---- | M] (Marvell Semiconductor, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mv91xx.sys -- (mv91xx)
DRV:64bit: - [2010-04-13 20:10:24 | 000,066,040 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\MOBK.sys -- (MOBKFilter)
DRV:64bit: - [2009-12-22 02:54:00 | 001,308,160 | ---- | M] (C-Media Electronics Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CM10864.sys -- (USBPNPA)
DRV:64bit: - [2009-12-02 22:23:38 | 000,022,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftvollh.sys -- (Sftvol)
DRV:64bit: - [2009-12-02 22:23:34 | 000,025,960 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftredirlh.sys -- (Sftredir)
DRV:64bit: - [2009-12-02 22:23:32 | 000,269,672 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftplaylh.sys -- (Sftplay)
DRV:64bit: - [2009-12-02 22:23:26 | 000,721,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftfslh.sys -- (Sftfs)
DRV:64bit: - [2009-07-31 12:40:32 | 000,025,600 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\WRfiltv.sys -- (WRfiltv)
DRV:64bit: - [2009-07-16 05:38:40 | 000,015,416 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)
DRV:64bit: - [2009-07-14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009-07-14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009-07-14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009-06-10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009-06-10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009-06-10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009-06-10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009-05-18 14:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009-03-18 17:35:42 | 000,033,856 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hamachi.sys -- (hamachi)
DRV:64bit: - [2008-01-17 17:51:44 | 000,018,816 | ---- | M] (Razer USA Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Lycosa.sys -- (Lycosa)
DRV - [2010-08-04 11:05:12 | 000,016,384 | ---- | M] (LG Soft India) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\LGI2CDriver.sys -- (LGDDCDevice)
DRV - [2010-08-04 11:05:00 | 000,019,968 | ---- | M] (LG Soft India) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\LGPII2CDriver.sys -- (LGII2CDevice)
DRV - [2009-07-14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\URLSearchHook: {687578b9-7132-4a7a-80e4-30ee31099e03} - No CLSID value found
IE - HKLM\..\SearchScopes,DefaultScope =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://se.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = sv-SE
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 80 62 E8 F3 4D 38 CD 01 [binary data]
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
IE - HKCU\..\URLSearchHook: {687578b9-7132-4a7a-80e4-30ee31099e03} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_2_202_235.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.0: C:\Windows\system32\npDeployJava1.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.4.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: E:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@esn.me/esnsonar,version=0.70.0: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.0\npesnsonar.dll File not found
FF - HKLM\Software\MozillaPlugins\@esn.me/esnsonar,version=0.70.4: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=1.102.0: C:\Program Files (x86)\Battlelog Web Plugins\1.102.0\npesnlaunch.dll File not found
FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=1.110.0: C:\Program Files (x86)\Battlelog Web Plugins\1.110.0\npesnlaunch.dll File not found
FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=1.118.0: C:\Program Files (x86)\Battlelog Web Plugins\1.118.0\npesnlaunch.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~2\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files (x86)\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll File not found
FF - HKLM\Software\MozillaPlugins\@ngm.nexoneu.com/NxGame: C:\ProgramData\NexonEU\NGM\npNxGameeu.dll File not found
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Johannes\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Johannes\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files (x86)\McAfee\SiteAdvisor [2012-05-25 12:07:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60}: C:\Program Files (x86)\Common Files\McAfee\SystemCore [2012-05-22 21:20:24 | 000,000,000 | ---D | M]

[2012-03-08 15:47:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Johannes\AppData\Roaming\mozilla\Extensions
[2012-05-22 20:12:59 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Johannes\AppData\Roaming\mozilla\Firefox\extensions
[2012-04-29 14:38:19 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Johannes\AppData\Roaming\mozilla\Firefox\Profiles\uo7hz1s3.default\extensions
[2012-04-29 14:38:19 | 001,184,804 | ---- | M] () (No name found) -- C:\USERS\JOHANNES\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UO7HZ1S3.DEFAULT\EXTENSIONS\TESTPILOT@LABS.MOZILLA.COM.XPI

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Johannes\AppData\Local\Google\Chrome\Application\19.0.1084.52\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Johannes\AppData\Local\Google\Chrome\Application\19.0.1084.52\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Johannes\AppData\Local\Google\Chrome\Application\19.0.1084.52\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\Johannes\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
CHR - plugin: McAfee SiteAdvisor (Enabled) = C:\Users\Johannes\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.41.123.2_0\McChPlg.dll
CHR - plugin: McAfee SiteAdvisor (Enabled) = C:\Program Files (x86)\McAfee\SiteAdvisor\npmcffplg32.dll
CHR - plugin: Skype Toolbars (Enabled) = C:\Users\Johannes\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.9.0.9216_0\npSkypeChromePlugin.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
CHR - plugin: ESN Launch Mozilla Plugin (Enabled) = C:\Program Files (x86)\Battlelog Web Plugins\1.118.0\npesnlaunch.dll
CHR - plugin: ESN Sonar API (Enabled) = C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
CHR - plugin: Java(TM) Platform SE 6 U31 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: NVIDIA 3D Vision (Enabled) = C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
CHR - plugin: NVIDIA 3D VISION (Enabled) = C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll
CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Unity Player (Enabled) = C:\Users\Johannes\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
CHR - plugin: Google Update (Enabled) = C:\Users\Johannes\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: iTunes Application Detector (Enabled) = E:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll
CHR - plugin: McAfee SecurityCenter (Enabled) = c:\progra~2\mcafee\msc\npmcsn~1.dll
CHR - Extension: YouTube = C:\Users\Johannes\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: S\u00F6k p\u00E5 Google = C:\Users\Johannes\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: SiteAdvisor = C:\Users\Johannes\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.41.123.2_0\
CHR - Extension: Click 2 Save = C:\Users\Johannes\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihmnjncblbopofbigibekembijeajahe\1.1_0\
CHR - Extension: ICE Quick Stream = C:\Users\Johannes\AppData\Local\Google\Chrome\User Data\Default\Extensions\mapljocpedaolbooelchgnkkaplpadgp\5.2_0\
CHR - Extension: Gmail = C:\Users\Johannes\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2009-06-10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program\Common Files\McAfee\SystemCore\ScriptSn.20120522212021.dll (McAfee, Inc.)
O2:64bit: - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
O2:64bit: - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll (McAfee, Inc.)
O2:64bit: - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120522212021.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL (Microsoft Corporation)
O3:64bit: - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4:64bit: - HKLM..\Run: [Cm108Sound] C:\Windows\Syswow64\cm108.dll (C-Media Corporation)
O4:64bit: - HKLM..\Run: [McPvTray_exe] C:\Program Files\McAfee\MAT\McPvTray.exe (McAfee, Inc.)
O4:64bit: - HKLM..\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NUSB3MON] C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (Renesas Electronics Corporation)
O4 - HKCU..\Run: [DAEMON Tools Lite] E:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [Google] C:\Users\Johannes\AppData\Roaming\googleoez.exe File not found
O4 - HKCU..\Run: [ISUSPM Startup] c:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup File not found
O4 - HKCU..\Run: [Spotify Web Helper] C:\Users\Johannes\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe ()
O4 - HKCU..\Run: [Steam] E:\Program Files (x86)\Steam\steam.exe (Valve Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:64bit: - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000 File not found
O8:64bit: - Extra context menu item: Ski&cka till OneNote - res://C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105 File not found
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Ski&cka till OneNote - res://C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105 File not found
O9:64bit: - Extra Button: Skicka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : Ski&cka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra Button: Länkade &anteckningar - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : Länkade &anteckningar - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Program\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000009 [] - C:\Program\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} http://ccfiles.creative.com/Web/softwar ... PIDPDE.cab (Creative Software AutoUpdate Support Package 2)
O16 - DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} http://ccfiles.creative.com/Web/softwar ... TSUEng.cab (Creative Software AutoUpdate 2)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwar ... /CTPID.cab (Creative Software AutoUpdate Support Package)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 195.67.199.18 195.67.199.19 195.67.199.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7A7F6BE2-E2B9-40DB-8C7D-02BC76260A30}: DhcpNameServer = 195.67.199.18 195.67.199.19 195.67.199.20
O18:64bit: - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll (McAfee, Inc.)
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll (McAfee, Inc.)
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O18:64bit: - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program\McAfee\MSC\McSnIePl64.dll (McAfee, Inc.)
O18:64bit: - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~2\mcafee\msc\mcsniepl.dll (McAfee, Inc.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{fc916e0d-8883-11e1-bba6-14dae93e092d}\Shell - "" = AutoRun
O33 - MountPoints2\{fc916e0d-8883-11e1-bba6-14dae93e092d}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012-05-25 18:21:18 | 000,000,000 | ---D | C] -- C:\Users\Johannes\Desktop\RK_Quarantine
[2012-05-23 19:01:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012-05-23 19:01:36 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012-05-23 19:01:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012-05-22 22:21:31 | 000,068,928 | ---- | C] (Khronos Group) -- C:\Windows\SysNative\OpenCL.dll
[2012-05-22 22:21:31 | 000,061,248 | ---- | C] (Khronos Group) -- C:\Windows\SysWow64\OpenCL.dll
[2012-05-22 21:20:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\McAfeeMOBK
[2012-05-22 21:20:47 | 000,066,040 | ---- | C] (Mozy, Inc.) -- C:\Windows\SysNative\drivers\MOBK.sys
[2012-05-22 21:20:47 | 000,000,000 | --SD | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee Online Backup
[2012-05-22 21:20:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\McAfee Online Backup
[2012-05-22 21:20:41 | 000,071,800 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\McPvDrv.sys
[2012-05-22 21:20:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2012-05-22 21:20:25 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\McAfee.com
[2012-05-22 21:20:21 | 000,010,248 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfeclnk.sys
[2012-05-22 21:20:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\McAfee
[2012-05-22 21:20:19 | 000,487,296 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfefirek.sys
[2012-05-22 21:20:19 | 000,289,664 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfewfpk.sys
[2012-05-22 21:20:19 | 000,229,528 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfeavfk.sys
[2012-05-22 21:20:19 | 000,100,912 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mferkdet.sys
[2012-05-22 21:20:19 | 000,075,936 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfenlfk.sys
[2012-05-22 21:20:19 | 000,065,264 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\cfwids.sys
[2012-05-22 21:20:17 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2012-05-22 21:20:17 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee
[2012-05-22 21:20:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2012-05-22 21:20:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\McAfee
[2012-05-22 21:11:56 | 000,162,192 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\mfevtps.exe
[2012-05-22 21:11:54 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
[2012-05-22 20:12:58 | 000,000,000 | ---D | C] -- C:\_OTL
[2012-05-22 20:12:01 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\Johannes\Desktop\OTL.exe
[2012-05-22 19:52:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
[2012-05-22 18:17:33 | 000,000,000 | ---D | C] -- C:\Users\Johannes\Documents\RemoveMalware
[2012-05-15 06:03:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Diablo III
[2012-05-15 06:03:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Diablo III
[2012-05-13 15:05:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
[2012-05-13 15:03:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Analysis Services
[2012-05-13 15:02:54 | 000,000,000 | RH-D | C] -- C:\MSOCache
[2012-05-12 17:23:55 | 000,000,000 | ---D | C] -- C:\Users\Johannes\Documents\Skolgrejer
[2012-05-12 14:27:44 | 000,000,000 | ---D | C] -- C:\Users\Johannes\AppData\Local\Insanely Twisted Shadow Planet
[2012-05-12 14:25:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Game Studios
[2012-05-12 08:28:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DAEMON Tools Lite
[2012-05-12 08:27:55 | 000,283,200 | ---- | C] (DT Soft Ltd) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys
[2012-05-12 08:18:47 | 000,000,000 | ---D | C] -- C:\Users\Johannes\AppData\Roaming\Google
[2012-05-07 21:16:05 | 000,000,000 | ---D | C] -- C:\Users\Johannes\AppData\Local\Funcom
[2012-05-07 21:16:04 | 000,000,000 | ---D | C] -- C:\ProgramData\media center programs
[2012-05-07 21:16:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Funcom
[2012-05-04 23:13:26 | 000,000,000 | ---D | C] -- C:\Users\Johannes\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Terraria
[2012-05-04 22:44:18 | 000,033,856 | -H-- | C] (LogMeIn, Inc.) -- C:\Windows\SysNative\hamachi.sys
[2012-05-01 01:01:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Wise Installation Wizard
[2012-05-01 00:59:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Deep Silver
[2012-04-29 15:02:25 | 000,000,000 | ---D | C] -- C:\Users\Johannes\AppData\Roaming\Opera
[2012-04-29 15:02:25 | 000,000,000 | ---D | C] -- C:\Users\Johannes\AppData\Local\Opera
[2012-04-29 14:11:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
[2012-04-28 14:55:26 | 000,000,000 | ---D | C] -- C:\Users\Johannes\AppData\Local\Risen2
[2010-11-19 06:27:00 | 000,587,776 | ---- | C] (Igor Pavlov) -- C:\Users\Johannes\AppData\Roaming\7za.exe

========== Files - Modified Within 30 Days ==========

[2012-05-26 18:28:03 | 000,001,828 | ---- | M] () -- C:\Users\Public\Desktop\McAfee Total Protection.lnk
[2012-05-26 18:22:58 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012-05-26 18:22:54 | 1066,749,950 | -HS- | M] () -- C:\hiberfil.sys
[2012-05-26 17:54:00 | 000,001,016 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-554517835-2887831909-526785192-1001UA.job
[2012-05-26 17:51:00 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012-05-26 12:00:55 | 000,021,888 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012-05-26 12:00:55 | 000,021,888 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012-05-26 12:00:41 | 001,575,584 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012-05-26 12:00:41 | 000,662,158 | ---- | M] () -- C:\Windows\SysNative\perfh01D.dat
[2012-05-26 12:00:41 | 000,652,602 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012-05-26 12:00:41 | 000,141,702 | ---- | M] () -- C:\Windows\SysNative\perfc01D.dat
[2012-05-26 12:00:41 | 000,121,276 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012-05-25 19:54:00 | 000,000,964 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-554517835-2887831909-526785192-1001Core.job
[2012-05-24 20:45:43 | 000,268,993 | ---- | M] () -- C:\Users\Johannes\Desktop\Brodangia.jpg
[2012-05-24 13:55:13 | 000,002,374 | ---- | M] () -- C:\Users\Johannes\Desktop\Google Chrome.lnk
[2012-05-23 19:01:41 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012-05-22 20:12:03 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Johannes\Desktop\OTL.exe
[2012-05-19 03:46:58 | 000,332,019 | ---- | M] () -- C:\Users\Johannes\Desktop\csgo.png
[2012-05-15 06:10:41 | 000,001,189 | ---- | M] () -- C:\Users\Public\Desktop\Diablo III.lnk
[2012-05-13 22:02:28 | 000,341,544 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012-05-12 08:27:55 | 000,283,200 | ---- | M] (DT Soft Ltd) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys
[2012-05-11 16:02:45 | 000,123,823 | ---- | M] () -- C:\Users\Johannes\Desktop\123asd.jpg
[2012-05-05 15:18:48 | 000,000,000 | -H-- | M] () -- C:\Users\Johannes\Documents\Default.rdp
[2012-05-04 23:23:52 | 001,553,434 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012-04-30 00:52:02 | 000,000,448 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Update Version3.job

========== Files Created - No Company Name ==========

[2012-05-24 20:45:43 | 000,268,993 | ---- | C] () -- C:\Users\Johannes\Desktop\Brodangia.jpg
[2012-05-23 19:01:41 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012-05-22 21:21:00 | 000,001,828 | ---- | C] () -- C:\Users\Public\Desktop\McAfee Total Protection.lnk
[2012-05-19 03:46:58 | 000,332,019 | ---- | C] () -- C:\Users\Johannes\Desktop\csgo.png
[2012-05-15 06:03:50 | 000,001,189 | ---- | C] () -- C:\Users\Public\Desktop\Diablo III.lnk
[2012-05-11 16:02:50 | 000,123,823 | ---- | C] () -- C:\Users\Johannes\Desktop\123asd.jpg
[2012-05-05 15:18:48 | 000,000,000 | -H-- | C] () -- C:\Users\Johannes\Documents\Default.rdp
[2012-04-26 14:02:57 | 000,000,027 | ---- | C] () -- C:\Program Files\plugins.dat
[2012-04-02 22:17:38 | 000,040,985 | ---- | C] () -- C:\Users\Johannes\AppData\Roaming\a.7z
[2012-03-13 22:06:09 | 000,021,840 | ---- | C] () -- C:\Windows\SysWow64\SIntfNT.dll
[2012-03-13 22:06:09 | 000,017,212 | ---- | C] () -- C:\Windows\SysWow64\SIntf32.dll
[2012-03-13 22:06:09 | 000,012,067 | ---- | C] () -- C:\Windows\SysWow64\SIntf16.dll
[2012-02-29 13:26:56 | 000,416,064 | ---- | C] () -- C:\Windows\SysWow64\nvStreaming.exe
[2012-01-23 22:44:51 | 000,001,769 | ---- | C] () -- C:\Windows\Language_trs.ini
[2012-01-22 18:57:53 | 000,000,206 | ---- | C] () -- C:\Windows\ulead32.ini
[2011-12-26 23:43:39 | 000,094,208 | ---- | C] () -- C:\Windows\SysWow64\LGErrorHandler.dll
[2011-12-26 23:43:38 | 000,020,992 | ---- | C] () -- C:\Windows\SysWow64\LGUmdl.dll
[2011-12-20 19:21:23 | 000,001,801 | ---- | C] () -- C:\Windows\WRcfg.ini
[2011-12-20 19:21:23 | 000,000,388 | ---- | C] () -- C:\Windows\WRMCcfg.ini
[2011-12-20 19:21:22 | 000,176,128 | ---- | C] () -- C:\Windows\SysWow64\APOMngr.DLL
[2011-12-20 19:21:22 | 000,073,728 | ---- | C] () -- C:\Windows\SysWow64\CmdRtr.DLL
[2011-12-15 00:26:10 | 000,143,360 | ---- | C] () -- C:\Windows\Vmix108.dll
[2011-12-15 00:26:10 | 000,000,518 | ---- | C] () -- C:\Windows\Cm108.ini.cfl
[2011-12-15 00:26:05 | 000,008,031 | ---- | C] () -- C:\Windows\Cm108.ini.imi
[2011-12-15 00:26:05 | 000,002,029 | ---- | C] () -- C:\Windows\Cm108.ini.cfg
[2011-12-15 00:26:04 | 000,001,320 | ---- | C] () -- C:\Windows\cm108.ini
[2011-11-02 04:10:24 | 000,088,280 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat
[2011-10-16 00:40:43 | 000,000,032 | ---- | C] () -- C:\Program Files\plugins-04041e-fe8.dat
[2011-09-28 17:44:14 | 000,179,271 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2011-09-01 15:06:17 | 001,553,434 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011-05-31 08:39:50 | 000,058,368 | ---- | C] () -- C:\Windows\SysWow64\bdmpegv.dll
[2011-05-31 08:38:18 | 000,015,360 | ---- | C] () -- C:\Windows\SysWow64\bdmjpeg.dll

========== LOP Check ==========

[2011-10-08 17:28:27 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\.minecraft
[2012-01-21 23:29:27 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\BigHugeEngine
[2012-01-22 18:55:56 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
[2012-03-13 21:59:05 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\DAEMON Tools Lite
[2012-02-05 20:38:57 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\DarknessIIDemo
[2012-01-16 15:40:10 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\DriverCure
[2012-02-01 16:29:15 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\fltk.org
[2011-12-09 21:59:16 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\Image-Line
[2011-10-07 17:08:59 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\LolClient
[2012-05-19 10:15:09 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\Opera
[2011-10-25 19:04:25 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\Origin
[2012-01-23 22:22:44 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\PCCleaner
[2012-02-05 23:49:38 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\RIFT
[2012-03-01 03:50:44 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\RotMG.Production
[2012-05-24 17:26:05 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\SoftGrid Client
[2012-05-25 20:17:58 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\Spotify
[2012-01-23 22:25:18 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\spotmau
[2011-12-09 22:08:36 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\SynthMaker
[2011-10-22 18:33:53 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\TP
[2012-03-30 18:47:02 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\Trine2
[2012-02-16 00:19:58 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\TuneUp Software
[2012-03-10 15:29:42 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\Unity
[2012-01-01 14:14:25 | 000,000,000 | ---D | M] -- C:\Users\Johannes\AppData\Roaming\VOIPlay
[2012-04-30 00:52:02 | 000,000,448 | ---- | M] () -- C:\Windows\Tasks\ParetoLogic Update Version3.job
[2012-03-08 14:55:14 | 000,032,514 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >


SystemLook:

SystemLook 30.07.11 by jpshortstuff
Log created at 18:29 on 26/05/2012 by Johannes
Administrator - Elevation successful

========== Regfind ==========

Searching for "Spotify"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}]
"AppPath"="C:\Users\Johannes\AppData\Roaming\Spotify"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}]
"AppName"="spotify.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}]
"AppPath"="C:\Users\Johannes\AppData\Roaming\Spotify"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}]
"AppName"="spotify.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\a9454990_0]
@="{0.0.0.00000000}.{c0cd62d8-6abc-456c-88e2-7dab78f74ba2}|\Device\HarddiskVolume1\Users\Johannes\AppData\Roaming\Spotify\spotify.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\b533b826_0]
@="{0.0.0.00000000}.{2f33a793-65d4-4068-a7ef-416fdc74252f}|\Device\HarddiskVolume1\Users\Johannes\AppData\Roaming\Spotify\spotify.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\ba162e5f_0]
@="{0.0.0.00000000}.{8155cc31-6b70-4257-9b23-df87752399e6}|\Device\HarddiskVolume1\Users\Johannes\AppData\Roaming\Spotify\spotify.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\d8b69744_0]
@="{0.0.0.00000000}.{1d12cbb5-16af-4ba7-91e6-2d9ae83d2870}|\Device\HarddiskVolume1\Users\Johannes\AppData\Roaming\Spotify\spotify.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\df02009_0]
@="{0.0.0.00000000}.{7c3c77c0-4396-493e-81ab-368ea6ff3af4}|\Device\HarddiskVolume1\Users\Johannes\AppData\Roaming\Spotify\spotify.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\f45ed52a_0]
@="{0.0.0.00000000}.{f4aa8083-71d3-4c61-a60b-7228fbcdd99c}|\Device\HarddiskVolume1\Users\Johannes\AppData\Roaming\Spotify\spotify.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\f76b1821_0]
@="{0.0.0.00000000}.{cd298114-82aa-4534-ae59-24f219141801}|\Device\HarddiskVolume1\Users\Johannes\AppData\Roaming\Spotify\spotify.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"=""C:\Users\Johannes\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spotify]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spotify]
"UninstallString"=""C:\Users\Johannes\AppData\Roaming\Spotify\Spotify.exe" /uninstall"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spotify]
"InstallLocation"="C:\Users\Johannes\AppData\Roaming\Spotify"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spotify]
"DisplayName"="Spotify"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spotify]
"DisplayIcon"="C:\Users\Johannes\AppData\Roaming\Spotify\Spotify.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spotify]
"URLInfoAbout"="http://www.spotify.com"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spotify]
"Publisher"="Spotify AB"
[HKEY_CURRENT_USER\Software\Spotify]
[HKEY_CURRENT_USER\Software\Spotify]
@="C:\Users\Johannes\AppData\Roaming\Spotify"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Users\Johannes\AppData\Roaming\Spotify\spotify.exe"="Spotify"
[HKEY_CURRENT_USER\Software\Classes\spotify]
[HKEY_CURRENT_USER\Software\Classes\spotify\DefaultIcon]
@=""C:\Users\Johannes\AppData\Roaming\Spotify\Spotify.exe",0"
[HKEY_CURRENT_USER\Software\Classes\spotify\shell\open\command]
@=""C:\Users\Johannes\AppData\Roaming\Spotify\Spotify.exe" /uri %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\spotify]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\spotify\DefaultIcon]
@=""C:\Users\Johannes\AppData\Roaming\Spotify\spotify.exe",0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\spotify\shell\open\command]
@=""C:\Users\Johannes\AppData\Roaming\Spotify\spotify.exe" /uri %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Spotify.m4a]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Spotify.m4a\shell\open\command]
@=""C:\Users\Johannes\AppData\Roaming\Spotify\spotify.exe" /file "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Spotify.m4p]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Spotify.m4p\shell\open\command]
@=""C:\Users\Johannes\AppData\Roaming\Spotify\spotify.exe" /file "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Spotify.mp3]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Spotify.mp3\shell\open\command]
@=""C:\Users\Johannes\AppData\Roaming\Spotify\spotify.exe" /file "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Spotify.mp4]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Spotify.mp4\shell\open\command]
@=""C:\Users\Johannes\AppData\Roaming\Spotify\spotify.exe" /file "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Spotify_RASAPI32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Spotify_RASMANCS]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\Spotify]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\Spotify]
"EventMessageFile"="C:\Users\Johannes\AppData\Roaming\Spotify\spotify.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\eventlog\Application\Spotify]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\eventlog\Application\Spotify]
"EventMessageFile"="C:\Users\Johannes\AppData\Roaming\Spotify\spotify.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Spotify]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Spotify]
"EventMessageFile"="C:\Users\Johannes\AppData\Roaming\Spotify\spotify.exe"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}]
"AppPath"="C:\Users\Johannes\AppData\Roaming\Spotify"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}]
"AppName"="spotify.exe"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}]
"AppPath"="C:\Users\Johannes\AppData\Roaming\Spotify"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}]
"AppName"="spotify.exe"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\a9454990_0]
@="{0.0.0.00000000}.{c0cd62d8-6abc-456c-88e2-7dab78f74ba2}|\Device\HarddiskVolume1\Users\Johannes\AppData\Roaming\Spotify\spotify.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\b533b826_0]
@="{0.0.0.00000000}.{2f33a793-65d4-4068-a7ef-416fdc74252f}|\Device\HarddiskVolume1\Users\Johannes\AppData\Roaming\Spotify\spotify.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\ba162e5f_0]
@="{0.0.0.00000000}.{8155cc31-6b70-4257-9b23-df87752399e6}|\Device\HarddiskVolume1\Users\Johannes\AppData\Roaming\Spotify\spotify.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\d8b69744_0]
@="{0.0.0.00000000}.{1d12cbb5-16af-4ba7-91e6-2d9ae83d2870}|\Device\HarddiskVolume1\Users\Johannes\AppData\Roaming\Spotify\spotify.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\df02009_0]
@="{0.0.0.00000000}.{7c3c77c0-4396-493e-81ab-368ea6ff3af4}|\Device\HarddiskVolume1\Users\Johannes\AppData\Roaming\Spotify\spotify.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\f45ed52a_0]
@="{0.0.0.00000000}.{f4aa8083-71d3-4c61-a60b-7228fbcdd99c}|\Device\HarddiskVolume1\Users\Johannes\AppData\Roaming\Spotify\spotify.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\f76b1821_0]
@="{0.0.0.00000000}.{cd298114-82aa-4534-ae59-24f219141801}|\Device\HarddiskVolume1\Users\Johannes\AppData\Roaming\Spotify\spotify.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"=""C:\Users\Johannes\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe""
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spotify]
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spotify]
"UninstallString"=""C:\Users\Johannes\AppData\Roaming\Spotify\Spotify.exe" /uninstall"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spotify]
"InstallLocation"="C:\Users\Johannes\AppData\Roaming\Spotify"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spotify]
"DisplayName"="Spotify"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spotify]
"DisplayIcon"="C:\Users\Johannes\AppData\Roaming\Spotify\Spotify.exe"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spotify]
"URLInfoAbout"="http://www.spotify.com"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spotify]
"Publisher"="Spotify AB"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Spotify]
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Spotify]
@="C:\Users\Johannes\AppData\Roaming\Spotify"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Users\Johannes\AppData\Roaming\Spotify\spotify.exe"="Spotify"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Classes\spotify]
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Classes\spotify\DefaultIcon]
@=""C:\Users\Johannes\AppData\Roaming\Spotify\Spotify.exe",0"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Classes\spotify\shell\open\command]
@=""C:\Users\Johannes\AppData\Roaming\Spotify\Spotify.exe" /uri %1"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Users\Johannes\AppData\Roaming\Spotify\spotify.exe"="Spotify"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001_Classes\spotify]
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001_Classes\spotify\DefaultIcon]
@=""C:\Users\Johannes\AppData\Roaming\Spotify\Spotify.exe",0"
[HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001_Classes\spotify\shell\open\command]
@=""C:\Users\Johannes\AppData\Roaming\Spotify\Spotify.exe" /uri %1"

-= EOF =-
Johannesgyr
Regular Member
 
Posts: 18
Joined: May 19th, 2012, 3:44 am

Re: I think im infected...

Post by askey127 » May 26th, 2012, 4:33 pm

Johannesgyr,
Hopefully, we are pretty close to having this cleaned up.
----------------------------------------------
Perform a Custom Fix with OTL
Run OTL (Right click and choose "Run as administrator" in Vista/Win7)
  • In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
    Code:
    :OTL
    O4 - HKCU..\Run: [Spotify Web Helper] C:\Users\Johannes\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe ()
    O4 - HKCU..\Run: [Google] C:\Users\Johannes\AppData\Roaming\googleoez.exe File not found
    CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
    MOD - [2012-05-05 15:44:42 | 000,932,528 | ---- | M] () -- C:\Users\Johannes\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
    
    :Reg
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\a9454990_0]
    @=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\b533b826_0]
    @=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\ba162e5f_0]
    @=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\d8b69744_0]
    @=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\df02009_0]
    @=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\f45ed52a_0]
    @=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\f76b1821_0]
    @=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Spotify Web Helper"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spotify]
    [-HKEY_CURRENT_USER\Software\Spotify]
    [HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
    "C:\Users\Johannes\AppData\Roaming\Spotify\spotify.exe"=-
    [-HKEY_CURRENT_USER\Software\Classes\spotify]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\spotify]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Spotify.m4a]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Spotify.m4p]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Spotify.mp3]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Spotify.mp4]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Spotify_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Spotify_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\Spotify]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\eventlog\Application\Spotify]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Spotify]
    [-HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}]
    [-HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}]
    [HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\a9454990_0]
    @=-
    [HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\b533b826_0]
    @=-
    [HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\ba162e5f_0]
    @=-
    [HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\d8b69744_0]
    @=-
    [HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\df02009_0]
    @=-
    [HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\f45ed52a_0]
    @=-
    [HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\f76b1821_0]
    @=-
    [HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Windows\CurrentVersion\Run]
    "Spotify Web Helper"=-
    [-HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spotify]
    [-HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Spotify]
    [HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
    "C:\Users\Johannes\AppData\Roaming\Spotify\spotify.exe"=-
    [-HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001\Software\Classes\spotify]
    [HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
    "C:\Users\Johannes\AppData\Roaming\Spotify\spotify.exe"=-
    [-HKEY_USERS\S-1-5-21-554517835-2887831909-526785192-1001_Classes\spotify]
    
    :Files
    C:\Users\Johannes\AppData\Roaming\Spotify
    C:\Program Files (x86)\Pando Networks\Media Booster\
    ipconfig /flushdns /c
    
    :Commands
    [EMPTYTEMP]
    [CREATERESTOREPOINT]
    
  • Then click the Run Fix button at the top.
  • Let the program run unhindered and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
---------------------------------------------------------

Now that the machine should be quite clean, check to see whether the McAfee or Windows firewall will start.
If you see that there is no running McAfee or Windows Firewall, these are the possibilities that I see without a total Windows 7 re-install. I can't tell you which of these might work, but you can try each one until you have success:
  • You could uninstall McAfee, reboot the computer, and then re-install McAfee. This has worked in some cases where the McAfee files were corrupted by infection.

  • Uninstall McAfee, run McAfee's total removal tool HERE, and then install Microsoft Security Essentials, along with Online Armor Free.
    Online Armor Free is here: http://www.online-armor.com/products-on ... r-free.php
    If you allow it to initialize itself, it is fairly easy to get it set up. You will still have a few queries about which programs should be connecting to the internet.
    (McAfee's removal tool is a step that may be necessary if you want to change security vendors).

  • Uninstall McAfee, run a Windows 7 Repair Install, then re-install McAfee.

Let me know how it goes.
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: I think im infected...

Unread postby Johannesgyr » May 28th, 2012, 12:05 am

Hi,

When I try to run the OTL fix, the program just stops responding. I gave it 4 hours, and still nothing happened. What should I do?
Johannesgyr
Regular Member
Posts: 18
Joined: May 19th, 2012, 3:44 am

Re: I think im infected...

Unread postby askey127 » May 28th, 2012, 7:09 am

Johannesgyr,
Let's see if this is easier to run:
----------------------------------------------------------------
Perform a Custom Fix with OTL
Run OTL (Right click and choose "Run as administrator" in Vista/Win7)
  • In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
    Code:
    :OTL
    O4 - HKCU..\Run: [Spotify Web Helper] C:\Users\Johannes\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe ()
    O4 - HKCU..\Run: [Google] C:\Users\Johannes\AppData\Roaming\googleoez.exe File not found
    CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
    
    :Files
    C:\Users\Johannes\AppData\Roaming\Spotify
    C:\Program Files (x86)\Pando Networks\Media Booster\
    ipconfig /flushdns /c
    
    :Commands
    [EMPTYTEMP]
    [CREATERESTOREPOINT]
    
  • Then click the Run Fix button at the top.
  • Let the program run unhindered and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

That should get rid of the most important parts.

Then if that completes, you can choose your options about the Firewall from the previous post.
askey127
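The fix format used in both posts above, parsed as a dry run so the plan can be reviewed before clicking Run Fix: the `:Reg` section style of the earlier fix (`[-KEY]`, `"name"=-`, `@=-`) and the `:OTL`/`:Files`/`:Commands` sections of this one. This is an added example in Python, not OTL's own code or anything from the thread; the `:Reg` header is assumed (it sits above the visible part of the earlier fix), the O4 line layout is taken from the two lines shown, and the sample text is a constructed excerpt of those fixes.

```python
import re

# Constructed excerpt of the two OTL fixes posted above (the ":Reg" header is assumed; it sits
# above the visible part of the first fix). Added example, not OTL's own code.
FIX_TEXT = r""":Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"=-
[-HKEY_CURRENT_USER\Software\Spotify]
:OTL
O4 - HKCU..\Run: [Spotify Web Helper] C:\Users\Johannes\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe ()
O4 - HKCU..\Run: [Google] C:\Users\Johannes\AppData\Roaming\googleoez.exe File not found
CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
:Files
C:\Users\Johannes\AppData\Roaming\Spotify
ipconfig /flushdns /c
:Commands
[EMPTYTEMP]
"""

# O4 (Run value) line layout as shown in the post: "O4 - HIVE..\Run: [name] target (company)" or "... File not found"
O4_RE = re.compile(r"^O4 - (?P<hive>\w+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*?)"
                   r"(?: \((?P<company>[^)]*)\)| (?P<missing>File not found))?$")
def parse_otl_fix(text):
    """Dry-run an OTL fix: list what it would change without touching the machine."""
    plan = {k: [] for k in ("reg_deletes", "autoruns", "other_otl", "delete_paths", "commands", "directives")}
    section = cur_key = None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith(":"):                          # section header (:Reg, :OTL, :Files, :Commands)
            section = line[1:].lower()
        elif section == "reg":
            if line.startswith("[-"):                     # [-KEY] deletes the whole key
                plan["reg_deletes"].append((line[2:-1], None))
            elif line.startswith("["):                    # [KEY] selects the key for the lines below
                cur_key = line[1:-1]
            elif line.endswith("=-"):                     # "name"=- or @=- deletes one value under that key
                plan["reg_deletes"].append((cur_key, line[:-2].strip('"')))
        elif section == "otl":
            m = O4_RE.match(line)
            if m:                                          # a Run value the fix removes; "orphaned" = target already gone
                plan["autoruns"].append({"hive": m["hive"], "name": m["name"],
                                         "target": m["target"], "orphaned": bool(m["missing"])})
            else:
                plan["other_otl"].append(line)             # plugins, BHOs, etc.: kept verbatim for review
        elif section == "files":
            if line.lower().endswith(" /c"):               # OTL runs :Files lines ending in /c as commands
                plan["commands"].append(line[:-3].rstrip())
            else:
                plan["delete_paths"].append(line)          # file or folder tree to delete
        elif section == "commands":
            plan["directives"].append(line.strip("[]"))    # built-in directives such as EMPTYTEMP
    return plan
```

An orphaned Run value (target reported as "File not found") is worth noting in a review: the autorun entry survived while its executable did not, so something else already removed or never dropped the file.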

Re: I think im infected...

Unread postby Johannesgyr » May 30th, 2012, 7:36 am

So, I ran the fix, then I reinstalled Windows, and now everything works great! The firewall issue is no more, the scans show no threats, so everything works fine now! Thanks so much for all the help!
Johannesgyr