Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

HijackThis log =( - got a normal HJT log


Post by strelet007 » July 20th, 2010, 2:00 pm

Problem Description:


I can't install/uninstall programs without using safe mode. Programs cannot be downloaded; they get 2/3 KB in and then just stop. Windows Live OneCare expired recently and that's when it seems the problems started.

Windows utilities like msconfig, regedit, and Windows Update do not run. Attempting to run them results in nothing happening.

I did a quick scan with MBAM after starting in safe mode and it didn't detect anything. I haven't been able to get Microsoft Security Essentials running because it doesn't install in safe mode and I'm unable to install programs running Windows normally.

Update: I ran the Windows Live OneCare cleaner tool in safe mode. Upon restart and logging in on any of the user accounts, the screen is black. Restarting explorer.exe through the Task Manager fixes it, but it's rather annoying.

I've also discovered that files cannot be deleted. The recycling dialog pops up and tries to recycle a file, but the progress bar does not move.

Update2: I fixed the black screen problem. The other problems still persist. Also, it appears I can't change any settings in the control panel without running safe mode.

I've also found out that running with a diagnostic startup in msconfig disables the problems. But that's no permanent solution. Something is still wrong when running all normal services.

Update3: I got an earlier version of HijackThis to run with normal services loaded. I appended that log to the bottom of the post, after the uninstall list. However, I received a couple errors while scanning.

Error 1: "For some reason your system denied write access to the Hosts file, if any hijacked domains are in the file, HijackThis may not be able to fix this".

Error 2: "An unexpected error has occurred at procedure: modMain_CheckOther1Item()
Error #75 - Path/File access error

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 6.00.1906
MSIE version: 8.0.6001.18928
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan."


HijackThis log: EDIT: please note, I was only running in SAFE MODE when I ran this, as HJT won't run normally

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:48:45 AM, on 7/20/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Roaa\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Roaa\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Roaa\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Roaa\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Roaa\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{60525742-673A-44CF-B57B-F517BF589BB8}: NameServer = 69.145.248.50,69.145.232.4
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Windows Live OneCare Health Monitor (OcHealthMon) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 6543 bytes

Uninstall List


µTorrent
7-Zip 4.65
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 6.0
Adobe Reader 9.3.2
Age of Empires III
Age of Empires III - The Asian Dynasties
Age of Empires III - The WarChiefs
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 6
Auslogics Disk Defrag
Battlefield: Bad Company™ 2
Blitzkrieg Mod
Bonjour
CCleaner
Company of Heroes: Opposing Fronts
Counter-Strike: Source
Diablo II
Dolby Control Center Link
Download Manager 2.3.7
EA Download Manager
EA Download Manager UI
EA Download Manager UI
Empire: Total War
Google Gears
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
Grand Theft Auto IV
Heroes of Newerth
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections 12.1.12.0
Intel(R) PRO Network Connections 12.1.12.0
Intel® Management Engine Interface
iTunes
Java(TM) 6 Update 20
Java(TM) 6 Update 7
Last.fm 1.5.4.24567
Launchy 2.1.2
Majesty 2
Malwarebytes' Anti-Malware
Medieval II: Total War - Kingdoms
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.0.14)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
OGA Notifier 2.0.0048.0
OVT Scanner
Pando Media Booster
Picasa 3
Pirates, Vikings, and Knights II
PodUtil 2.5.2
Prime95
PunkBuster Services
QuickTime
RealPlayer
Red Orchestra
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Sid Meier's Civilization IV: Beyond the Sword
SigmaTel Audio
Spelling Dictionaries Support For Adobe Reader 9
SSIII Solo Ultratus 1.1
Stanford University
Starcraft
Steam
Tom Clancy's Splinter Cell Conviction
Ubisoft Game Launcher
Ultimate Extras sounds from Microsoft® Tinker™
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb983486)
Ventrilo Client
VirtualCloneDrive
VLC media player 1.0.5
Warcraft III
Warhammer 40,000: Dawn of War II
WC3Banlist
Windows Live installer
Windows Live Messenger
Windows Media Player Firefox Plugin
Windows Sound Schemes
WinPcap 4.0.2
WinRAR archiver
World of Warcraft

______________________


Logfile of HijackThis v1.99.1
Scan saved at 8:29:03 PM, on 7/22/2010
Platform: Unknown Windows (WinNT 6.00.1906 SP2)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WerCon.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Users\Roaa\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Roaa\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Roaa\AppData\Local\Google\Update\GoogleUpdate.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [Google Update] "C:\Users\Roaa\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{60525742-673A-44CF-B57B-F517BF589BB8}: NameServer = 69.145.248.50,69.145.232.4
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - igfxdev.dll (file missing)
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30011 (AppHostSvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30003 (W3SVC) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30001 (WAS) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
strelet007
Regular Member
 
Posts: 37
Joined: July 20th, 2010, 1:46 pm
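As an added example (not code from this thread or from HijackThis itself), the Python script below parses lines in the HijackThis log format posted above and applies the first-pass checks a helper makes on such a log: entries whose file is missing, Winsock LSPs, Winlogon Notify handlers, Run values that name a bare file, hosts-file overrides, and O17 name servers outside private ranges. The log it reads is constructed and modelled on the entry types in this thread; the tag names are my own, not HijackThis conventions.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed sample in HijackThis log format, modelled on the entry types seen
# in this thread (hosts, BHO, Run, Winsock LSP, NameServer, Winlogon, services).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\Windows\explorer.exe

O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{60525742-673A-44CF-B57B-F517BF589BB8}: NameServer = 69.145.248.50,192.168.1.1
O20 - Winlogon Notify: igfxcui - igfxdev.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Windows Live OneCare Health Monitor (OcHealthMon) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[ORF]\d+) - (?P<body>.*)$")  # "O23 - Service: ..."
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")     # "[Name] command"
NS_RE = re.compile(r"NameServer\s*=\s*(?P<servers>[\d.,\s]+)$")
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<addr>\S+)\s+(?P<host>\S+)")

Finding = namedtuple("Finding", "code tag line")  # section code, reason tag, log line

@dataclass
class Triage:
    nameservers: list = field(default_factory=list)
    findings: list = field(default_factory=list)

    def flag(self, code, tag, line):
        self.findings.append(Finding(code, tag, line))

def parse_entries(text):
    """Yield (code, body, line) for each R/O/F entry; the header and the
    'Running processes' paths do not match the pattern and are skipped."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body"), raw.strip()

def _safe_ip(s):
    try:
        return ip_address(s)
    except ValueError:
        return None

def _is_bare_command(cmd):
    """True when a Run value names a file with no directory component, so it is
    resolved through the search path at logon and is worth verifying."""
    exe = cmd.split('"')[1] if cmd.startswith('"') else (cmd.split() or [""])[0]
    return bool(exe) and not any(sep in exe for sep in ("\\", "/", "%"))

def triage_log(text):
    """Run the first-pass checks a helper applies to an HJT log."""
    t = Triage()
    for code, body, line in parse_entries(text):
        # Target file is gone: uninstall leftover or partially removed malware.
        if body.endswith("(file missing)") or body.endswith("(no file)"):
            t.flag(code, "orphaned-entry", line)
        if code == "O1":  # anything but a loopback -> localhost mapping is suspect
            m = HOSTS_RE.match(body)
            ip = _safe_ip(m.group("addr")) if m else None
            if m and not (m.group("host") == "localhost" and ip and ip.is_loopback):
                t.flag(code, "hosts-override", line)
        elif code == "O4":
            m = RUN_RE.search(body)
            if m and _is_bare_command(m.group("cmd")):
                t.flag(code, "bare-run-command", line)
        elif code == "O10":  # every Winsock LSP is reviewed, known vendor or not
            t.flag(code, "winsock-lsp", line)
        elif code == "O17":
            m = NS_RE.search(body)
            servers = m.group("servers").split(",") if m else []
            for s in filter(None, (x.strip() for x in servers)):
                t.nameservers.append(s)
                ip = _safe_ip(s)
                # A public resolver is reported for confirmation (ISP's or user's choice?), not condemned.
                if ip is None or ip.is_global:
                    t.flag(code, "public-nameserver", line)
        elif code == "O20":  # Winlogon Notify DLLs load inside winlogon.exe
            t.flag(code, "winlogon-notify", line)
    return t

if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    print("Name servers:", ", ".join(result.nameservers))
    for f in result.findings:
        print(f"[{f.code}] {f.tag}: {f.line}")
```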

Re: HijackThis log =( - got a normal HJT log

Post by Jack&Jill » July 26th, 2010, 2:40 am

Hello and welcome to Malware Removal.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

You will be notified of replies by email as soon as they are posted.

Please be patient with me during this time.

Meanwhile, please make a reply to this topic to acknowledge that you have read this and are still with me to tackle the problem until the end. If I do not get any response within 3 days, this topic will be closed.
Jack&Jill
MRU Emeritus
 
Posts: 2284
Joined: August 19th, 2008, 5:37 am
Location: South East Asia

Re: HijackThis log =( - got a normal HJT log

Post by strelet007 » July 26th, 2010, 11:33 am

Hello Jack&Jill!

I'm very happy to have someone with me to help me fix my computer.

Thank you
strelet007
Regular Member
 
Posts: 37
Joined: July 20th, 2010, 1:46 pm

Re: HijackThis log =( - got a normal HJT log

Post by Jack&Jill » July 26th, 2010, 11:54 pm

Hello strelet007 :),

Welcome to Malware Removal. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.
  • Please observe and follow these Forum Rules and ALL USERS OF THIS FORUM MUST READ THIS FIRST.
  • Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
  • Please read the instructions carefully and follow them closely, in the order they are presented to you.
  • If you have any doubts or problems during the fix, please stop and ask.
  • All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
  • Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
  • Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
  • Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
  • If you do not reply within 3 days, this topic will be closed.

If you are agreeable to the above, then everything should go smoothly :) . We may begin.

--------------------

Remove P2P software
  • IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    µTorrent

  • Please read our P2P Policy where we explain why it's not a good idea to have them.
  • Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
  • Go to Control Panel > Add/Remove Programs and uninstall the P2P program(s) listed above (in red).
  • Please remove them before we continue with fixing your computer.

--------------------

Stanford University

May I know what program this is?

--------------------

Please download OTL© by OldTimer from one of the links below and save it to your desktop.

Link 1
Link 2

Scan with OTL
  • Double click on OTL.exe to run it.
  • Make sure all the Use SafeList options are checked (ticked). There are six of them.
  • Check Scan All Users.
  • At the lower right corner, check LOP Check and Purity Check.
  • Click on Run Scan at the top left hand corner. This might take a while.
  • When done, two Notepad files will open. Please post the contents of these 2 Notepad files in your next reply. One log per reply please.
    Note: These files are saved as OTL.txt and Extras.txt on the desktop.

--------------------

Please close all programs and do not run any others before and during the GMER scan. Do not use the computer for anything else until after the scan is completed.

Please download GMER and save it to your desktop. Click here.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running GMER. They may cause the computer to freeze.
  • If you need help to disable your protection programs see here and here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, click on No.
  • In the right panel, you will see several boxes that have been checked (ticked).
    • Uncheck IAT/EAT
    • Uncheck All other Drives/Partitions except C:\ (leave C:\ checked)
    • Uncheck Show All (don't miss this one)
  • Then click the Scan button and wait for it to finish.
  • Once done, click on the Save... button and save it as "Gmer.txt" at a convenient location. Post the contents of that report.
  • Enable your security software again as soon as you have completed the GMER steps.
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

If you are having problems running this version of GMER, please try running GMER in Safe Mode. You can get into Safe Mode using the F8 key during the startup of your computer after a reboot.

--------------------

Please post back:
1. the answer to my question about the program
2. OTL logs (OTL.txt and Extras.txt)
3. GMER result
Jack&Jill
MRU Emeritus
 
Posts: 2284
Joined: August 19th, 2008, 5:37 am
Location: South East Asia

Re: HijackThis log =( - got a normal HJT log

Post by strelet007 » July 27th, 2010, 12:25 pm

Hi Jack&Jill,

I tried uninstalling µTorrent but it appears that I can't uninstall any programs without using safe mode. However, I did uninstall it.

That Stanford University program is just some directory of classmates from Stanford. It was installed by a disc sent by the university.

I tried running those scans with Windows running normally but they would lock up. I'm running them in safe mode and will post the logs shortly.

OTL.txt

OTL logfile created on: 7/27/2010 10:24:05 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\Roaa\Desktop
Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 85.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 152.80 Gb Free Space | 32.81% Space Free | Partition Type: NTFS
Drive D: | 581.94 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 465.76 Gb Total Space | 465.65 Gb Free Space | 99.98% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DEELING-PC
Current User Name: Roaa
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/27 10:01:02 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Roaa\Desktop\OTL.exe
PRC - [2010/06/28 20:27:23 | 000,945,720 | ---- | M] (Google Inc.) -- C:\Users\Roaa\AppData\Local\Google\Chrome\Application\chrome.exe
PRC - [2009/04/11 00:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/01/20 20:22:10 | 000,498,176 | ---- | M] (Microsoft Corporation) -- C:\Windows\HelpPane.exe


========== Modules (SafeList) ==========

MOD - [2010/07/27 10:01:02 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Roaa\Desktop\OTL.exe
MOD - [2009/04/11 00:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2008/01/20 20:22:45 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe -- (OcHealthMon)
SRV - [2010/05/30 22:16:14 | 000,395,048 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/04/21 11:46:17 | 000,373,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2010/04/21 11:46:17 | 000,373,760 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2010/04/03 16:59:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009/09/24 19:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/04/11 00:28:17 | 000,052,224 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2008/08/28 08:11:19 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/01/20 20:21:41 | 000,272,952 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/11/06 14:22:26 | 000,092,792 | ---- | M] (CACE Technologies) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2007/10/25 15:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/10/18 11:31:54 | 000,098,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2007/09/11 00:45:04 | 000,124,832 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0)
SRV - [2007/03/21 13:00:04 | 000,355,096 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\igdkmd32.sys -- (igfx)
DRV - [2010/04/03 16:55:31 | 011,573,800 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/03/25 21:30:22 | 000,042,368 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2009/12/17 16:25:12 | 000,026,024 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV - [2009/11/06 21:24:16 | 000,685,816 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/08/09 15:25:56 | 000,029,696 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VClone.sys -- (VClone)
DRV - [2009/01/15 10:15:26 | 000,015,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\dc3d.sys -- (dc3d) USBCCGP filter driver (dc3d)
DRV - [2008/01/20 20:21:35 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/20 20:21:35 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/20 20:21:35 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/20 20:21:34 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/20 20:21:34 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/20 20:21:34 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/20 20:21:33 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/20 20:21:33 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/20 20:21:33 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
DRV - [2008/01/20 20:21:33 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/20 20:21:32 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/20 20:21:32 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/20 20:21:32 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/20 20:21:31 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/20 20:21:31 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/20 20:21:31 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/20 20:21:31 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/20 20:21:30 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/20 20:21:29 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/20 20:21:29 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/20 20:21:29 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/20 20:21:28 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/20 20:21:09 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/20 20:21:09 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/20 20:21:09 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/11/06 14:22:06 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\npf.sys -- (NPF)
DRV - [2007/09/26 02:35:38 | 000,228,224 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2007/09/26 02:33:58 | 000,323,584 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/05/11 20:00:14 | 000,045,056 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HECI.sys -- (HECI) Intel(R)
DRV - [2007/04/10 11:08:46 | 000,596,480 | ---- | M] (Omnivision Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ov550i.sys -- (APL531)
DRV - [2007/03/21 12:58:56 | 000,304,920 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2006/11/02 03:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 03:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 03:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 03:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 03:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 03:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 03:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 03:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 03:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 03:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 03:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 02:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 02:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 02:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 02:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 02:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 02:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 01:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2005/02/23 15:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\afc.sys -- (Afc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1850265421-2837915182-2937492470-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1850265421-2837915182-2937492470-1001\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1850265421-2837915182-2937492470-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1850265421-2837915182-2937492470-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/03/27 11:42:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.14\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/07 03:15:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.14\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/01 11:03:57 | 000,000,000 | ---D | M]

[2008/09/28 00:21:01 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\mozilla\Extensions
[2010/06/05 16:46:47 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\mozilla\Firefox\Profiles\7hs93dud.default\extensions
[2009/12/24 11:06:27 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Roaa\AppData\Roaming\mozilla\Firefox\Profiles\7hs93dud.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/01 11:03:58 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/01 11:03:58 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/10/17 20:14:37 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll

O1 HOSTS File: ([2006/09/18 15:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-1850265421-2837915182-2937492470-1001\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [MSSE] C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Windows\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/fl ... rashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - File not found
O22 - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - C:\Windows\System32\DreamScene.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Roaa\Pictures\dontworrybeer.jpg
O24 - Desktop BackupWallPaper: C:\Users\Roaa\Pictures\dontworrybeer.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 15:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2000/05/11 04:13:12 | 000,000,046 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{4e9f7776-cb4d-11de-adf3-001cc017b7c1}\Shell - "" = AutoRun
O33 - MountPoints2\{4e9f7776-cb4d-11de-adf3-001cc017b7c1}\Shell\AutoRun\command - "" = G:\autorun.exe -- File not found
O33 - MountPoints2\{9c4e4861-6c62-11df-803d-001cc017b7c1}\Shell - "" = AutoRun
O33 - MountPoints2\{9c4e4861-6c62-11df-803d-001cc017b7c1}\Shell\AutoRun\command - "" = F:\autorun.exe -- File not found
O33 - MountPoints2\{ea26fd60-752c-11dd-9691-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{ea26fd60-752c-11dd-9691-806e6f6e6963}\Shell\AutoRun\command - "" = D:\SETUP.EXE -- [2000/05/20 20:36:50 | 000,032,768 | R--- | M] ()
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\SETUP.EXE -- [2000/05/20 20:36:50 | 000,032,768 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/27 10:01:01 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Roaa\Desktop\OTL.exe
[2010/07/22 14:49:45 | 000,000,000 | ---D | C] -- C:\Program Files\Hijackthis
[2010/07/22 14:47:03 | 011,508,680 | ---- | C] (Microsoft Corporation) -- C:\Users\Roaa\Desktop\windows-kb890830-v3.9.exe
[2010/07/20 21:15:50 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/07/20 20:53:42 | 000,359,656 | ---- | C] (Microsoft Corporation) -- C:\Users\Roaa\Desktop\msicuu2.exe
[2010/07/20 20:36:53 | 000,756,776 | ---- | C] (Microsoft Corporation) -- C:\Users\Roaa\Desktop\OneCareCleanUp.exe
[2010/07/20 11:48:25 | 000,000,000 | ---D | C] -- C:\Users\Roaa\AppData\Roaming\Malwarebytes
[2010/07/20 11:44:37 | 007,315,936 | ---- | C] (Microsoft Corporation) -- C:\Users\Roaa\Desktop\mssefullinstall-x86fre-en-us-vista-win7.exe
[2010/07/20 11:44:36 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Roaa\Desktop\mbam-setup-1.46.exe
[2010/07/20 11:43:37 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Roaa\Desktop\steam.exe
[2010/07/20 11:12:00 | 000,000,000 | ---D | C] -- C:\WINSSLog
[2010/07/20 11:08:36 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/07/20 11:08:35 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/07/20 11:08:35 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/20 11:08:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/27 10:25:08 | 000,293,376 | ---- | M] () -- C:\Users\Roaa\Desktop\cjwtgeht.exe
[2010/07/27 10:21:25 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/07/27 10:19:39 | 001,841,852 | -H-- | M] () -- C:\Users\Roaa\AppData\Local\IconCache.db
[2010/07/27 10:19:00 | 000,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{D2DBB98F-8E5D-4C83-AFFF-B99A7A39F946}.job
[2010/07/27 10:18:52 | 000,139,673 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/07/27 10:18:52 | 000,139,673 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/07/27 10:18:40 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/07/27 10:15:11 | 000,003,840 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/07/27 10:15:11 | 000,003,840 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/07/27 10:15:08 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/07/27 10:10:59 | 000,000,916 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1850265421-2837915182-2937492470-1000UA.job
[2010/07/27 10:07:23 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1850265421-2837915182-2937492470-1001Core.job
[2010/07/27 10:07:18 | 180,776,906 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/07/27 10:02:32 | 003,145,728 | -HS- | M] () -- C:\Users\Roaa\NTUSER.DAT
[2010/07/27 10:02:03 | 000,293,376 | ---- | M] () -- C:\Users\Roaa\Desktop\mgztrfs8.exe
[2010/07/27 10:01:02 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Roaa\Desktop\OTL.exe
[2010/07/27 09:58:04 | 000,804,982 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/07/27 09:58:04 | 000,677,028 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/07/27 09:58:04 | 000,129,262 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/07/27 09:48:25 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1850265421-2837915182-2937492470-1001UA.job
[2010/07/27 09:48:19 | 000,000,422 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{0F7C84C4-714A-4C97-A897-BEB0B2DF102C}.job
[2010/07/27 09:47:25 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/07/27 09:47:25 | 000,000,864 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1850265421-2837915182-2937492470-1000Core.job
[2010/07/22 20:29:03 | 000,007,491 | ---- | M] () -- C:\Users\Roaa\Desktop\hijackthis2
[2010/07/22 20:27:14 | 000,002,037 | ---- | M] () -- C:\Users\Roaa\Desktop\Google Chrome.lnk
[2010/07/22 20:27:14 | 000,001,999 | ---- | M] () -- C:\Users\Roaa\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/07/22 20:23:34 | 000,524,288 | -HS- | M] () -- C:\Users\Roaa\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms
[2010/07/22 20:23:34 | 000,065,536 | -HS- | M] () -- C:\Users\Roaa\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf
[2010/07/22 20:13:46 | 000,001,356 | ---- | M] () -- C:\Users\Roaa\AppData\Local\d3d9caps.dat
[2010/07/22 14:49:46 | 000,000,772 | ---- | M] () -- C:\Users\Roaa\Desktop\Hijackthis.lnk
[2010/07/22 14:47:17 | 011,508,680 | ---- | M] (Microsoft Corporation) -- C:\Users\Roaa\Desktop\windows-kb890830-v3.9.exe
[2010/07/21 11:50:44 | 000,089,550 | ---- | M] () -- C:\Users\Roaa\Documents\cc_20100721_115041.reg
[2010/07/20 21:15:50 | 000,000,942 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Security Essentials.lnk
[2010/07/20 20:53:45 | 000,359,656 | ---- | M] (Microsoft Corporation) -- C:\Users\Roaa\Desktop\msicuu2.exe
[2010/07/20 20:36:53 | 000,756,776 | ---- | M] (Microsoft Corporation) -- C:\Users\Roaa\Desktop\OneCareCleanUp.exe
[2010/07/20 11:43:42 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Roaa\Desktop\steam.exe
[2010/07/20 11:08:38 | 000,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/20 10:56:38 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Roaa\Desktop\mbam-setup-1.46.exe
[2010/07/20 10:54:48 | 007,315,936 | ---- | M] (Microsoft Corporation) -- C:\Users\Roaa\Desktop\mssefullinstall-x86fre-en-us-vista-win7.exe
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/27 10:25:06 | 000,293,376 | ---- | C] () -- C:\Users\Roaa\Desktop\cjwtgeht.exe
[2010/07/27 10:07:18 | 180,776,906 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/07/27 10:02:00 | 000,293,376 | ---- | C] () -- C:\Users\Roaa\Desktop\mgztrfs8.exe
[2010/07/22 20:29:03 | 000,007,491 | ---- | C] () -- C:\Users\Roaa\Desktop\hijackthis2
[2010/07/22 14:49:46 | 000,000,772 | ---- | C] () -- C:\Users\Roaa\Desktop\Hijackthis.lnk
[2010/07/21 11:50:43 | 000,089,550 | ---- | C] () -- C:\Users\Roaa\Documents\cc_20100721_115041.reg
[2010/07/20 21:15:50 | 000,000,942 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft Security Essentials.lnk
[2010/07/20 11:08:38 | 000,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/06 21:28:38 | 000,009,728 | ---- | C] () -- C:\Windows\System32\BASSMOD.dll
[2009/11/06 21:24:15 | 000,685,816 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2009/11/06 11:58:04 | 000,178,975 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2009/09/11 07:51:27 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/02/16 23:17:41 | 000,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2008/09/27 11:28:07 | 000,139,128 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2008/08/27 21:37:08 | 000,910,464 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2008/08/27 21:37:08 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1268.dll
[2008/01/20 20:23:41 | 000,081,158 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en
[2007/11/06 14:19:28 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll
[2006/11/02 06:34:20 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 01:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2001/10/05 09:50:58 | 000,008,575 | ---- | C] () -- C:\Windows\System32\D125UFW.INI

========== LOP Check ==========

[2010/02/13 17:12:34 | 000,000,000 | ---D | M] -- C:\Users\Deeling\AppData\Roaming\Launchy
[2010/04/04 17:11:48 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\.minecraft
[2010/02/14 04:29:51 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\Auslogics
[2009/04/10 19:02:36 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\CopyTrans
[2009/11/06 21:22:08 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\DAEMON Tools
[2009/11/06 21:30:11 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\DAEMON Tools Pro
[2008/10/05 16:00:18 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\fizzy
[2010/02/12 22:27:49 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\Launchy
[2009/05/14 14:51:51 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\SaintXi
[2009/05/14 13:37:16 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\The Creative Assembly
[2009/10/17 21:26:21 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\Turbine
[2010/07/27 09:54:26 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\uTorrent
[2010/07/22 14:09:43 | 000,032,628 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/07/27 09:48:19 | 000,000,422 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{0F7C84C4-714A-4C97-A897-BEB0B2DF102C}.job
[2010/07/27 10:19:00 | 000,000,416 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{D2DBB98F-8E5D-4C83-AFFF-B99A7A39F946}.job

========== Purity Check ==========


< End of report >
strelet007
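An added example, not code from the original post and not OldTimer's OTL code: a small Python script that parses the line shapes seen in the OTL.txt above (SRV/DRV entries, O4 Run keys, O33 MountPoints2 autorun commands, O35/O37 shell-spawning defaults and the dated file entries) and applies the checks a log reader does by hand: orphaned services and drivers, executables whose version info carries no company name, stale autorun commands and, the one that matters most for "msconfig and regedit do nothing" symptoms, whether the exefile/comfile open command still equals the Windows default "%1" %*. The sample log is constructed: most lines are copied from the log above, the hijacked comfile line is invented to show what a file-association hijack looks like and does not occur in this log.

```python
"""Triage helper for OTL-style log lines (added example, not OTL's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# "[yyyy/mm/dd hh:mm:ss | size | attrs | M] (Company)" prefix OTL puts on most entries
FILEINFO = re.compile(
    r"\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \| [\d,]+ \| [-A-Z]{4} \| [MC]\] \((?P<company>[^)]*)\)"
)
SVC = re.compile(r"^(?P<kind>SRV|DRV) - (?P<body>.*?) -- (?P<path>.*?) -- \((?P<name>[^)]+)\)")
RUN = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.*?) \((?P<company>[^)]*)\)$")
MOUNT = re.compile(r'^O33 - MountPoints2\\(?P<key>[^\\]+)\\Shell\\AutoRun\\command - "" = (?P<cmd>.*?)(?: -- (?P<status>.*))?$')
SHELL = re.compile(r"^O3[57] - HKLM\\\.\.\.?(?P<cls>\w+) \[(?P<verb>[^\]]+)\] -- (?P<cmd>.*)$")
FILE = re.compile(r"^" + FILEINFO.pattern + r" -- (?P<path>.*)$")

# Windows' default open command for exefile/comfile; anything else is an association hijack.
EXPECTED_OPEN = '"%1" %*'
EXEC_EXT = (".exe", ".sys", ".dll", ".scr")


@dataclass
class Finding:
    severity: str   # "info" = residue worth cleaning, "review" = a human must look at the file
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a noteworthy line, or None if the line passes every check."""
    line = line.rstrip()
    m = SVC.match(line)
    if m:
        if m["body"].startswith("File not found"):
            return Finding("info", f"{m['kind']} {m['name']}: registered but file missing (orphan)", line)
        fi = FILEINFO.search(m["body"])
        if fi and not fi["company"]:
            return Finding("review", f"{m['kind']} {m['name']}: no company name in version info, verify {m['path']}", line)
        return None
    m = RUN.match(line)
    if m:
        if not m["company"]:
            return Finding("review", f"Run key {m['name']}: no company name in version info for {m['path']}", line)
        return None
    m = MOUNT.match(line)
    if m:
        if m["status"] == "File not found":
            return Finding("info", f"MountPoints2 {m['key']}: stale autorun command {m['cmd']} (target missing)", line)
        return Finding("info", f"MountPoints2 {m['key']}: autorun command present: {m['cmd']}", line)
    m = SHELL.match(line)
    if m:
        if m["cmd"] != EXPECTED_OPEN:
            return Finding("review", f"{m['cls']} [{m['verb']}] is {m['cmd']!r}, expected {EXPECTED_OPEN!r} (association hijack)", line)
        return None
    m = FILE.match(line)
    if m and not m["company"] and m["path"].lower().endswith(EXEC_EXT):
        return Finding("review", f"executable with no company name: {m['path']}", line)
    return None


def triage(log: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the hits, in log order."""
    return [f for f in (triage_line(l) for l in log.splitlines()) if f]


# Constructed sample: lines copied in shape from the log above, plus one invented
# hijacked comfile entry (hijack-example.exe is a made-up path, not from the log).
SAMPLE_LOG = r'''
SRV - File not found [Disabled | Stopped] -- C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe -- (OcHealthMon)
SRV - [2010/05/30 22:16:14 | 000,395,048 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
DRV - [2009/11/06 21:24:16 | 000,685,816 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
O4 - HKLM..\Run: [MSSE] C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O33 - MountPoints2\{4e9f7776-cb4d-11de-adf3-001cc017b7c1}\Shell\AutoRun\command - "" = G:\autorun.exe -- File not found
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O35 - HKLM\..comfile [open] -- "C:\Windows\Temp\hijack-example.exe" "%1" %*
[2010/07/27 10:25:06 | 000,293,376 | ---- | C] () -- C:\Users\Roaa\Desktop\cjwtgeht.exe
'''

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}")
```

A "review" finding is a prompt to look at the file (hash it, check its signer), not a verdict: sptd.sys, for example, routinely shows an empty company name and the LOP Check in the same log shows DAEMON Tools installed, which is what ships that driver. The O35/O37 check is the one to trust blindly: the default open command for exefile and comfile is exactly "%1" %*, and the log above shows both are still intact.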

Re: HijackThis log =( - got a normal HJT log

Post by strelet007 » July 27th, 2010, 12:30 pm

Extras.txt

OTL Extras logfile created on: 7/27/2010 10:24:05 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\Roaa\Desktop
Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 85.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 152.80 Gb Free Space | 32.81% Space Free | Partition Type: NTFS
Drive D: | 581.94 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 465.76 Gb Total Space | 465.65 Gb Free Space | 99.98% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DEELING-PC
Current User Name: Roaa
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1850265421-2837915182-2937492470-1001\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- C:\Users\Roaa\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0882F273-1C76-414E-9891-1CF8A3B6BA3F}" = lport=58245 | protocol=6 | dir=in | name=pando media booster |
"{0B225BEB-7608-49E6-B8D7-E71BF16673B8}" = lport=137 | protocol=17 | dir=in | app=system |
"{0E789480-46FC-4DD6-9A23-D98B5906EA4B}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{31AA182F-2309-4877-8E52-8D2E5269EB26}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{4B138D7A-AF5A-4293-8A76-1E74874C60B4}" = rport=137 | protocol=17 | dir=out | app=system |
"{52D14CDE-A4F3-4984-BD1F-635DBB553D5C}" = lport=445 | protocol=6 | dir=in | app=system |
"{531712F8-D5E7-4B87-9BB7-2306563518D7}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{624C0DD3-C1AA-4597-85E3-718B7384AE4D}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{67A17652-E0C5-4C08-88D9-8EC59AB8C853}" = lport=63331 | protocol=6 | dir=in | name=windows live onecare |
"{89D358FA-05A6-4CDF-8DA2-F4C75EFD61FE}" = rport=445 | protocol=6 | dir=out | app=system |
"{959D1822-6044-4BA0-93E4-25F24F27FC3A}" = rport=138 | protocol=17 | dir=out | app=system |
"{9B595F07-91F9-41E4-9399-7B1150FB103E}" = rport=139 | protocol=6 | dir=out | app=system |
"{A39D60E8-77F3-44EE-B707-66AD736DBAA7}" = lport=6112 | protocol=6 | dir=in | name=wc3 |
"{CF37AE0B-1EED-4D94-A9B8-4F7899D6D3EF}" = lport=2869 | protocol=6 | dir=in | app=system |
"{D0D5CEBC-4153-484D-92CD-772127643086}" = lport=138 | protocol=17 | dir=in | app=system |
"{E2516AA8-2A2B-4CE8-990D-8C4BE27345BB}" = lport=6112 | protocol=17 | dir=in | name=wc3 |
"{EE33B1D3-DC31-4BF4-9F09-493676340E4C}" = lport=58245 | protocol=17 | dir=in | name=pando media booster |
"{FB41D500-DD7C-46DF-9FA5-ED745F64D3CA}" = lport=139 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01C7BE20-2ADA-482E-A8A4-36CFB01F59B2}" = protocol=17 | dir=in | app=c:\program files\windsolutions\copytrans suite\copytrans.exe |
"{030E6117-FA79-44CA-AD26-00C5BF14CA95}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\dawn of war 2\dow2.exe |
"{0587CBA5-83A2-4D84-9A5F-61582F94799D}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{13E1D66B-25F6-435C-B40F-39C1515BF99D}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\majesty 2\m2editor.exe |
"{157AE0F0-520A-4343-9B73-76748AA80BC1}" = protocol=17 | dir=in | app=c:\program files\ubisoft\ubisoft game launcher\ubisoftgamelauncher.exe |
"{163AFE6C-A8BF-484B-8626-EA5549C2FE24}" = dir=in | app=c:\program files\windows live\messenger\livecall.exe |
"{172DA0DF-5135-4E7B-9F3B-4A9F45FF5F8C}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\instago@hotmail.com\pirates, vikings, and knights ii\hl2.exe |
"{1AA107BF-E756-4911-8122-60A0F5F3FD7E}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{1BD39469-012E-453D-BD54-C03F112DA170}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\grand theft auto iv\rgsc\rgsclauncher.exe |
"{289954F0-2FC6-4A8B-9C64-266ED6D4882E}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{29E4AAE2-D907-4C3A-B1A2-45B43B97F777}" = protocol=17 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{2A021095-14BC-4BCA-BEE7-BA69DB58C349}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\medieval ii total war\launcher.exe |
"{2E409F52-EF1E-4B79-9949-2B6293AEBD2A}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\empire total war\empire.exe |
"{303BB84D-07C4-4054-AB65-E4908731D591}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{34A16EF6-B91C-4573-AA86-790F08C11759}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\majesty 2\majesty2.exe |
"{35F2FF4A-9ED0-407E-A4F0-50A56552A0E2}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\sid meier's civilization iv beyond the sword\beyond the sword\civ4beyondsword.exe |
"{37FEB452-5F53-429D-9BDA-6934F67F0D08}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{3CAA82ED-380B-400D-BB09-762FFE9B956B}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\grand theft auto iv\gtaiv\launchgtaiv.exe |
"{3DEC2BDE-9803-40B2-9685-44D0F9571781}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{41DEDF3F-2CE5-42C4-942D-8795B7C4AB35}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\grand theft auto iv\gtaiv\gtaiv.exe |
"{4239C9FF-06EE-4759-B77D-9E133C1FB101}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{43208F9C-445F-47A5-9346-D8FC76DDDE03}" = protocol=6 | dir=in | app=c:\program files\curse\curseclient.exe |
"{5108F01E-E5C3-42D8-8FF4-CCE183393189}" = protocol=17 | dir=in | app=c:\program files\microsoft games\age of empires iii\age3y.exe |
"{518B5FFF-02F3-4978-A303-5370AE6A2542}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\majesty 2\m2editor.exe |
"{52F92158-6EF5-48AC-90F3-DA54F2C254FA}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{547A511A-511F-4569-A066-693DA13602C0}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\red orchestra\system\redorchestra.exe |
"{54EFC82C-99CF-461F-B82C-3AB7560B9ACB}" = protocol=6 | dir=in | app=c:\program files\microsoft games\age of empires iii\age3y.exe |
"{55C03A8C-7F0A-4031-B125-7CF20592B3C5}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\company of heroes\reliccoh.exe |
"{5A7CC89F-645E-41E4-B5CD-F0700AC2A41E}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\majesty 2\majesty2.exe |
"{5BB9A526-8DF5-47D1-90FD-5245D5679EC2}" = protocol=6 | dir=in | app=c:\program files\ventrilo\ventrilo.exe |
"{5E0184BE-1C4E-4FEA-BC56-863AEFCDB8D5}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\instago@hotmail.com\counter-strike source\hl2.exe |
"{666A4CD4-04AD-46C1-AADB-CA174978D0D3}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{667E0F99-39D3-4650-9CD5-17BEF2270F44}" = protocol=6 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{70C410F2-53BD-4B07-962B-3843CD567FC3}" = protocol=6 | dir=in | app=c:\program files\electronic arts\battlefield bad company 2\bfbc2updater.exe |
"{7921B5C3-1278-4E44-8831-62F24003AE38}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\warhammer online age of reckoning\runme.exe |
"{7D2FA8CB-B5C2-4649-97B9-8198E965D312}" = protocol=6 | dir=in | app=c:\program files\ubisoft\ubisoft game launcher\ubisoftgamelauncher.exe |
"{80E30C8C-F7D7-4022-8316-7216979E600C}" = protocol=17 | dir=in | app=c:\program files\electronic arts\battlefield bad company 2\bfbc2updater.exe |
"{8D8EE2C4-C382-44CB-AA3D-0DAB679EE2FA}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\instago@hotmail.com\counter-strike source\hl2.exe |
"{8E2DFF16-6B98-49D3-9AA0-E48F105A0D9B}" = protocol=17 | dir=in | app=c:\program files\microsoft games\age of empires iii\age3x.exe |
"{97294357-393D-4530-8211-270DB55D798D}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\company of heroes\reliccoh.exe |
"{9B1BAA4B-B9D6-4AAD-A669-60934E6127B5}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\warhammer online age of reckoning\runme.exe |
"{9C9BB2B2-B68E-4879-BCE1-F8C2D28C54C3}" = protocol=6 | dir=in | app=c:\program files\ubisoft\tom clancy's splinter cell conviction\src\system\conviction_game.exe |
"{A0645E6A-7DAF-4153-BB86-5A3AC4577324}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{A2C354FC-D8A3-4C17-8519-45626C290C32}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\instago@hotmail.com\pirates, vikings, and knights ii\hl2.exe |
"{A35EED87-0F3D-4F37-B1FA-0B93764A3EBD}" = protocol=17 | dir=in | app=c:\program files\ubisoft\tom clancy's splinter cell conviction\src\system\conviction_game.exe |
"{A489FB78-F7B7-4A68-AFE6-0C548E88CF47}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{A492DEA8-598E-4C42-B6D0-D6396EAA6640}" = protocol=6 | dir=in | app=c:\program files\windsolutions\copytrans suite\copytrans.exe |
"{A86CA981-E029-4580-B0B1-92F7B142D18F}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\medieval ii total war\launcher.exe |
"{AA2F870C-7614-490D-9DC8-CBC33537837A}" = protocol=6 | dir=in | app=c:\program files\ubisoft\tom clancy's splinter cell conviction\src\system\gu.exe |
"{B8D37BDE-6F75-4C76-B3C7-B5D7D398B0C4}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\red orchestra\system\redorchestra.exe |
"{BB073208-1BF0-4BFE-8AA8-2B2D1D405711}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\grand theft auto iv\rgsc\rgsclauncher.exe |
"{BDDEBCF7-E174-4B3A-B01F-7FE9DFD6CF56}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\sid meier's civilization iv beyond the sword\beyond the sword\civ4beyondsword.exe |
"{CAA1E4A2-1725-4803-9705-B84418C9C4D1}" = protocol=17 | dir=in | app=c:\program files\ubisoft\tom clancy's splinter cell conviction\src\system\gu.exe |
"{CFB80ACC-24FE-4E99-AA58-1F1EC618CA60}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\grand theft auto iv\gtaiv\launchgtaiv.exe |
"{D14F2AB2-7B2F-4B21-A216-5A4A1F5A8602}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\grand theft auto iv\gtaiv\gtaiv.exe |
"{D24DB0A5-05F0-434A-A811-4A324D007732}" = protocol=17 | dir=in | app=c:\program files\electronic arts\battlefield bad company 2 - beta\bfbc2betaupdater.exe |
"{D7098302-4F3B-46C4-88D9-1D203A916E88}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\empire total war\empire.exe |
"{D72B0739-AA13-4C5A-B986-76297FFEC320}" = protocol=6 | dir=in | app=c:\program files\microsoft games\age of empires iii\age3x.exe |
"{D95D1376-1004-434E-A12C-9827B958FA89}" = protocol=17 | dir=in | app=c:\program files\curse\curseclient.exe |
"{ED816116-CFF1-459C-8707-D66615946870}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{F15AE86E-1635-4745-BA3E-A5CB2AE6CFB2}" = protocol=17 | dir=in | app=c:\program files\ventrilo\ventrilo.exe |
"{FA671EA9-7D61-44F1-B90C-3F0FD8FD14AE}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{FE3106D1-7B5A-4F6B-B881-5FD357C196A2}" = protocol=6 | dir=in | app=c:\program files\electronic arts\battlefield bad company 2 - beta\bfbc2betaupdater.exe |
"{FFEB7E8A-E789-4607-B2E5-6961EDB442ED}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\dawn of war 2\dow2.exe |
"TCP Query User{7525E5D6-397E-44D4-BA3D-BAADDD75179C}C:\program files\steam\steam.exe" = protocol=6 | dir=in | app=c:\program files\steam\steam.exe |
"TCP Query User{91A3F5BE-7A4A-4C9F-86D4-0AD05E07F588}C:\program files\firaxis games\sid meier's civilization 4\beyond the sword\civ4beyondsword.exe" = protocol=6 | dir=in | app=c:\program files\firaxis games\sid meier's civilization 4\beyond the sword\civ4beyondsword.exe |
"TCP Query User{A74BEB7B-0AA7-4242-8B96-9E8EA24FCEDF}C:\program files\steam\steamapps\distortedwaffle\counter-strike source\hl2.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\distortedwaffle\counter-strike source\hl2.exe |
"UDP Query User{6AABEC74-12CE-41F6-BF40-1C08F89B42F6}C:\program files\steam\steam.exe" = protocol=17 | dir=in | app=c:\program files\steam\steam.exe |
"UDP Query User{8125A11B-56EA-44FE-8F91-32D08B39C51C}C:\program files\firaxis games\sid meier's civilization 4\beyond the sword\civ4beyondsword.exe" = protocol=17 | dir=in | app=c:\program files\firaxis games\sid meier's civilization 4\beyond the sword\civ4beyondsword.exe |
"UDP Query User{A05EF182-7021-4757-8008-F4B9856D7736}C:\program files\steam\steamapps\distortedwaffle\counter-strike source\hl2.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\distortedwaffle\counter-strike source\hl2.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00C5F4F4-62F9-40D7-8000-AD8A9CD0C669}" = Microsoft Games for Windows - LIVE Redistributable
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{063E409E-3D7C-4A4A-95AB-2F124B9224B3}" = ArcSoft PhotoImpression 6
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1C08A24C-B168-407E-A826-68FAF5F20710}" = Age of Empires III - The WarChiefs
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 20
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{3AC8457C-0385-4BEA-A959-E095F05D6D67}" = Battlefield: Bad Company™ 2
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{5DE1B7CF-7429-40CA-987F-6BEE09B63787}" = Prime95
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D8DDB4A-C263-40DE-BA16-AFDAD159D59A}" = Tom Clancy's Splinter Cell Conviction
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel(R) PRO Network Connections 12.1.12.0
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III
"{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C69A537-1CED-4863-BB30-FB566217528C}" = Stanford University
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager
"{91120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95774351-6087-3A3B-8CA8-70BEE49D2BD5}" = Google Gears
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A1C962E2-2426-49C6-A38B-9A07E40D607C}" = Microsoft Games for Windows - LIVE
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A746CE98-A755-4AD7-B4B8-346DC74CDECD}" = OVT Scanner
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{C43C1415-3DFC-4089-9A32-0BECF28A6046}" = Age of Empires III - The Asian Dynasties
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D5A9DA4B-E4F9-FB49-017D-769FC540F1F0}" = EA Download Manager UI
"{DCAF959E-BE84-4E56-91B1-3E962AED5BF4}" = Dolby Control Center Link
"{DEA314C4-0929-4250-BC92-98E4C105F28D}" = NVIDIA PhysX
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F1CBC6F7-D82D-4DC5-B81C-9A14F418593A}_is1" = WC3Banlist
"{F54AC413-D2C6-4A24-B324-370C223C6250}" = Adobe Photoshop Elements 6.0
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"7-Zip" = 7-Zip 4.65
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 6" = Adobe Photoshop Elements 6.0
"Blitzkrieg" = Blitzkrieg Mod
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"com.ea.Vault.919CACB699904AC5D41B606703500DD39747C02D.1" = EA Download Manager UI
"Diablo II" = Diablo II
"Download Manager" = Download Manager 2.3.7
"EA Download Manager" = EA Download Manager
"HECI" = Intel® Management Engine Interface
"HijackThis" = HijackThis 1.99.1
"Hijackthis_is1" = Hijackthis 1.99.1
"hon" = Heroes of Newerth
"InstallShield_{1C08A24C-B168-407E-A826-68FAF5F20710}" = Age of Empires III - The WarChiefs
"InstallShield_{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III
"InstallShield_{C43C1415-3DFC-4089-9A32-0BECF28A6046}" = Age of Empires III - The Asian Dynasties
"LastFM_is1" = Last.fm 1.5.4.24567
"Launchy_21344213_is1" = Launchy 2.1.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"Mozilla Firefox (3.0.14)" = Mozilla Firefox (3.0.14)
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"Picasa 3" = Picasa 3
"PodUtil_is1" = PodUtil 2.5.2
"PROR" = Microsoft Office Professional 2007
"PROSetDX" = Intel(R) PRO Network Connections 12.1.12.0
"PunkBusterSvc" = PunkBuster Services
"RealPlayer 6.0" = RealPlayer
"SSIII Solo Ultratus" = SSIII Solo Ultratus 1.1
"Starcraft" = Starcraft
"Steam App 10500" = Empire: Total War
"Steam App 1200" = Red Orchestra
"Steam App 12210" = Grand Theft Auto IV
"Steam App 15620" = Warhammer 40,000: Dawn of War II
"Steam App 17570" = Pirates, Vikings, and Knights II
"Steam App 240" = Counter-Strike: Source
"Steam App 25980" = Majesty 2
"Steam App 4780" = Medieval II: Total War - Kingdoms
"Steam App 8800" = Sid Meier's Civilization IV: Beyond the Sword
"Steam App 9340" = Company of Heroes: Opposing Fronts
"UltSounds" = Windows Sound Schemes
"UltSounds2" = Ultimate Extras sounds from Microsoft® Tinker™
"VirtualCloneDrive" = VirtualCloneDrive
"VLC media player" = VLC media player 1.0.5
"Warcraft III" = Warcraft III
"WinPcapInst" = WinPcap 4.0.2
"WinRAR archiver" = WinRAR archiver
"World of Warcraft" = World of Warcraft

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1850265421-2837915182-2937492470-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"090215de958f1060" = Curse Client
"Google Chrome" = Google Chrome
"HuluDesktop" = Hulu Desktop
"Stainless_Steel_6.0_Part1of2" = Stainless_Steel_6.0_Part1of2
"Stainless_Steel_6.0_Part2of2" = Stainless_Steel_6.0_Part2of2
"Third Age - Total War 1.0 Part1" = Third Age - Total War 1.0 Part1
"Third Age - Total War 1.0 Part2" = Third Age - Total War 1.0 Part2
"Third Age - Total War Hotfix1" = Third Age - Total War Hotfix1
"Third Age - Total War Patch 1.1" = Third Age - Total War Patch 1.1
"Third Age - Total War Patch 1.2" = Third Age - Total War Patch 1.2
"Third Age - Total War Patch 1.3" = Third Age - Total War Patch 1.3
"Third Age - Total War Patch 1.4" = Third Age - Total War Patch 1.4

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/20/2010 10:29:36 PM | Computer Name = Deeling-PC | Source = WinMgmt | ID = 10
Description =

Error - 7/20/2010 11:36:00 PM | Computer Name = Deeling-PC | Source = EventSystem | ID = 4609
Description =

Error - 7/20/2010 11:36:54 PM | Computer Name = Deeling-PC | Source = WinMgmt | ID = 10
Description =

Error - 7/21/2010 1:30:41 PM | Computer Name = Deeling-PC | Source = EventSystem | ID = 4609
Description =

Error - 7/21/2010 1:31:35 PM | Computer Name = Deeling-PC | Source = WinMgmt | ID = 10
Description =

Error - 7/22/2010 4:26:46 PM | Computer Name = Deeling-PC | Source = EventSystem | ID = 4609
Description =

Error - 7/22/2010 4:27:38 PM | Computer Name = Deeling-PC | Source = WinMgmt | ID = 10
Description =

Error - 7/27/2010 11:54:04 AM | Computer Name = Deeling-PC | Source = EventSystem | ID = 4609
Description =

Error - 7/27/2010 11:54:59 AM | Computer Name = Deeling-PC | Source = WinMgmt | ID = 10
Description =

Error - 7/27/2010 12:21:55 PM | Computer Name = Deeling-PC | Source = EventSystem | ID = 4609
Description =

[ OSession Events ]
Error - 6/28/2009 6:33:59 PM | Computer Name = Deeling-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 4
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/16/2009 2:52:59 PM | Computer Name = Deeling-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 5
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/25/2009 9:59:17 AM | Computer Name = Deeling-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 7
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 7/27/2010 11:54:59 AM | Computer Name = Deeling-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 7/27/2010 11:54:59 AM | Computer Name = Deeling-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 7/27/2010 12:07:22 PM | Computer Name = Deeling-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 10:02:53 AM on 7/27/2010 was unexpected.

Error - 7/27/2010 12:15:08 PM | Computer Name = Deeling-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 10:12:14 AM on 7/27/2010 was unexpected.

Error - 7/27/2010 12:21:26 PM | Computer Name = Deeling-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 10:19:00 AM on 7/27/2010 was unexpected.

Error - 7/27/2010 12:21:49 PM | Computer Name = Deeling-PC | Source = DCOM | ID = 10005
Description =

Error - 7/27/2010 12:21:55 PM | Computer Name = Deeling-PC | Source = DCOM | ID = 10005
Description =

Error - 7/27/2010 12:21:57 PM | Computer Name = Deeling-PC | Source = DCOM | ID = 10005
Description =

Error - 7/27/2010 12:22:50 PM | Computer Name = Deeling-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 7/27/2010 12:22:50 PM | Computer Name = Deeling-PC | Source = Service Control Manager | ID = 7026
Description =


< End of report >
strelet007
Regular Member
 
Posts: 37
Joined: July 20th, 2010, 1:46 pm

Re: HijackThis log =( - got a normal HJT log

Unread postby strelet007 » July 27th, 2010, 1:10 pm

Just to clarify, so far I've been able to follow all of your directions but only in safe mode.

I've tried using GMER as you've suggested but it hangs on "\devices\harddiskvolumeshadowcopy1" when scanning. A dialog pops up saying that it's encountered a problem. If I try to run GMER again, I get a BSOD. I took a screenshot of this. It lists a couple of files before the screenshotted error window pops up.
strelet007
Regular Member
 
Posts: 37
Joined: July 20th, 2010, 1:46 pm

Re: HijackThis log =( - got a normal HJT log

Unread postby Jack&Jill » July 28th, 2010, 2:23 am

Hello strelet007 :),

Please retry GMER with the same options, plus Devices unchecked.
Jack&Jill
MRU Emeritus
 
Posts: 2284
Joined: August 19th, 2008, 5:37 am
Location: South East Asia

Re: HijackThis log =( - got a normal HJT log

Unread postby strelet007 » July 28th, 2010, 2:50 pm

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-28 12:37:47
Windows 6.0.6002 Service Pack 2
Running: cjwtgeht.exe; Driver: C:\Users\Roaa\AppData\Local\Temp\pxtdifod.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\Windows\System32\Drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload 8ED7741B 5 Bytes JMP 86A63770

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7F 0xF5 0x62 0x1A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7F 0xF5 0x62 0x1A ...

---- EOF - GMER 1.0.15 ----
strelet007
Regular Member
 
Posts: 37
Joined: July 20th, 2010, 1:46 pm

Re: HijackThis log =( - got a normal HJT log

Unread postby Jack&Jill » July 29th, 2010, 12:41 pm

Hello strelet007 :),

Can anything be done in Normal mode? Please try to do the following steps in Normal mode. If they do not work, try in Safe mode.

--------------------

Please download Rootkit Unhooker and save it to your desktop. Click here.
  • Double click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Ensure the following are checked (ticked):
    • Drivers
    • Stealth Code
    • Files
    • Code Hooks
  • Uncheck the rest, then click OK. An initial scan will be performed.
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK.
  • Wait until the scanner is done, then click on File at the pull down menu, followed by Save Report.
  • Save the report somewhere you can find it. Click Close to exit.
  • Copy the entire contents of the report and paste it in your next reply.

You may get a warning about parasite detection. Please click OK to continue.

--------------------

I want you to update MBAM and run a scan.
  • Open MBAM and click on the Update tab, then Check for Updates.
  • When completed, go to back to the Scanner tab and select Perform full scan. Click Scan.
  • Leave the default options as they are and click on Start Scan.
  • If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Check (tick) all items except items in the C:\System Volume Information folder and click on Remove Selected.
  • After it has removed the items, a log in Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware. If you receive an (Error Loading) error on reboot, please reboot a second time. It is normal for this error to occur once and does not need to be reported unless it returns on future reboots.

--------------------

Please describe to me in detail what symptoms you experience in Normal mode.

Is it possible to run OTL in Normal mode? Please try it too and post back the log.

--------------------

Please post back:
1. the answer to my question about Normal mode
2. the Rootkit Unhooker result
3. MBAM report
4. symptoms
5. new OTL log in Normal mode
Jack&Jill
MRU Emeritus
 
Posts: 2284
Joined: August 19th, 2008, 5:37 am
Location: South East Asia
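The helper above asks for a Rootkit Unhooker report, an MBAM log and a fresh OTL log from Normal mode. What a helper then does with an OTL log is a first-pass triage of its lines. The script below is an added example and is not part of the original thread, nor OTL's own code: it parses the SRV/DRV and numbered O-section line formats exactly as they appear in the OTL logs posted in this thread, and flags the entries a helper looks at first (service or driver binaries missing on disk, a running kernel driver with no company name, UAC disabled via EnableLUA = 0, an orphaned BHO, removable-media AutoRun commands, and exe/com [open] commands that differ from the default `"%1" %*`). The function names `parse_otl` and `triage`, the regular expressions and the flagging rules are this example's own choices. The sample lines are copied from the log in this thread except the final O35 line, which is constructed (the `hijack.exe` path is hypothetical) purely to exercise the file-association check.

```python
import re

# Added example, not from the original thread or from OTL itself.
# Line formats are those OTL prints, as seen in the logs in this thread.

# SRV/DRV entry with file metadata and the company name from the version resource, e.g.
#   DRV - [2009/11/06 21:24:16 | 000,685,816 | ---- | M] () [Kernel | Boot | Running] -- C:\...\sptd.sys -- (sptd)
ENTRY_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - \[(?P<stamp>[^|]+?) \| (?P<size>[^|]+?) \| [^|]+? \| [CM]\] "
    r"\((?P<company>[^)]*)\) \[(?P<flags>[^\]]+)\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)"
)
# SRV/DRV entry whose binary OTL could not find on disk
MISSING_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<flags>[^\]]+)\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)"
)
# HijackThis-style numbered sections (O2, O6, O20, O33, O35, O37 ...)
OLINE_RE = re.compile(r"^(?P<kind>O\d+) - (?P<body>.*)$")

NORMAL_OPEN_CMD = '"%1" %*'  # default exefile/comfile [open] command on a clean system

# Sample input: lines copied from the OTL log in this thread, plus one constructed
# O35 line (hypothetical hijack.exe path) to exercise the association check.
SAMPLE_LOG = r"""
SRV - File not found [Disabled | Stopped] -- C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe -- (OcHealthMon)
SRV - [2010/05/30 22:16:14 | 000,395,048 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\igdkmd32.sys -- (igfx)
DRV - [2009/11/06 21:24:16 | 000,685,816 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2007/09/26 02:33:58 | 000,323,584 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - File not found
O33 - MountPoints2\{4e9f7776-cb4d-11de-adf3-001cc017b7c1}\Shell\AutoRun\command - "" = G:\autorun.exe -- File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\Users\Public\hijack.exe" "%1" %*
"""


def parse_otl(text):
    """Yield one dict per line the regexes above recognise; other lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line) or MISSING_RE.match(line)
        if m:
            d = m.groupdict()
            d["missing"] = "company" not in d      # MISSING_RE has no company group
            d["company"] = d.get("company", "").strip()
            d["flags"] = [f.strip() for f in d["flags"].split("|")]
            yield d
            continue
        m = OLINE_RE.match(line)
        if m:
            yield {"kind": m["kind"], "body": m["body"]}


def triage(text):
    """Return (name, reason) pairs for the entries a helper would examine first."""
    findings = []
    for e in parse_otl(text):
        kind, body = e["kind"], e.get("body", "")
        if kind in ("SRV", "DRV"):
            if e["missing"]:
                what = "service" if kind == "SRV" else "driver"
                findings.append((e["name"], f"{what} binary missing on disk: {e['path']}"))
            elif kind == "DRV" and not e["company"] and "Running" in e["flags"]:
                findings.append((e["name"], "running kernel driver with no company name"))
        elif kind == "O2" and body.endswith("No CLSID value found."):
            clsid = re.search(r"\{[0-9A-Fa-f-]+\}", body)
            findings.append((clsid.group(0) if clsid else body, "orphaned BHO entry"))
        elif kind == "O6" and "EnableLUA = 0" in body:
            findings.append(("EnableLUA", "UAC disabled by policy (EnableLUA = 0)"))
        elif kind == "O20" and body.endswith("File not found"):
            findings.append((body.split(":", 1)[0], "Winlogon Notify DLL missing"))
        elif kind == "O33" and "\\AutoRun\\command" in body:
            findings.append((body.split(" - ", 1)[0], "removable-media AutoRun command"))
        elif kind in ("O35", "O37"):
            key, _, cmd = body.partition(" -- ")
            if cmd != NORMAL_OPEN_CMD:
                findings.append((key, f"exe/com file association hijacked: {cmd}"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LOG):
        print(f"{name:60s} {reason}")
```

The unsigned-driver rule deliberately only fires for drivers that are both running and have an empty company field, which is why `sptd` is flagged while the SigmaTel driver is not; a helper would still check the flagged file against the vendor before touching a boot-start driver. The default-command check treats anything other than `"%1" %*` as suspect, so a legitimately customised association would also be listed for review.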

Re: HijackThis log =( - got a normal HJT log

Unread postby strelet007 » July 30th, 2010, 8:15 pm

Hi Jack&Jill,

On a hunch, I disabled UAC in safe mode. I'm now not getting any explorer.exe crashes and I can download and run some programs I couldn't before. While I can run MBAM in normal mode, it scans and only completes 2 seconds before it crashes. However, disabling UAC has let me run OTL.

Also, I've left RKUnhooker.exe running for a couple of hours and I'm never prompted to select a disk to scan. Trying to end its process or task doesn't work either. It just sits and uses 25% CPU. This happens in safe mode also.

As far as symptoms go, I really don't have much to add other than what I've already posted. Before I disabled UAC, I couldn't download files. I also couldn't install or uninstall programs without explorer crashing. Programs like MBAM, installers (like for Microsoft Security Essentials) wouldn't install either. But in safe mode, I wasn't aware of any problems.

As I've just disabled UAC and had a bit of success getting things to run that wouldn't before, I'm not entirely sure how all of the symptoms have changed. But it looks like things are working a bit better, minus what I've already noted (like MBAM unable to scan).

Some days ago I tried installing Microsoft Security Essentials (I think this was just before I posted here). It hasn't been able to start one of its services. Right now I'm trying to uninstall it (in normal mode). While I can actually run the installer and see the progress bar moving, it doesn't appear to actually be doing anything. I also tried to uninstall one of my old games, Splinter Cell, and encountered a similar problem. The installer would run, a window would open for it, but it would crash without me being able to actually initialize the uninstallation.

I tried installing CCleaner and it looks like that worked.

Re: HijackThis log =( - got a normal HJT log

Unread postby strelet007 » July 30th, 2010, 9:06 pm

Here are the OTL logs from normal mode (yay!):


OTL logfile created on: 7/30/2010 7:02:29 PM - Run 4
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\Roaa\Desktop
Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 82.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 149.10 Gb Free Space | 32.01% Space Free | Partition Type: NTFS
Drive D: | 581.94 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 465.76 Gb Total Space | 465.65 Gb Free Space | 99.98% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DEELING-PC
Current User Name: Roaa
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/27 10:01:02 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Roaa\Desktop\OTL.exe
PRC - [2010/06/01 14:53:46 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2009/04/11 00:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007/09/26 02:33:57 | 000,303,104 | ---- | M] (SigmaTel, Inc.) -- C:\Windows\sttray.exe
PRC - [2007/09/11 00:43:54 | 000,067,488 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
PRC - [2007/03/21 13:00:00 | 000,174,872 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe


========== Modules (SafeList) ==========

MOD - [2010/07/27 10:01:02 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Roaa\Desktop\OTL.exe
MOD - [2009/09/24 20:10:10 | 000,974,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\WindowsCodecs.dll
MOD - [2009/04/11 00:28:19 | 000,114,176 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\EhStorShell.dll
MOD - [2009/04/11 00:28:18 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cscapi.dll
MOD - [2009/04/11 00:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2008/01/20 20:22:45 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe -- (OcHealthMon)
SRV - [2010/05/30 22:16:14 | 000,395,048 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/04/21 11:46:17 | 000,373,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2010/04/21 11:46:17 | 000,373,760 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2010/04/03 16:59:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009/09/24 19:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/04/11 00:28:17 | 000,052,224 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2008/08/28 08:11:19 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/01/20 20:21:41 | 000,272,952 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/11/06 14:22:26 | 000,092,792 | ---- | M] (CACE Technologies) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2007/10/25 15:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/10/18 11:31:54 | 000,098,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2007/09/11 00:45:04 | 000,124,832 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0)
SRV - [2007/03/21 13:00:04 | 000,355,096 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\igdkmd32.sys -- (igfx)
DRV - [2010/04/03 16:55:31 | 011,573,800 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/03/25 21:30:22 | 000,042,368 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2009/12/17 16:25:12 | 000,026,024 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\System32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV - [2009/11/06 21:24:16 | 000,685,816 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/08/09 15:25:56 | 000,029,696 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VClone.sys -- (VClone)
DRV - [2009/01/15 10:15:26 | 000,015,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\dc3d.sys -- (dc3d) USBCCGP filter driver (dc3d)
DRV - [2008/01/20 20:21:35 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/20 20:21:35 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/20 20:21:35 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/20 20:21:34 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/20 20:21:34 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/20 20:21:34 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/20 20:21:33 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/20 20:21:33 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/20 20:21:33 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
DRV - [2008/01/20 20:21:33 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/20 20:21:32 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/20 20:21:32 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/20 20:21:32 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/20 20:21:31 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/20 20:21:31 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/20 20:21:31 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/20 20:21:31 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/20 20:21:30 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/20 20:21:29 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/20 20:21:29 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/20 20:21:29 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/20 20:21:28 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/20 20:21:09 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/20 20:21:09 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/20 20:21:09 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/11/06 14:22:06 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\npf.sys -- (NPF)
DRV - [2007/09/26 02:35:38 | 000,228,224 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2007/09/26 02:33:58 | 000,323,584 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/05/11 20:00:14 | 000,045,056 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HECI.sys -- (HECI) Intel(R)
DRV - [2007/04/10 11:08:46 | 000,596,480 | ---- | M] (Omnivision Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ov550i.sys -- (APL531)
DRV - [2007/03/21 12:58:56 | 000,304,920 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2006/11/02 03:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 03:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 03:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 03:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 03:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 03:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 03:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 03:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 03:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 03:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 03:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 02:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 02:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 02:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 02:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 02:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 02:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 01:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2005/02/23 15:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\afc.sys -- (Afc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1850265421-2837915182-2937492470-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1850265421-2837915182-2937492470-1001\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1850265421-2837915182-2937492470-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1850265421-2837915182-2937492470-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/03/27 11:42:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.14\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/07 03:15:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.14\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/01 11:03:57 | 000,000,000 | ---D | M]

[2008/09/28 00:21:01 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\mozilla\Extensions
[2010/06/05 16:46:47 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\mozilla\Firefox\Profiles\7hs93dud.default\extensions
[2009/12/24 11:06:27 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Roaa\AppData\Roaming\mozilla\Firefox\Profiles\7hs93dud.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/01 11:03:58 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/01 11:03:58 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/10/17 20:14:37 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll

O1 HOSTS File: ([2006/09/18 15:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-1850265421-2837915182-2937492470-1001\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [MSSE] C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Windows\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/fl ... rashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - File not found
O22 - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - C:\Windows\System32\DreamScene.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Roaa\Pictures\dontworrybeer.jpg
O24 - Desktop BackupWallPaper: C:\Users\Roaa\Pictures\dontworrybeer.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 15:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2000/05/11 04:13:12 | 000,000,046 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{4e9f7776-cb4d-11de-adf3-001cc017b7c1}\Shell - "" = AutoRun
O33 - MountPoints2\{4e9f7776-cb4d-11de-adf3-001cc017b7c1}\Shell\AutoRun\command - "" = G:\autorun.exe -- File not found
O33 - MountPoints2\{9c4e4861-6c62-11df-803d-001cc017b7c1}\Shell - "" = AutoRun
O33 - MountPoints2\{9c4e4861-6c62-11df-803d-001cc017b7c1}\Shell\AutoRun\command - "" = F:\autorun.exe -- File not found
O33 - MountPoints2\{ea26fd60-752c-11dd-9691-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{ea26fd60-752c-11dd-9691-806e6f6e6963}\Shell\AutoRun\command - "" = D:\SETUP.EXE -- [2000/05/20 20:36:50 | 000,032,768 | R--- | M] ()
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\SETUP.EXE -- [2000/05/20 20:36:50 | 000,032,768 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/27 10:01:01 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Roaa\Desktop\OTL.exe
[2010/07/22 14:49:45 | 000,000,000 | ---D | C] -- C:\Program Files\Hijackthis
[2010/07/22 14:47:03 | 011,508,680 | ---- | C] (Microsoft Corporation) -- C:\Users\Roaa\Desktop\windows-kb890830-v3.9.exe
[2010/07/20 21:15:50 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/07/20 20:53:42 | 000,359,656 | ---- | C] (Microsoft Corporation) -- C:\Users\Roaa\Desktop\msicuu2.exe
[2010/07/20 20:36:53 | 000,756,776 | ---- | C] (Microsoft Corporation) -- C:\Users\Roaa\Desktop\OneCareCleanUp.exe
[2010/07/20 11:48:25 | 000,000,000 | ---D | C] -- C:\Users\Roaa\AppData\Roaming\Malwarebytes
[2010/07/20 11:44:37 | 007,315,936 | ---- | C] (Microsoft Corporation) -- C:\Users\Roaa\Desktop\mssefullinstall-x86fre-en-us-vista-win7.exe
[2010/07/20 11:44:36 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Roaa\Desktop\mbam-setup-1.46.exe
[2010/07/20 11:43:37 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Roaa\Desktop\steam.exe
[2010/07/20 11:12:00 | 000,000,000 | ---D | C] -- C:\WINSSLog
[2010/07/20 11:08:36 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/07/20 11:08:35 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/07/20 11:08:35 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/20 11:08:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/30 19:02:00 | 000,000,422 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{0F7C84C4-714A-4C97-A897-BEB0B2DF102C}.job
[2010/07/30 18:59:37 | 000,139,673 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/07/30 18:59:37 | 000,139,673 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/07/30 18:59:28 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/07/30 18:59:00 | 000,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{D2DBB98F-8E5D-4C83-AFFF-B99A7A39F946}.job
[2010/07/30 18:58:10 | 000,003,840 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/07/30 18:58:10 | 000,003,840 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/07/30 18:58:07 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/07/30 18:58:07 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/07/30 18:58:06 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/07/30 18:58:05 | 3483,996,160 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/30 18:55:42 | 003,145,728 | -HS- | M] () -- C:\Users\Roaa\NTUSER.DAT
[2010/07/30 18:30:38 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1850265421-2837915182-2937492470-1001UA.job
[2010/07/30 18:29:26 | 000,002,037 | ---- | M] () -- C:\Users\Roaa\Desktop\Google Chrome.lnk
[2010/07/30 18:29:26 | 000,001,999 | ---- | M] () -- C:\Users\Roaa\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/07/30 18:18:05 | 000,000,804 | ---- | M] () -- C:\Users\Roaa\Desktop\CCleaner.lnk
[2010/07/30 18:14:55 | 000,000,772 | ---- | M] () -- C:\Users\Roaa\Desktop\Hijackthis.lnk
[2010/07/30 18:10:59 | 000,000,916 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1850265421-2837915182-2937492470-1000UA.job
[2010/07/30 15:56:13 | 000,524,288 | -HS- | M] () -- C:\Users\Roaa\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms
[2010/07/30 15:56:13 | 000,065,536 | -HS- | M] () -- C:\Users\Roaa\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf
[2010/07/30 15:40:38 | 001,813,271 | -H-- | M] () -- C:\Users\Roaa\AppData\Local\IconCache.db
[2010/07/30 15:10:59 | 000,000,864 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1850265421-2837915182-2937492470-1000Core.job
[2010/07/30 14:29:00 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1850265421-2837915182-2937492470-1001Core.job
[2010/07/30 12:48:42 | 000,133,632 | ---- | M] () -- C:\Users\Roaa\Desktop\RKUnhookerLE.EXE
[2010/07/28 20:38:49 | 000,001,356 | ---- | M] () -- C:\Users\Roaa\AppData\Local\d3d9caps.dat
[2010/07/28 12:40:18 | 491,675,594 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/07/27 11:00:31 | 000,804,982 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/07/27 11:00:31 | 000,129,262 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/07/27 11:00:31 | 000,000,000 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/07/27 10:25:08 | 000,293,376 | ---- | M] () -- C:\Users\Roaa\Desktop\cjwtgeht.exe
[2010/07/27 10:02:03 | 000,293,376 | ---- | M] () -- C:\Users\Roaa\Desktop\mgztrfs8.exe
[2010/07/27 10:01:02 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Roaa\Desktop\OTL.exe
[2010/07/22 20:29:03 | 000,007,491 | ---- | M] () -- C:\Users\Roaa\Desktop\hijackthis2
[2010/07/22 14:47:17 | 011,508,680 | ---- | M] (Microsoft Corporation) -- C:\Users\Roaa\Desktop\windows-kb890830-v3.9.exe
[2010/07/21 11:50:44 | 000,089,550 | ---- | M] () -- C:\Users\Roaa\Documents\cc_20100721_115041.reg
[2010/07/20 21:15:50 | 000,000,942 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Security Essentials.lnk
[2010/07/20 20:53:45 | 000,359,656 | ---- | M] (Microsoft Corporation) -- C:\Users\Roaa\Desktop\msicuu2.exe
[2010/07/20 20:36:53 | 000,756,776 | ---- | M] (Microsoft Corporation) -- C:\Users\Roaa\Desktop\OneCareCleanUp.exe
[2010/07/20 11:43:42 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Roaa\Desktop\steam.exe
[2010/07/20 11:08:38 | 000,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/20 10:56:38 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Roaa\Desktop\mbam-setup-1.46.exe
[2010/07/20 10:54:48 | 007,315,936 | ---- | M] (Microsoft Corporation) -- C:\Users\Roaa\Desktop\mssefullinstall-x86fre-en-us-vista-win7.exe
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/30 13:00:14 | 3483,996,160 | -HS- | C] () -- C:\hiberfil.sys
[2010/07/30 12:48:41 | 000,133,632 | ---- | C] () -- C:\Users\Roaa\Desktop\RKUnhookerLE.EXE
[2010/07/27 10:25:06 | 000,293,376 | ---- | C] () -- C:\Users\Roaa\Desktop\cjwtgeht.exe
[2010/07/27 10:07:18 | 491,675,594 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/07/27 10:02:00 | 000,293,376 | ---- | C] () -- C:\Users\Roaa\Desktop\mgztrfs8.exe
[2010/07/22 20:29:03 | 000,007,491 | ---- | C] () -- C:\Users\Roaa\Desktop\hijackthis2
[2010/07/22 14:49:46 | 000,000,772 | ---- | C] () -- C:\Users\Roaa\Desktop\Hijackthis.lnk
[2010/07/21 11:50:43 | 000,089,550 | ---- | C] () -- C:\Users\Roaa\Documents\cc_20100721_115041.reg
[2010/07/20 21:15:50 | 000,000,942 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft Security Essentials.lnk
[2010/07/20 11:08:38 | 000,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/06 21:28:38 | 000,009,728 | ---- | C] () -- C:\Windows\System32\BASSMOD.dll
[2009/11/06 21:24:15 | 000,685,816 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2009/11/06 11:58:04 | 000,178,975 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2009/09/11 07:51:27 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/02/16 23:17:41 | 000,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2008/09/27 11:28:07 | 000,139,128 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2008/08/27 21:37:08 | 000,910,464 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2008/08/27 21:37:08 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1268.dll
[2008/01/20 20:23:41 | 000,081,158 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en
[2007/11/06 14:19:28 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll
[2006/11/02 06:34:20 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 01:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2001/10/05 09:50:58 | 000,008,575 | ---- | C] () -- C:\Windows\System32\D125UFW.INI

========== LOP Check ==========

[2010/02/13 17:12:34 | 000,000,000 | ---D | M] -- C:\Users\Deeling\AppData\Roaming\Launchy
[2010/04/04 17:11:48 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\.minecraft
[2010/02/14 04:29:51 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\Auslogics
[2009/04/10 19:02:36 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\CopyTrans
[2009/11/06 21:22:08 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\DAEMON Tools
[2009/11/06 21:30:11 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\DAEMON Tools Pro
[2008/10/05 16:00:18 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\fizzy
[2010/02/12 22:27:49 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\Launchy
[2009/05/14 14:51:51 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\SaintXi
[2009/05/14 13:37:16 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\The Creative Assembly
[2009/10/17 21:26:21 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\Turbine
[2010/07/27 09:54:26 | 000,000,000 | ---D | M] -- C:\Users\Roaa\AppData\Roaming\uTorrent
[2010/07/30 15:55:47 | 000,032,628 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/07/30 19:02:00 | 000,000,422 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{0F7C84C4-714A-4C97-A897-BEB0B2DF102C}.job
[2010/07/30 18:59:00 | 000,000,416 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{D2DBB98F-8E5D-4C83-AFFF-B99A7A39F946}.job

========== Purity Check ==========


< End of report >
strelet007
Regular Member
 
Posts: 37
Joined: July 20th, 2010, 1:46 pm

Re: HijackThis log =( - got a normal HJT log

Unread postby strelet007 » July 30th, 2010, 9:06 pm

OTL Extras logfile created on: 7/30/2010 7:02:29 PM - Run 4
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\Roaa\Desktop
Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 82.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 149.10 Gb Free Space | 32.01% Space Free | Partition Type: NTFS
Drive D: | 581.94 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 465.76 Gb Total Space | 465.65 Gb Free Space | 99.98% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DEELING-PC
Current User Name: Roaa
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1850265421-2837915182-2937492470-1001\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- C:\Users\Roaa\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0882F273-1C76-414E-9891-1CF8A3B6BA3F}" = lport=58245 | protocol=6 | dir=in | name=pando media booster |
"{0B225BEB-7608-49E6-B8D7-E71BF16673B8}" = lport=137 | protocol=17 | dir=in | app=system |
"{0E789480-46FC-4DD6-9A23-D98B5906EA4B}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{31AA182F-2309-4877-8E52-8D2E5269EB26}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{4B138D7A-AF5A-4293-8A76-1E74874C60B4}" = rport=137 | protocol=17 | dir=out | app=system |
"{52D14CDE-A4F3-4984-BD1F-635DBB553D5C}" = lport=445 | protocol=6 | dir=in | app=system |
"{531712F8-D5E7-4B87-9BB7-2306563518D7}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{624C0DD3-C1AA-4597-85E3-718B7384AE4D}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{67A17652-E0C5-4C08-88D9-8EC59AB8C853}" = lport=63331 | protocol=6 | dir=in | name=windows live onecare |
"{89D358FA-05A6-4CDF-8DA2-F4C75EFD61FE}" = rport=445 | protocol=6 | dir=out | app=system |
"{959D1822-6044-4BA0-93E4-25F24F27FC3A}" = rport=138 | protocol=17 | dir=out | app=system |
"{9B595F07-91F9-41E4-9399-7B1150FB103E}" = rport=139 | protocol=6 | dir=out | app=system |
"{A39D60E8-77F3-44EE-B707-66AD736DBAA7}" = lport=6112 | protocol=6 | dir=in | name=wc3 |
"{CF37AE0B-1EED-4D94-A9B8-4F7899D6D3EF}" = lport=2869 | protocol=6 | dir=in | app=system |
"{D0D5CEBC-4153-484D-92CD-772127643086}" = lport=138 | protocol=17 | dir=in | app=system |
"{E2516AA8-2A2B-4CE8-990D-8C4BE27345BB}" = lport=6112 | protocol=17 | dir=in | name=wc3 |
"{EE33B1D3-DC31-4BF4-9F09-493676340E4C}" = lport=58245 | protocol=17 | dir=in | name=pando media booster |
"{FB41D500-DD7C-46DF-9FA5-ED745F64D3CA}" = lport=139 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01C7BE20-2ADA-482E-A8A4-36CFB01F59B2}" = protocol=17 | dir=in | app=c:\program files\windsolutions\copytrans suite\copytrans.exe |
"{030E6117-FA79-44CA-AD26-00C5BF14CA95}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\dawn of war 2\dow2.exe |
"{0587CBA5-83A2-4D84-9A5F-61582F94799D}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{13E1D66B-25F6-435C-B40F-39C1515BF99D}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\majesty 2\m2editor.exe |
"{157AE0F0-520A-4343-9B73-76748AA80BC1}" = protocol=17 | dir=in | app=c:\program files\ubisoft\ubisoft game launcher\ubisoftgamelauncher.exe |
"{163AFE6C-A8BF-484B-8626-EA5549C2FE24}" = dir=in | app=c:\program files\windows live\messenger\livecall.exe |
"{172DA0DF-5135-4E7B-9F3B-4A9F45FF5F8C}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\instago@hotmail.com\pirates, vikings, and knights ii\hl2.exe |
"{1AA107BF-E756-4911-8122-60A0F5F3FD7E}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{1BD39469-012E-453D-BD54-C03F112DA170}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\grand theft auto iv\rgsc\rgsclauncher.exe |
"{289954F0-2FC6-4A8B-9C64-266ED6D4882E}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{29E4AAE2-D907-4C3A-B1A2-45B43B97F777}" = protocol=17 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{2A021095-14BC-4BCA-BEE7-BA69DB58C349}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\medieval ii total war\launcher.exe |
"{2E409F52-EF1E-4B79-9949-2B6293AEBD2A}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\empire total war\empire.exe |
"{303BB84D-07C4-4054-AB65-E4908731D591}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{34A16EF6-B91C-4573-AA86-790F08C11759}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\majesty 2\majesty2.exe |
"{35F2FF4A-9ED0-407E-A4F0-50A56552A0E2}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\sid meier's civilization iv beyond the sword\beyond the sword\civ4beyondsword.exe |
"{37FEB452-5F53-429D-9BDA-6934F67F0D08}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{3CAA82ED-380B-400D-BB09-762FFE9B956B}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\grand theft auto iv\gtaiv\launchgtaiv.exe |
"{3DEC2BDE-9803-40B2-9685-44D0F9571781}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{41DEDF3F-2CE5-42C4-942D-8795B7C4AB35}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\grand theft auto iv\gtaiv\gtaiv.exe |
"{4239C9FF-06EE-4759-B77D-9E133C1FB101}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{43208F9C-445F-47A5-9346-D8FC76DDDE03}" = protocol=6 | dir=in | app=c:\program files\curse\curseclient.exe |
"{5108F01E-E5C3-42D8-8FF4-CCE183393189}" = protocol=17 | dir=in | app=c:\program files\microsoft games\age of empires iii\age3y.exe |
"{518B5FFF-02F3-4978-A303-5370AE6A2542}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\majesty 2\m2editor.exe |
"{52F92158-6EF5-48AC-90F3-DA54F2C254FA}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{547A511A-511F-4569-A066-693DA13602C0}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\red orchestra\system\redorchestra.exe |
"{54EFC82C-99CF-461F-B82C-3AB7560B9ACB}" = protocol=6 | dir=in | app=c:\program files\microsoft games\age of empires iii\age3y.exe |
"{55C03A8C-7F0A-4031-B125-7CF20592B3C5}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\company of heroes\reliccoh.exe |
"{5A7CC89F-645E-41E4-B5CD-F0700AC2A41E}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\majesty 2\majesty2.exe |
"{5BB9A526-8DF5-47D1-90FD-5245D5679EC2}" = protocol=6 | dir=in | app=c:\program files\ventrilo\ventrilo.exe |
"{5E0184BE-1C4E-4FEA-BC56-863AEFCDB8D5}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\instago@hotmail.com\counter-strike source\hl2.exe |
"{666A4CD4-04AD-46C1-AADB-CA174978D0D3}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{667E0F99-39D3-4650-9CD5-17BEF2270F44}" = protocol=6 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{70C410F2-53BD-4B07-962B-3843CD567FC3}" = protocol=6 | dir=in | app=c:\program files\electronic arts\battlefield bad company 2\bfbc2updater.exe |
"{7921B5C3-1278-4E44-8831-62F24003AE38}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\warhammer online age of reckoning\runme.exe |
"{7D2FA8CB-B5C2-4649-97B9-8198E965D312}" = protocol=6 | dir=in | app=c:\program files\ubisoft\ubisoft game launcher\ubisoftgamelauncher.exe |
"{80E30C8C-F7D7-4022-8316-7216979E600C}" = protocol=17 | dir=in | app=c:\program files\electronic arts\battlefield bad company 2\bfbc2updater.exe |
"{8D8EE2C4-C382-44CB-AA3D-0DAB679EE2FA}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\instago@hotmail.com\counter-strike source\hl2.exe |
"{8E2DFF16-6B98-49D3-9AA0-E48F105A0D9B}" = protocol=17 | dir=in | app=c:\program files\microsoft games\age of empires iii\age3x.exe |
"{97294357-393D-4530-8211-270DB55D798D}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\company of heroes\reliccoh.exe |
"{9B1BAA4B-B9D6-4AAD-A669-60934E6127B5}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\warhammer online age of reckoning\runme.exe |
"{9C9BB2B2-B68E-4879-BCE1-F8C2D28C54C3}" = protocol=6 | dir=in | app=c:\program files\ubisoft\tom clancy's splinter cell conviction\src\system\conviction_game.exe |
"{A0645E6A-7DAF-4153-BB86-5A3AC4577324}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{A2C354FC-D8A3-4C17-8519-45626C290C32}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\instago@hotmail.com\pirates, vikings, and knights ii\hl2.exe |
"{A35EED87-0F3D-4F37-B1FA-0B93764A3EBD}" = protocol=17 | dir=in | app=c:\program files\ubisoft\tom clancy's splinter cell conviction\src\system\conviction_game.exe |
"{A489FB78-F7B7-4A68-AFE6-0C548E88CF47}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{A492DEA8-598E-4C42-B6D0-D6396EAA6640}" = protocol=6 | dir=in | app=c:\program files\windsolutions\copytrans suite\copytrans.exe |
"{A86CA981-E029-4580-B0B1-92F7B142D18F}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\medieval ii total war\launcher.exe |
"{AA2F870C-7614-490D-9DC8-CBC33537837A}" = protocol=6 | dir=in | app=c:\program files\ubisoft\tom clancy's splinter cell conviction\src\system\gu.exe |
"{B8D37BDE-6F75-4C76-B3C7-B5D7D398B0C4}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\red orchestra\system\redorchestra.exe |
"{BB073208-1BF0-4BFE-8AA8-2B2D1D405711}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\grand theft auto iv\rgsc\rgsclauncher.exe |
"{BDDEBCF7-E174-4B3A-B01F-7FE9DFD6CF56}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\sid meier's civilization iv beyond the sword\beyond the sword\civ4beyondsword.exe |
"{CAA1E4A2-1725-4803-9705-B84418C9C4D1}" = protocol=17 | dir=in | app=c:\program files\ubisoft\tom clancy's splinter cell conviction\src\system\gu.exe |
"{CFB80ACC-24FE-4E99-AA58-1F1EC618CA60}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\grand theft auto iv\gtaiv\launchgtaiv.exe |
"{D14F2AB2-7B2F-4B21-A216-5A4A1F5A8602}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\grand theft auto iv\gtaiv\gtaiv.exe |
"{D24DB0A5-05F0-434A-A811-4A324D007732}" = protocol=17 | dir=in | app=c:\program files\electronic arts\battlefield bad company 2 - beta\bfbc2betaupdater.exe |
"{D7098302-4F3B-46C4-88D9-1D203A916E88}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\empire total war\empire.exe |
"{D72B0739-AA13-4C5A-B986-76297FFEC320}" = protocol=6 | dir=in | app=c:\program files\microsoft games\age of empires iii\age3x.exe |
"{D95D1376-1004-434E-A12C-9827B958FA89}" = protocol=17 | dir=in | app=c:\program files\curse\curseclient.exe |
"{ED816116-CFF1-459C-8707-D66615946870}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{F15AE86E-1635-4745-BA3E-A5CB2AE6CFB2}" = protocol=17 | dir=in | app=c:\program files\ventrilo\ventrilo.exe |
"{FA671EA9-7D61-44F1-B90C-3F0FD8FD14AE}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{FE3106D1-7B5A-4F6B-B881-5FD357C196A2}" = protocol=6 | dir=in | app=c:\program files\electronic arts\battlefield bad company 2 - beta\bfbc2betaupdater.exe |
"{FFEB7E8A-E789-4607-B2E5-6961EDB442ED}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\dawn of war 2\dow2.exe |
"TCP Query User{7525E5D6-397E-44D4-BA3D-BAADDD75179C}C:\program files\steam\steam.exe" = protocol=6 | dir=in | app=c:\program files\steam\steam.exe |
"TCP Query User{91A3F5BE-7A4A-4C9F-86D4-0AD05E07F588}C:\program files\firaxis games\sid meier's civilization 4\beyond the sword\civ4beyondsword.exe" = protocol=6 | dir=in | app=c:\program files\firaxis games\sid meier's civilization 4\beyond the sword\civ4beyondsword.exe |
"TCP Query User{A74BEB7B-0AA7-4242-8B96-9E8EA24FCEDF}C:\program files\steam\steamapps\distortedwaffle\counter-strike source\hl2.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\distortedwaffle\counter-strike source\hl2.exe |
"UDP Query User{6AABEC74-12CE-41F6-BF40-1C08F89B42F6}C:\program files\steam\steam.exe" = protocol=17 | dir=in | app=c:\program files\steam\steam.exe |
"UDP Query User{8125A11B-56EA-44FE-8F91-32D08B39C51C}C:\program files\firaxis games\sid meier's civilization 4\beyond the sword\civ4beyondsword.exe" = protocol=17 | dir=in | app=c:\program files\firaxis games\sid meier's civilization 4\beyond the sword\civ4beyondsword.exe |
"UDP Query User{A05EF182-7021-4757-8008-F4B9856D7736}C:\program files\steam\steamapps\distortedwaffle\counter-strike source\hl2.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\distortedwaffle\counter-strike source\hl2.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00C5F4F4-62F9-40D7-8000-AD8A9CD0C669}" = Microsoft Games for Windows - LIVE Redistributable
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{063E409E-3D7C-4A4A-95AB-2F124B9224B3}" = ArcSoft PhotoImpression 6
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1C08A24C-B168-407E-A826-68FAF5F20710}" = Age of Empires III - The WarChiefs
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 20
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{3AC8457C-0385-4BEA-A959-E095F05D6D67}" = Battlefield: Bad Company™ 2
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{5DE1B7CF-7429-40CA-987F-6BEE09B63787}" = Prime95
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D8DDB4A-C263-40DE-BA16-AFDAD159D59A}" = Tom Clancy's Splinter Cell Conviction
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel(R) PRO Network Connections 12.1.12.0
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III
"{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C69A537-1CED-4863-BB30-FB566217528C}" = Stanford University
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager
"{91120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95774351-6087-3A3B-8CA8-70BEE49D2BD5}" = Google Gears
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A1C962E2-2426-49C6-A38B-9A07E40D607C}" = Microsoft Games for Windows - LIVE
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A746CE98-A755-4AD7-B4B8-346DC74CDECD}" = OVT Scanner
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{C43C1415-3DFC-4089-9A32-0BECF28A6046}" = Age of Empires III - The Asian Dynasties
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D5A9DA4B-E4F9-FB49-017D-769FC540F1F0}" = EA Download Manager UI
"{DCAF959E-BE84-4E56-91B1-3E962AED5BF4}" = Dolby Control Center Link
"{DEA314C4-0929-4250-BC92-98E4C105F28D}" = NVIDIA PhysX
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F1CBC6F7-D82D-4DC5-B81C-9A14F418593A}_is1" = WC3Banlist
"{F54AC413-D2C6-4A24-B324-370C223C6250}" = Adobe Photoshop Elements 6.0
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"7-Zip" = 7-Zip 4.65
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 6" = Adobe Photoshop Elements 6.0
"Blitzkrieg" = Blitzkrieg Mod
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"com.ea.Vault.919CACB699904AC5D41B606703500DD39747C02D.1" = EA Download Manager UI
"Diablo II" = Diablo II
"Download Manager" = Download Manager 2.3.7
"EA Download Manager" = EA Download Manager
"HECI" = Intel® Management Engine Interface
"HijackThis" = HijackThis 1.99.1
"Hijackthis_is1" = Hijackthis 1.99.1
"hon" = Heroes of Newerth
"InstallShield_{1C08A24C-B168-407E-A826-68FAF5F20710}" = Age of Empires III - The WarChiefs
"InstallShield_{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III
"InstallShield_{C43C1415-3DFC-4089-9A32-0BECF28A6046}" = Age of Empires III - The Asian Dynasties
"LastFM_is1" = Last.fm 1.5.4.24567
"Launchy_21344213_is1" = Launchy 2.1.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"Mozilla Firefox (3.0.14)" = Mozilla Firefox (3.0.14)
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"Picasa 3" = Picasa 3
"PodUtil_is1" = PodUtil 2.5.2
"PROR" = Microsoft Office Professional 2007
"PROSetDX" = Intel(R) PRO Network Connections 12.1.12.0
"PunkBusterSvc" = PunkBuster Services
"RealPlayer 6.0" = RealPlayer
"SSIII Solo Ultratus" = SSIII Solo Ultratus 1.1
"Starcraft" = Starcraft
"Steam App 10500" = Empire: Total War
"Steam App 1200" = Red Orchestra
"Steam App 12210" = Grand Theft Auto IV
"Steam App 15620" = Warhammer 40,000: Dawn of War II
"Steam App 17570" = Pirates, Vikings, and Knights II
"Steam App 240" = Counter-Strike: Source
"Steam App 25980" = Majesty 2
"Steam App 4780" = Medieval II: Total War - Kingdoms
"Steam App 8800" = Sid Meier's Civilization IV: Beyond the Sword
"Steam App 9340" = Company of Heroes: Opposing Fronts
"UltSounds" = Windows Sound Schemes
"UltSounds2" = Ultimate Extras sounds from Microsoft® Tinker™
"VirtualCloneDrive" = VirtualCloneDrive
"VLC media player" = VLC media player 1.0.5
"Warcraft III" = Warcraft III
"WinPcapInst" = WinPcap 4.0.2
"WinRAR archiver" = WinRAR archiver
"World of Warcraft" = World of Warcraft

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1850265421-2837915182-2937492470-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"090215de958f1060" = Curse Client
"Google Chrome" = Google Chrome
"HuluDesktop" = Hulu Desktop
"Stainless_Steel_6.0_Part1of2" = Stainless_Steel_6.0_Part1of2
"Stainless_Steel_6.0_Part2of2" = Stainless_Steel_6.0_Part2of2
"Third Age - Total War 1.0 Part1" = Third Age - Total War 1.0 Part1
"Third Age - Total War 1.0 Part2" = Third Age - Total War 1.0 Part2
"Third Age - Total War Hotfix1" = Third Age - Total War Hotfix1
"Third Age - Total War Patch 1.1" = Third Age - Total War Patch 1.1
"Third Age - Total War Patch 1.2" = Third Age - Total War Patch 1.2
"Third Age - Total War Patch 1.3" = Third Age - Total War Patch 1.3
"Third Age - Total War Patch 1.4" = Third Age - Total War Patch 1.4

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/28/2010 1:45:07 PM | Computer Name = Deeling-PC | Source = Perflib | ID = 1010
Description =

Error - 7/28/2010 1:45:07 PM | Computer Name = Deeling-PC | Source = PerfNet | ID = 2004
Description =

Error - 7/28/2010 1:45:38 PM | Computer Name = Deeling-PC | Source = LoadPerf | ID = 3002
Description =

Error - 7/28/2010 2:41:22 PM | Computer Name = Deeling-PC | Source = EventSystem | ID = 4609
Description =

Error - 7/28/2010 2:41:52 PM | Computer Name = Deeling-PC | Source = WinMgmt | ID = 10
Description =

Error - 7/28/2010 2:45:04 PM | Computer Name = Deeling-PC | Source = LoadPerf | ID = 3002
Description =

Error - 7/30/2010 2:44:58 PM | Computer Name = Deeling-PC | Source = EventSystem | ID = 4609
Description =

Error - 7/30/2010 2:45:31 PM | Computer Name = Deeling-PC | Source = WinMgmt | ID = 10
Description =

Error - 7/30/2010 2:48:43 PM | Computer Name = Deeling-PC | Source = LoadPerf | ID = 3002
Description =

Error - 7/30/2010 2:58:12 PM | Computer Name = Deeling-PC | Source = EventSystem | ID = 4609
Description =

[ OSession Events ]
Error - 6/28/2009 6:33:59 PM | Computer Name = Deeling-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 4
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/16/2009 2:52:59 PM | Computer Name = Deeling-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 5
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/25/2009 9:59:17 AM | Computer Name = Deeling-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 7
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 7/30/2010 2:44:58 PM | Computer Name = Deeling-PC | Source = DCOM | ID = 10005
Description =

Error - 7/30/2010 2:45:31 PM | Computer Name = Deeling-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 7/30/2010 2:45:31 PM | Computer Name = Deeling-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 7/30/2010 2:48:15 PM | Computer Name = Deeling-PC | Source = DCOM | ID = 10005
Description =

Error - 7/30/2010 2:58:06 PM | Computer Name = Deeling-PC | Source = DCOM | ID = 10005
Description =

Error - 7/30/2010 2:58:12 PM | Computer Name = Deeling-PC | Source = DCOM | ID = 10005
Description =

Error - 7/30/2010 2:58:14 PM | Computer Name = Deeling-PC | Source = DCOM | ID = 10005
Description =

Error - 7/30/2010 2:58:14 PM | Computer Name = Deeling-PC | Source = DCOM | ID = 10005
Description =

Error - 7/30/2010 2:58:14 PM | Computer Name = Deeling-PC | Source = DCOM | ID = 10005
Description =

Error - 7/30/2010 8:58:07 PM | Computer Name = Deeling-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 6:56:05 PM on 7/30/2010 was unexpected.


< End of report >
strelet007
Regular Member
 
Posts: 37
Joined: July 20th, 2010, 1:46 pm

Re: HijackThis log =( - got a normal HJT log

Unread postby strelet007 » July 31st, 2010, 12:16 am

(safe mode scan)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4372

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18928

7/30/2010 8:13:37 PM
mbam-log-2010-07-30 (20-13-37).txt

Scan type: Full scan (C:\|)
Objects scanned: 412840
Time elapsed: 1 hour(s), 4 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
strelet007
Regular Member
 
Posts: 37
Joined: July 20th, 2010, 1:46 pm

Re: HijackThis log =( - got a normal HJT log

Unread postby Jack&Jill » July 31st, 2010, 12:08 pm

Hello strelet007 :),

Please do the following in Normal mode.

For Windows Vista or Windows 7, please use right click and select Run as administrator instead of double click to run all the tools I ask you to, or they may not work properly.

Please download FixPolicies© by Bill Castner and save it to your desktop. Click here.
  • Double click on FixPolicies.exe to run the self extracting archive.
  • Click the Install button and a new folder named FixPolicies will be created.
  • Go into the folder and then double click the file Fix_Policies.cmd.
  • A black box will briefly appear and then close.

This fix may only be temporary because active malware can revert the changes on your next startup. You may rerun it again as necessary.

--------------------

Now, try Rootkit Unhooker again and post back its log.
Jack&Jill
MRU Emeritus
 
Posts: 2284
Joined: August 19th, 2008, 5:37 am
Location: South East Asia
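The reply above explains why a policy fix can be undone: if something still running re-applies the restrictions at startup, the symptoms return. The script below is an added PowerShell example for checking that, not code from the thread and not part of FixPolicies. It assumes the restrictions behind these symptoms are the standard Windows policy values under Policies\System and Policies\Explorer (DisableRegistryTools, DisableTaskMgr, NoRun, NoControlPanel, NoFolderOptions); the thread does not say which values FixPolicies resets, so that mapping is an assumption. It only reads the registry, writes a baseline file under %TEMP%, and on later runs reports any policy that was clear before and is enabled again.

```powershell
# Added example, not from the thread or from FixPolicies: read-only audit of the Windows
# restriction policies that typically block regedit, Task Manager, the Run box and
# Control Panel. Run in an elevated PowerShell (right click, Run as administrator).
# Assumption: these are the values the fix in the thread works on; the thread itself
# does not list them.
$checks = @(
    @{ Hive = 'HKCU'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Hive = 'HKCU'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Hive = 'HKCU'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' },
    @{ Hive = 'HKCU'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel' },
    @{ Hive = 'HKCU'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Hive = 'HKLM'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Hive = 'HKLM'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Hive = 'HKLM'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' },
    @{ Hive = 'HKLM'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel' }
)

function Get-RestrictionPolicyState {
    # One object per checked value. Present = the value exists at all;
    # Enabled = it is a non-zero DWORD, i.e. the restriction is in force.
    foreach ($c in $checks) {
        $path  = "$($c.Hive):\$($c.Key)"
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        [pscustomobject]@{
            Path    = $path
            Name    = $c.Name
            Present = ($null -ne $value)
            Enabled = (($null -ne $value) -and ([int]$value -ne 0))
        }
    }
}

# Baseline file so a second run (after a reboot) can be compared with the first.
$baseline = Join-Path $env:TEMP 'policy-audit-baseline.xml'

$state = Get-RestrictionPolicyState
$state | Format-Table -AutoSize

$active = @($state | Where-Object { $_.Enabled })
if ($active.Count -gt 0) {
    Write-Output "Active restriction policies: $($active.Count)"
} else {
    Write-Output 'No restriction policies are active.'
}

if (Test-Path $baseline) {
    $previous = Import-Clixml $baseline
    # A value that was clear at the last run and is enabled now has been re-applied
    # since then, which is the 'reverts on your next startup' behaviour described above.
    foreach ($now in $state) {
        $was = $previous | Where-Object { $_.Path -eq $now.Path -and $_.Name -eq $now.Name }
        if ($was -and -not $was.Enabled -and $now.Enabled) {
            Write-Warning "$($now.Path)\$($now.Name) was clear at the last run and is enabled again"
        }
    }
}

# Save the current state as the baseline for the next run.
$state | Export-Clixml $baseline
```

Run it once right after the fix, reboot, and run it again: a warning on the second run means a policy came back on its own, which is the sign the helper describes that something active is still re-applying it and the log they asked for next is the right step. The script changes nothing; FixPolicies remains the tool that clears the values.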