Warepire
Everything posted by Warepire

  1. The clean-up steps are now done; you have my deepest thanks for helping me with my problem. I'll probably purchase the full version of MBAM to assist AntiVir with keeping my PC safe.
  2. This BSOD can be "decrypted" using the second parameter, 0xE; this means the device specified was not found. I had this BSOD once during the summer... it was my hard drive that had started to fail. But others have also reported that RAM modules can cause these problems. This may not be the reason for your problems, but it's a good idea to check it. I suggest that you run some kind of HD diagnostics program (I like SeaTools). Do a full scan; don't run any other programs while scanning, as it can mess up the detection of bad blocks. Also run Memtest86+ (use the bootable ISO download): burn the ISO with your favorite burning program, reboot and boot from the CD, and let it run at least 10 passes. Sometimes RAM can be "dodgy", so you may want to run the test for each stick individually [only having one RAM stick in the PC at the time]. Whenever touching stuff inside your PC, remember to ground yourself, either by touching a radiator (electrical radiators don't count) or by using an ESD bracelet / carpet.
  3. No re-infection yet; here's to hoping I am clean. Your assistance has been deeply appreciated. Now, I believe this topic can be closed.
  4. If I get another relapse of this I'll post an OTL log... Thank you so much for all your assistance and patience. I am deeply grateful. Please keep this thread open for about a week.
  5. I have been trying to find a pattern, but there is none. The only site I had visited at all 4 times that this has come back is www.thelocal.se... but I go there ~2 times a day, so by my logic I would get infected a lot more often if that site was the cause... IF I am getting re-infected, the most logical reason in my book is that an infected advertisement that is used by several sites is causing this problem. Here is the listing for C:\WINDOWS\Tasks:

C:\WINDOWS\Tasks>dir
 Volume in drive C is System
 Volume Serial Number is EC43-8855

 Directory of C:\WINDOWS\Tasks

2010-10-23 02:45 32
  6. Sorry for the double posting... here is the AntiVir report from the most recent return of the malware; I forgot to post it before I pressed Add Reply:

Avira AntiVir Personal
Report file date: den 20 oktober 2010 02:19

Scanning for 2944784 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP x64 Edition
Windows version : (Service Pack 2) [5.2.3790]
Boot mode : Normally booted
Username : SYSTEM
Computer name : MINION

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 11:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 11:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 17:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/10/2010 22:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 08:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 18:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 16:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 15:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 10:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 20:00:59
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 20:01:03
VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 10:43:04
VBASE008.VDF : 7.10.11.133 3454464 Bytes 9/13/2010 20:14:07
VBASE009.VDF : 7.10.11.134 2048 Bytes 9/13/2010 20:14:07
VBASE010.VDF : 7.10.11.135 2048 Bytes 9/13/2010 20:14:07
VBASE011.VDF : 7.10.11.136 2048 Bytes 9/13/2010 20:14:07
VBASE012.VDF : 7.10.11.137 2048 Bytes 9/13/2010 20:14:07
VBASE013.VDF : 7.10.11.165 172032 Bytes 9/15/2010 09:24:56
VBASE014.VDF : 7.10.11.202 144384 Bytes 9/18/2010 09:52:32
VBASE015.VDF : 7.10.11.231 129024 Bytes 9/21/2010 09:52:33
VBASE016.VDF : 7.10.12.4 126464 Bytes 9/23/2010 14:00:05
VBASE017.VDF : 7.10.12.38 146944 Bytes 9/27/2010 17:00:56
VBASE018.VDF : 7.10.12.64 133120 Bytes 9/29/2010 09:51:07
VBASE019.VDF : 7.10.12.99 134144 Bytes 10/1/2010 13:14:27
VBASE020.VDF : 7.10.12.122 131584 Bytes 10/5/2010 11:45:29
VBASE021.VDF : 7.10.12.148 119296 Bytes 10/7/2010 11:44:46
VBASE022.VDF : 7.10.12.175 142848 Bytes 10/11/2010 16:20:40
VBASE023.VDF : 7.10.12.198 131584 Bytes 10/13/2010 12:07:00
VBASE024.VDF : 7.10.12.216 133120 Bytes 10/14/2010 16:21:40
VBASE025.VDF : 7.10.12.238 137728 Bytes 10/18/2010 14:49:06
VBASE026.VDF : 7.10.12.239 2048 Bytes 10/18/2010 14:49:06
VBASE027.VDF : 7.10.12.240 2048 Bytes 10/18/2010 14:49:06
VBASE028.VDF : 7.10.12.241 2048 Bytes 10/18/2010 14:49:06
VBASE029.VDF : 7.10.12.242 2048 Bytes 10/18/2010 14:49:06
VBASE030.VDF : 7.10.12.243 2048 Bytes 10/18/2010 14:49:06
VBASE031.VDF : 7.10.12.244 2048 Bytes 10/18/2010 14:49:06
Engineversion : 8.2.4.82
AEVDF.DLL : 8.1.2.1 106868 Bytes 8/19/2010 13:23:04
AESCRIPT.DLL : 8.1.3.45 1368443 Bytes 9/18/2010 09:46:47
AESCN.DLL : 8.1.6.1 127347 Bytes 7/8/2010 20:01:15
AESBX.DLL : 8.1.3.1 254324 Bytes 7/8/2010 20:01:16
AERDL.DLL : 8.1.9.2 635252 Bytes 9/24/2010 14:00:07
AEPACK.DLL : 8.2.3.11 471416 Bytes 10/12/2010 16:20:45
AEOFFICE.DLL : 8.1.1.8 201081 Bytes 7/22/2010 11:58:47
AEHEUR.DLL : 8.1.2.35 2961784 Bytes 10/16/2010 16:21:43
AEHELP.DLL : 8.1.14.0 246134 Bytes 10/12/2010 16:20:42
AEGEN.DLL : 8.1.3.23 401779 Bytes 10/2/2010 13:14:31
AEEMU.DLL : 8.1.2.0 393588 Bytes 7/8/2010 20:01:10
AECORE.DLL : 8.1.17.0 196982 Bytes 9/25/2010 21:44:58
AEBB.DLL : 8.1.1.0 53618 Bytes 7/8/2010 20:01:09
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 11:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 11:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 15:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 11:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 11:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 11:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 08:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 11:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 14:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 13:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 12:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 13:14:29

Configuration settings for the scan:
Jobname.............................: avguard_async_scan
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_d6831b51\guard_slideup.avp
Logging.............................: low
Primary action......................: repair
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: off
Process scan........................: on
Scan registry.......................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: high

Start of the scan: den 20 oktober 2010 02:19

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'SpybotSD.exe' - '1' Module(s) have been scanned
Scan process 'foobar2000.exe' - '1' Module(s) have been scanned
Scan process 'miranda32.exe' - '1' Module(s) have been scanned
Scan process 'CTXFISPI.EXE' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'CTXFIHLP.EXE' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'DTLite.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'ToolTipFixer.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'FileZilla Server.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'CTAudSvc.exe' - '1' Module(s) have been scanned

Starting the file scan:

Begin scan in 'C:\Documents and Settings\Warepire\Local Settings\Temp\Ggw.exe'
C:\Documents and Settings\Warepire\Local Settings\Temp\Ggw.exe
[DETECTION] Is the TR/Crypt.EPACK.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '491b976b.qua'.

End of the scan: den 20 oktober 2010 02:19
Used time: 00:07 Minute(s)

The scan has been done completely.

0 Scanned directories
18 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
17 Files not concerned
0 Archives were scanned
0 Warnings
1 Notes
The scan results will be transferred to the Guard.
  7. The last infection was immediately stopped by AntiVir (I had increased the process security for the program to Resistant; before that, the infection stopped AntiVir)... so I don't have a log from the last infection (which was on the 20th). But here is the log from the infection prior to the final one (on the 14th):

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4825

Windows 5.2.3790 Service Pack 2
Internet Explorer 6.0.3790.1830

2010-10-14 23:32:47
mbam-log-2010-10-14 (23-32-47).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 165041
Time elapsed: 10 minute(s), 48 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
C:\Documents and Settings\Warepire\Local Settings\Temp\Ggy.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\KOO9RV9K4Z (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SMH2B46TDP (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koo9rv9k4z (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Warepire\Local Settings\Temp\Ggy.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Warepire\Local Settings\Temp\Ggv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Warepire\Local Settings\Temp\renmsxwaoc.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SysWOW64\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Warepire\Local Settings\Temp\Ggx.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
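A triage helper for an MBAM log like the one in the post above, added here as an example; it is not code from the thread's participants or from Malwarebytes. It parses the "path (Detection) -> action" lines that MBAM 1.x emits, groups each hit by the persistence or staging mechanism it represents (Run value, service key, scheduled-task .job, drop in a Temp directory), flags .job files named only by a GUID (the pattern Warepire describes later in the thread as "an ID that is never the same"), and lists items MBAM could only mark "Delete on reboot". The embedded sample log is a constructed subset of the lines posted above; the function names, the classification rules and the GUID-job check are assumptions made for illustration.

```python
"""Triage a Malwarebytes' Anti-Malware (MBAM 1.x) log for persistence indicators.

Added example for this thread, not code from the thread or from Malwarebytes.
Function names, classification rules and the GUID-job check are assumptions.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Constructed sample: a subset of the lines from the MBAM log posted above.
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\Documents and Settings\Warepire\Local Settings\Temp\Ggy.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\KOO9RV9K4Z (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koo9rv9k4z (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Warepire\Local Settings\Temp\renmsxwaoc.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
"""


@dataclass(frozen=True)
class Hit:
    path: str        # file path, or registry key/value
    detection: str   # MBAM family name, e.g. Trojan.Downloader
    action: str      # what MBAM did, without the trailing period


# "<path> (<Detection>) -> <action>."  The path group is greedy, so the LAST
# "(...)" before the arrow is taken as the detection; paths may contain "(x86)".
_HIT_RE = re.compile(r"^(?P<path>.+) \((?P<det>[^()]+)\) -> (?P<action>.+?)\.?$")

# A Task Scheduler 1.0 job whose whole file name is a bare {GUID}.
_GUID_JOB_RE = re.compile(
    r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.job$", re.IGNORECASE)


def parse_mbam_log(text: str) -> list[Hit]:
    """Return one Hit per detection line; section headers and counters are skipped."""
    hits: list[Hit] = []
    for line in text.splitlines():
        m = _HIT_RE.match(line.strip())
        if m:
            hits.append(Hit(m["path"], m["det"], m["action"]))
    return hits


def is_guid_job(path: str) -> bool:
    name = path.rsplit("\\", 1)[-1]
    return _GUID_JOB_RE.match(name) is not None


def classify(hit: Hit) -> str:
    """Map a hit to the persistence/staging mechanism it represents (assumed rules)."""
    p = hit.path.lower()
    if "\\currentversion\\run\\" in p or "\\currentversion\\runonce\\" in p:
        return "autorun"            # Run / RunOnce value: starts at logon
    if "\\currentcontrolset\\services\\" in p:
        return "service"            # service or driver registration
    if p.endswith(".job"):
        return "task-guid" if is_guid_job(hit.path) else "task"
    if "\\temp\\" in p:
        return "temp-drop"          # payload staged in a Temp directory
    if "\\system32\\" in p or "\\syswow64\\" in p:
        return "system-dir"
    return "other"


def pending_reboot(hit: Hit) -> bool:
    """True when MBAM could not remove the item in-session (still loaded/locked)."""
    return hit.action.lower() == "delete on reboot"


def triage(text: str) -> dict:
    hits = parse_mbam_log(text)
    by_class: dict[str, list[str]] = {}
    for h in hits:
        by_class.setdefault(classify(h), []).append(h.path)
    return {
        "total": len(hits),
        "by_class": by_class,
        "pending_reboot": [h.path for h in hits if pending_reboot(h)],
        "guid_jobs": [h.path for h in hits if classify(h) == "task-guid"],
    }


if __name__ == "__main__":
    # Usage: python mbam_triage.py [mbam-log.txt]; without a path the sample is used.
    text = Path(sys.argv[1]).read_text(encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    report = triage(text)
    print(f"{report['total']} detections")
    for kind, paths in sorted(report["by_class"].items()):
        print(f"[{kind}]")
        for path in paths:
            print("   ", path)
    print("pending reboot:", report["pending_reboot"])
    print("GUID-named .job files:", report["guid_jobs"])
```

The "pending reboot" list is the part worth acting on: those are the files that were still loaded when MBAM ran (here the sshnas21.dll module), so they are the first thing to re-check after the restart. The GUID-job check is deliberately strict, because legitimate .job files normally carry a product name; a task whose only name is a GUID is not proof of infection on its own, but it is cheap to enumerate and matches what this thread saw on every recurrence.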
  8. Alright, I did however just realize I still have the files in MBAM's quarantine from the last infection... Let me know if you wish to take a look at them (in case that would be of any help). Otherwise, please keep the thread open; it may be up to a week before the infection returns.
  9. The scanning completed and reported that I am clean... just like AntiVir and MBAM do between re-appearances of this thing.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ebaf210aeab307489f58406392b5c1a3
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-22 05:10:00
# local_time=2010-10-22 07:10:00 (+0100, W. Europe Daylight Time)
# country="Sweden"
# lang=1033
# osver=5.2.3790 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775125 100 93 149625 46859589 146212 0
# compatibility_mode=8192 67108863 100 0 622 622 0 0
# scanned=40538
# found=0
# cleaned=0
# scan_time=904
  10. It's a little hard to tell, because the infection goes unnoticed after MBAM and AntiVir "remove" it... then it comes back out of nowhere after a while (about a week). But I am crossing my fingers that it has been taken care of. Thanks for the help (so far); it's deeply appreciated.
  11. Ran that OTL fix and here is the log produced:

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 413308 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes

User: Warepire
->Temp folder emptied: 23547240 bytes
->Temporary Internet Files folder emptied: 82042250 bytes
->Java cache emptied: 10793872 bytes
->Opera cache emptied: 12932 bytes
->Flash cache emptied: 120265 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2168024 bytes
%systemroot%\System32 .tmp files removed: 202409 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 31629108 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 144,00 mb

OTL by OldTimer - Version 3.2.16.0 log created on 10212010_230235

Files\Folders moved on Reboot...
Registry entries deleted on Reboot...
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...

The system, however, felt compelled to blue screen after the reboot, and I noticed I had forgotten to set the "don't reboot on blue screen" flag, so I was unable to catch the error... I hope, however, that this screenshot of the "Windows recovered from a problem" message contains useful information: The blue screen happened only once... but I believe it was not supposed to happen under "normal" conditions. (Installing jre-6u22 as I type this.)
  12. Hi Elise. Thank you for taking time for my problem. The problem in detail is a bit difficult to give you, because I don't know myself how I got this infection (I only use the infected computer to code, browse programming forums and read the news). But when the infection takes hold of the computer I have Google redirects and random Internet Explorer popups (I browse the internet with Opera; I mostly use their beta builds because I hobby-test those for the Opera team). If the infection has taken hold of the computer, only MBAM can stop it... but it seems to cripple it more than remove it, because it returns about 5-7 days later, and always at the exact moment that I shut down my browser. The files found and neutralized by MBAM are the Gg*.exe file I described in the opening post and a .job file which doesn't really have a name; it's more like an ID that is never the same. Example from the last "disinfection": {35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job. And before you ask, the disabled Security Center is my own doing, not the infection. The little red balloon telling me Windows Update is not configured properly drives me mad (I have it set to install updates at shutdown instead of immediately after download). I was unable to make a Rootkit Unhooker log; the program crashed with the error (I tried to rename it to explorer.exe and svchost.exe, but there was no difference): Do note that I have Windows XP Professional 64-bit and not Windows Server 2003 as reported.
The OTL scan went better and it produced these logs. From OTL.txt:

OTL logfile created on: 2010-10-21 20:54:05 - Run 1
OTL by OldTimer - Version 3.2.16.0     Folder = C:\Documents and Settings\Warepire\Desktop
64bit-Windows Server 2003 Service Pack 2 (Version = 5.2.3790) - Type = NTWorkstation
Internet Explorer (Version = 6.0.3790.1830)
Locale: 0000041D | Country: Sweden | Language: SVE | Date Format: yyyy-MM-dd

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 72,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 85,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 74,52 Gb Total Space | 65,77 Gb Free Space | 88,26% Space Free | Partition Type: NTFS
Drive D: | 465,76 Gb Total Space | 382,59 Gb Free Space | 82,14% Space Free | Partition Type: NTFS

Computer Name: MINION | User Name: Warepire | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 90 Days

========== Processes (SafeList) ==========

PRC - [2010-10-21 20:34:02 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Warepire\Desktop\OTL.exe
PRC - [2010-09-16 17:37:30 | 000,824,176 | ---- | M] (Opera Software) -- C:\Program Files (x86)\Opera\opera.exe
PRC - [2010-07-01 22:24:44 | 000,785,503 | ---- | M] ( ) -- C:\Applications\Internet\Miranda-IM\miranda32.exe
PRC - [2010-04-01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Applications\Security\Avira\AntiVir Desktop\avguard.exe
PRC - [2010-04-01 11:16:20 | 000,357,696 | ---- | M] (DT Soft Ltd) -- C:\Applications\CD & ISO\DAEMON Tools Lite\DTLite.exe
PRC - [2010-03-02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Applications\Security\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010-02-24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Applications\Security\Avira\AntiVir Desktop\sched.exe
PRC - [2010-01-14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Applications\Security\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009-12-31 01:24:34 | 000,703,488 | ---- | M] (FileZilla Project) -- C:\Applications\Internet\FileZilla Server\FileZilla server.exe
PRC - [2009-06-04 00:55:16 | 000,025,600 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\SysWOW64\Ctxfihlp.exe
PRC - [2009-06-04 00:49:56 | 001,213,440 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\SysWOW64\CTxfispi.exe
PRC - [2009-03-05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Applications\Security\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009-02-23 11:43:54 | 000,307,200 | ---- | M] (Creative Technology Ltd) -- C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
PRC - [2008-10-14 19:33:56 | 000,061,952 | ---- | M] (NeoSmart Technologies) -- C:\Program Files (x86)\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe

========== Modules (SafeList) ==========

MOD - [2010-10-21 20:34:02 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Warepire\Desktop\OTL.exe
MOD - [2010-09-07 18:04:52 | 001,051,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\wow64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770_x-ww_8D2E3180\comctl32.dll
MOD - [2007-02-18 11:05:38 | 000,177,152 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\MSCTFIME.IME
MOD - [2007-02-18 11:05:22 | 000,797,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\comres.dll
MOD - [2005-03-25 14:00:00 | 000,178,688 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\wbem\framedyn.dll

========== Win32 Services (SafeList) ==========

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\xmlprov.dll -- (xmlprov)
SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\wzcsvc.dll -- (WZCSVC)
SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\wuauserv.dll -- (wuauserv)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\advapi32.dll -- (Wmi)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\ups.exe -- (UPS)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\wdfmgr.exe -- (UMWdf)
SRV:64bit: - File not found [Disabled | Stopped] -- C:\WINDOWS\SysNative\tlntsvr.exe -- (TlntSvr)
SRV:64bit: - File not found [Auto | Stopped] -- C:\WINDOWS\SysNative\smlogsvc.exe -- (SysmonLog)
SRV:64bit: - File not found [Auto | Stopped] -- C:\WINDOWS\SysNative\srsvc.dll -- (srservice)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\SCardSvr.exe -- (SCardSvr)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\sessmgr.exe -- (RDSessMgr)
SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\services.exe -- (PlugPlay)
SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\nvsvc64.exe -- (nvsvc)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\ntmssvc.dll -- (NtmsSvc)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\netdde.exe -- (NetDDEdsdm)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\netdde.exe -- (NetDDE)
SRV:64bit: - File not found [Disabled | Stopped] -- C:\WINDOWS\SysNative\mnmsrvc.exe -- (mnmsrvc)
SRV:64bit: - File not found [Disabled | Stopped] -- C:\WINDOWS\SysNative\msgsvc.dll -- (Messenger)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\imapi.exe -- (ImapiService)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\w3ssl.dll -- (HTTPFilter)
SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\services.exe -- (Eventlog)
SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\ersvc.dll -- (ERSvc)
SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\dmserver.dll -- (dmserver)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\dmadmin.exe -- (dmadmin)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\clipsrv.exe -- (ClipSrv)
SRV:64bit: - File not found [Disabled | Stopped] -- C:\WINDOWS\SysNative\cisvc.exe -- (CiSvc)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - File not found [Disabled | Stopped] -- C:\WINDOWS\SysNative\alrsvc.dll -- (Alerter)
SRV - [2010-07-07 20:24:25 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
SRV - [2010-06-17 09:06:38 | 000,144,712 | ---- | M] (H+H Software GmbH) [Disabled | Stopped] -- C:\Applications\CD & ISO\Virtual CD v10\System\VC10SecS.exe -- (VC10SecS)
SRV - [2010-04-01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Applications\Security\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010-02-24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Applications\Security\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009-12-31 01:24:34 | 000,703,488 | ---- | M] (FileZilla Project) [Auto | Running] -- C:\Applications\Internet\FileZilla Server\FileZilla Server.exe -- (FileZilla Server)
SRV - [2009-02-23 11:43:54 | 000,307,200 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
SRV - [2008-10-14 19:33:56 | 000,061,952 | ---- | M] (NeoSmart Technologies) [Auto | Running] -- C:\Program Files (x86)\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe -- (ToolTipFixer)
SRV - [2008-07-25 11:17:02 | 000,069,632 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2007-02-17 00:44:20 | 000,077,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc)
SRV - [2005-03-25 14:00:00 | 000,039,424 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SysWOW64\wdfmgr.exe -- (UMWdf)

========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | System | Running] -- C:\WINDOWS\SysNative\DRIVERS\vdrv1000.sys -- (vdrv1000)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\wdmaud.sys -- (wdmaud)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\DRIVERS\vcd9bus.sys -- (vcd9bus)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\vcd10bus.sys -- (vcd10bus)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\update.sys -- (Update)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\sysaudio.sys -- (sysaudio)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\swmidi.sys -- (swmidi)
DRV:64bit: - File not found [File_System | Boot | Running] -- C:\WINDOWS\SysNative\DRIVERS\sr.sys -- (Sr)
DRV:64bit: - File not found [Kernel | Boot | Running] -- C:\WINDOWS\SysNative\Drivers\sptd.sys -- (sptd)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\splitter.sys -- (splitter)
DRV:64bit: - File not found [Kernel | System | Running] -- C:\WINDOWS\SysNative\DRIVERS\redbook.sys -- (redbook)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\raspti.sys -- (Raspti)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\ptilink.sys -- (Ptilink)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\psched.sys -- (PSched)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\ctoss2k.sys -- (ossrv)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\nvnetbus.sys -- (nvnetbus)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\NVENETFD.sys -- (NVENETFD)
DRV:64bit: - File not found [Kernel | Boot | Running] -- C:\WINDOWS\SysNative\DRIVERS\nvata64.sys -- (nvata64)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\nv4_mini.sys -- (nv)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\kmixer.sys -- (kmixer)
DRV:64bit: - File not found [Kernel | System | Running] -- C:\WINDOWS\SysNative\DRIVERS\ipsec.sys -- (IPSec)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\DRIVERS\ipinip.sys -- (IpInIp)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\DRIVERS\Ip6Fw.sys -- (Ip6Fw)
DRV:64bit: - File not found [Kernel | System | Running] -- C:\WINDOWS\SysNative\DRIVERS\imapi.sys -- (imapi)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\HH10Help.sys -- (HH10Help.sys)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\ha20x2k.sys -- (ha20x2k)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\msgpc.sys -- (Gpc)
DRV:64bit: - File not found [Kernel | Boot | Running] -- C:\WINDOWS\SysNative\DRIVERS\ftdisk.sys -- (Ftdisk)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\emupia2k.sys -- (emupia)
DRV:64bit: - File not found [Kernel | Boot | Running] -- C:\WINDOWS\SysNative\drivers\dmload.sys -- (dmload)
DRV:64bit: - File not found [Kernel | Boot | Running] -- C:\WINDOWS\SysNative\drivers\dmio.sys -- (dmio)
DRV:64bit: - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\SysNative\drivers\dmboot.sys -- (dmboot)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\CTHWIUT.SYS -- (CTHWIUT.SYS)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\CTHWIUT.SYS -- (CTHWIUT)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\CTEXFIFX.SYS -- (CTEXFIFX.SYS)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\CTEXFIFX.SYS -- (CTEXFIFX)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\ctac32k.sys -- (ctac32k)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\CT20XUT.SYS -- (CT20XUT.SYS)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\CT20XUT.SYS -- (CT20XUT)
DRV:64bit: - File not found [Kernel | Auto | Running] -- C:\WINDOWS\SysNative\DRIVERS\CdaD10BA.sys -- (CdaD10BA)
DRV:64bit: - File not found [Kernel | Auto | Running] -- C:\WINDOWS\SysNative\DRIVERS\CdaC15BA.sys -- (CdaC15BA)
DRV:64bit: - File not found [File_System | Auto | Running] -- C:\WINDOWS\SysNative\DRIVERS\avgntflt.sys -- (avgntflt)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\audstub.sys -- (audstub)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\DRIVERS\atmarpc.sys -- (Atmarpc)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\aec.sys -- (aec)
DRV - [2009-05-11 12:49:19 | 000,013,656 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Applications\Security\Avira\AntiVir Desktop\avgio64.sys -- (avgio)
DRV - [2006-12-04 11:09:04 | 000,084,480 | ---- | M] (Arc <arc.sourceforge.net>) [Kernel | Disabled | Stopped] -- C:\Applications\Archives\Universal Extractor\bin\arc.exe -- (arc)
DRV - [2005-03-25 14:00:00 | 000,033,792 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\SysWow64\mnmdd.dll -- (mnmdd)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1463431551-875748573-3134554072-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

Hosts file not found

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Applications\Security\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (IeMonitorBho Class) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Applications\Internet\MegaManager\MegaIEMn.dll (Megaupload Limited)
O2 - BHO: (Foxit Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKU\S-1-5-21-1463431551-875748573-3134554072-1002\..\Toolbar\WebBrowser: (Foxit Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O4:64bit: - HKLM..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\IMKR6_1\imekrmig.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\SysNative\NvCpl.DLL File not found
O4:64bit: - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe File not found
O4:64bit: - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\SysNative\NvMcTray.DLL File not found
O4:64bit: - HKLM..\Run: [PHIME2002A] C:\WINDOWS\SysNative\IME\TINTLGNT\TINTSETP.EXE File not found
O4:64bit: - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\SysNative\IME\TINTLGNT\TINTSETP.EXE File not found
O4 - HKLM..\Run: [avgnt] C:\Applications\Security\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CTxfiHlp] C:\WINDOWS\SysWow64\Ctxfihlp.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [FileZilla Server Interface] C:\Applications\Internet\FileZilla Server\FileZilla Server Interface.exe (FileZilla Project)
O4 - HKLM..\Run: [iMJPMIG8.1] C:\WINDOWS\IME (x86)\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\SysWow64\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\SysWow64\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-1463431551-875748573-3134554072-1002..\Run: [DAEMON Tools Lite] C:\Applications\CD & ISO\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKU\S-1-5-21-1463431551-875748573-3134554072-1002..\Run: [spybotSD TeaTimer] C:\Applications\Security\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\.DEFAULT..\RunOnce: [_nltide_3] C:\WINDOWS\SysWow64\advpack.dll (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found
O4 - HKU\S-1-5-18..\RunOnce: [_nltide_3] C:\WINDOWS\SysWow64\advpack.dll (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found
O4 - HKU\S-1-5-19..\RunOnce: [_nltide_3] C:\WINDOWS\SysWow64\advpack.dll (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [_nltide_3] C:\WINDOWS\SysWow64\advpack.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 177
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = FF 00 00 00 [binary data]
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuPinnedList = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = FF 00 00 00 [binary data]
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuPinnedList = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuPinnedList = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 -
HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255 O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1 O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1 O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1 O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuPinnedList = 1 O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1 O7 - HKU\S-1-5-21-1463431551-875748573-3134554072-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255 O7 - HKU\S-1-5-21-1463431551-875748573-3134554072-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1 O7 - HKU\S-1-5-21-1463431551-875748573-3134554072-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1 O7 - HKU\S-1-5-21-1463431551-875748573-3134554072-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuPinnedList = 1 O7 - HKU\S-1-5-21-1463431551-875748573-3134554072-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1 O7 - HKU\S-1-5-21-1463431551-875748573-3134554072-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0 O9:64bit: - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O9:64bit: - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) 
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Applications\Security\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16) O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found O18:64bit: - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - Reg Error: Key error. File not found O18:64bit: - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\SysNative\wiascr.dll File not found O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) 
O18:64bit: - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found O18:64bit: - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found O18:64bit: - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UIHost - (%SystemRoot%\system32\logonui.exe) - C:\WINDOWS\SysNative\logonui.exe File not found O20:64bit: - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - File not found O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: System - (lsass.exe) - File not found O20:64bit: - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - File not found O20:64bit: - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - File not found O20:64bit: - Winlogon\Notify\cscdll: DllName - cscdll.dll - File not found O20:64bit: - Winlogon\Notify\dimsntfy: DllName - dimsntfy.dll - File not found O20:64bit: - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found O20:64bit: - Winlogon\Notify\Schedule: DllName - wlnotify.dll - File not found O20:64bit: - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - File not found O20:64bit: - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - File not found O20:64bit: - Winlogon\Notify\termsrv: DllName - Reg Error: Key error. 
- File not found O20:64bit: - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - File not found O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - File not found O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - File not found O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - File not found O21:64bit: - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\SysNative\stobject.dll File not found O24 - Desktop WallPaper: C:\Documents and Settings\Warepire\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Documents and Settings\Warepire\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O28:64bit: - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - File not found O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2010-07-07 20:17:34 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 90 Days ========== [2010-10-21 20:33:57 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Warepire\Desktop\OTL.exe [2010-10-14 23:20:15 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\SysWow64\drivers\mbamswissarmy.sys [2010-09-30 12:43:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Local Settings\Application Data\Apple Computer [2010-09-28 02:37:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\Malwarebytes [2010-09-28 02:37:44 | 000,000,000 | ---D | C] -- 
C:\Documents and Settings\All Users\Application Data\Malwarebytes [2010-09-28 02:28:40 | 000,000,000 | ---D | C] -- C:\Program Files\Prevx [2010-09-28 00:54:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI [2010-09-26 00:39:17 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Warepire\UserData [2010-09-19 18:54:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss [2010-09-19 18:16:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Virtual CDs [2010-09-19 18:13:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\DAEMON Tools Lite [2010-09-19 18:13:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite [2010-09-19 16:05:48 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Warepire\Application Data\Virtual CD v10 [2010-09-19 16:05:48 | 000,000,000 | --SD | C] -- C:\Documents and Settings\All Users\Documents\Virtual CD v10 [2010-09-19 02:36:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\ScummVM [2010-09-17 23:24:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Skype [2010-09-17 20:28:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Local Settings\Application Data\AskToolbar [2010-09-16 13:43:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Warepire\My Documents\My Videos [2010-09-16 13:43:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos [2010-09-06 16:43:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\ImgBurn [2010-09-03 00:01:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump [2010-08-29 16:07:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Local Settings\Application Data\Canneverbe_Limited [2010-08-28 14:50:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\My Documents\CDBurnerXP Projects [2010-08-28 14:50:40 | 000,000,000 
| ---D | C] -- C:\Documents and Settings\Warepire\Application Data\Canneverbe_Limited [2010-08-28 13:42:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\My Documents\My Received Files [2010-08-25 16:13:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\Real [2010-08-25 15:35:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\OpenOffice.org [2010-08-25 13:43:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\Canneverbe Limited [2010-08-25 13:43:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited [2010-08-24 13:57:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun [2010-08-21 22:40:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\VBA-M [2010-08-21 22:39:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\Logs [2010-08-21 22:13:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\Media Player Classic [2010-08-21 14:45:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\skypePM [2010-08-21 13:58:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Intel [2009-06-04 00:57:38 | 000,060,928 | ---- | C] ( ) -- C:\WINDOWS\SysWow64\a3d.dll [3 C:\WINDOWS\SysWow64\*.tmp files -> C:\WINDOWS\SysWow64\*.tmp -> ] [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files - Modified Within 90 Days ========== [2010-10-21 20:34:07 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Warepire\Desktop\RKUnhookerLE.EXE [2010-10-21 20:34:02 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Warepire\Desktop\OTL.exe [2010-10-21 20:01:00 | 000,000,252 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job [2010-10-21 14:15:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010-10-17 02:55:36 | 000,000,984 | ---- | M] () -- C:\WINDOWS\imsins.BAK [2010-10-17 02:54:45 | 
000,541,770 | ---- | M] () -- C:\WINDOWS\SysWow64\PerfStringBackup.INI [2010-09-28 02:28:34 | 000,000,111 | ---- | M] () -- C:\WINDOWS\wininit.ini [2010-09-25 23:28:36 | 000,002,533 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Intel SSD Toolbox.lnk [2010-09-19 18:14:07 | 000,001,721 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DAEMON Tools Lite.lnk [2010-09-17 20:32:55 | 000,000,646 | ---- | M] () -- C:\Documents and Settings\Warepire\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera.lnk [2010-08-21 14:45:02 | 000,000,056 | -H-- | M] () -- C:\WINDOWS\SysWow64\ezsidmv.dat [3 C:\WINDOWS\SysWow64\*.tmp files -> C:\WINDOWS\SysWow64\*.tmp -> ] [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files Created - No Company Name ========== [2010-10-21 20:34:07 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Warepire\Desktop\RKUnhookerLE.EXE [2010-10-14 22:56:39 | 000,011,899 | ---- | C] () -- C:\Documents and Settings\Warepire\hs_err_pid2224.log [2010-09-27 19:42:40 | 000,000,111 | ---- | C] () -- C:\WINDOWS\wininit.ini [2010-09-25 22:44:25 | 000,011,998 | ---- | C] () -- C:\Documents and Settings\Warepire\hs_err_pid4328.log [2010-09-19 18:14:07 | 000,001,721 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DAEMON Tools Lite.lnk [2010-08-21 14:45:02 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\SysWow64\ezsidmv.dat [2010-08-21 13:58:08 | 000,002,533 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Intel SSD Toolbox.lnk [2010-07-07 23:16:27 | 000,056,320 | ---- | C] () -- C:\WINDOWS\SysWow64\iyvu9_32.dll [2010-07-07 23:13:39 | 000,085,504 | ---- | C] () -- C:\WINDOWS\SysWow64\ff_vfw.dll [2010-07-07 22:08:31 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI [2010-07-07 20:30:19 | 000,541,770 | ---- | C] () -- C:\WINDOWS\SysWow64\PerfStringBackup.INI [2009-08-03 00:21:54 | 000,197,912 | ---- | C] () -- C:\WINDOWS\SysWow64\physxcudart_20.dll [2009-08-03 00:21:54 | 000,058,648 | 
---- | C] () -- C:\WINDOWS\SysWow64\AgCPanelTraditionalChinese.dll [2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\SysWow64\AgCPanelSwedish.dll [2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\SysWow64\AgCPanelSpanish.dll [2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\SysWow64\AgCPanelSimplifiedChinese.dll [2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\SysWow64\AgCPanelPortugese.dll [2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\SysWow64\AgCPanelKorean.dll [2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\SysWow64\AgCPanelJapanese.dll [2009-08-03 00:21:52 | 000,058,648 | ---- | C] () -- C:\WINDOWS\SysWow64\AgCPanelGerman.dll [2009-08-03 00:21:52 | 000,058,648 | ---- | C] () -- C:\WINDOWS\SysWow64\AgCPanelFrench.dll [2009-06-04 01:37:08 | 000,021,093 | ---- | C] () -- C:\WINDOWS\SysWow64\instwdm.ini [2009-06-04 01:37:06 | 000,000,054 | ---- | C] () -- C:\WINDOWS\SysWow64\ctzapxx.ini [2009-06-04 00:55:20 | 000,002,560 | ---- | C] () -- C:\WINDOWS\SysWow64\CtxfiRes.dll [2009-05-27 09:49:00 | 000,000,285 | ---- | C] () -- C:\WINDOWS\SysWow64\kill.ini [2009-01-25 23:10:48 | 000,179,200 | ---- | C] () -- C:\WINDOWS\SysWow64\xvidvfw.dll [2009-01-09 01:01:22 | 000,629,760 | ---- | C] () -- C:\WINDOWS\SysWow64\xvidcore.dll [2007-02-18 11:05:48 | 000,276,992 | ---- | C] () -- C:\WINDOWS\SysWow64\sbe.dll [2007-02-18 11:05:46 | 001,278,464 | ---- | C] () -- C:\WINDOWS\SysWow64\quartz.dll [2007-02-18 11:05:46 | 000,512,512 | ---- | C] () -- C:\WINDOWS\SysWow64\qedit.dll [2007-02-18 11:05:46 | 000,385,536 | ---- | C] () -- C:\WINDOWS\SysWow64\qdvd.dll [2007-02-18 11:05:46 | 000,279,040 | ---- | C] () -- C:\WINDOWS\SysWow64\qdv.dll [2007-02-18 11:05:46 | 000,192,512 | ---- | C] () -- C:\WINDOWS\SysWow64\qcap.dll [2007-02-18 11:05:40 | 000,355,112 | ---- | C] () -- C:\WINDOWS\SysWow64\msjetoledb40.dll [2007-02-18 11:05:34 | 000,062,464 | ---- | C] () -- C:\WINDOWS\SysWow64\mciqtz32.dll 
[2007-02-18 11:05:28 | 000,396,288 | ---- | C] () -- C:\WINDOWS\SysWow64\encdec.dll [2007-02-18 11:05:24 | 000,061,440 | ---- | C] () -- C:\WINDOWS\SysWow64\devenum.dll [2007-02-18 11:05:20 | 000,072,704 | ---- | C] () -- C:\WINDOWS\SysWow64\amstream.dll [2005-03-25 14:00:00 | 000,733,696 | ---- | C] () -- C:\WINDOWS\SysWow64\qedwipes.dll [2005-03-25 14:00:00 | 000,498,742 | ---- | C] () -- C:\WINDOWS\SysWow64\dxmasf.dll [2005-03-25 14:00:00 | 000,114,688 | ---- | C] () -- C:\WINDOWS\SysWow64\msencode.dll [2005-03-25 14:00:00 | 000,016,896 | ---- | C] () -- C:\WINDOWS\SysWow64\tsd32.dll [2005-03-25 14:00:00 | 000,014,336 | ---- | C] () -- C:\WINDOWS\SysWow64\msdmo.dll [2005-03-25 14:00:00 | 000,004,126 | ---- | C] () -- C:\WINDOWS\SysWow64\msdxmlc.dll ========== LOP Check ========== [2010-08-25 13:43:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited [2010-09-19 18:13:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite [2010-09-28 11:40:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI [2010-08-25 13:43:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\Canneverbe Limited [2010-08-29 16:06:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\Canneverbe_Limited [2010-09-19 18:17:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\DAEMON Tools Lite [2010-10-20 22:14:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\foobar2000 [2010-09-07 15:10:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\ImgBurn [2010-08-21 16:04:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\Miranda [2010-07-07 21:19:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\Mp3tag [2010-08-25 15:35:41 | 000,000,000 | ---D | M] 
-- C:\Documents and Settings\Warepire\Application Data\OpenOffice.org [2010-09-27 15:46:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\Opera [2010-09-19 02:36:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\ScummVM [2010-08-21 22:40:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\VBA-M [2010-09-19 17:45:18 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Warepire\Application Data\Virtual CD v10 [2010-10-21 02:47:37 | 000,032,430 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt [2010-10-21 20:01:00 | 000,000,252 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job ========== Purity Check ========== < End of report > From Extras.txt: OTL Extras logfile created on: 2010-10-21 20:54:05 - Run 1 OTL by OldTimer - Version 3.2.16.0 Folder = C:\Documents and Settings\Warepire\Desktop 64bit-Windows Server 2003 Service Pack 2 (Version = 5.2.3790) - Type = NTWorkstation Internet Explorer (Version = 6.0.3790.1830) Locale: 0000041D | Country: Sweden | Language: SVE | Date Format: yyyy-MM-dd 2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 72,00% Memory free 4,00 Gb Paging File | 3,00 Gb Available in Paging File | 85,00% Paging File free Paging file location(s): C:\pagefile.sys 2046 4092 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files (x86) Drive C: | 74,52 Gb Total Space | 65,77 Gb Free Space | 88,26% Space Free | Partition Type: NTFS Drive D: | 465,76 Gb Total Space | 382,59 Gb Free Space | 82,14% Space Free | Partition Type: NTFS Computer Name: MINION | User Name: Warepire | Logged in as Administrator. 
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 90 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* .html[@ = Opera.HTML] -- C:\Program Files (x86)\Opera\opera.exe (Opera Software) .url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .html [@ = Opera.HTML] -- C:\Program Files (x86)\Opera\opera.exe (Opera Software) ========== Shell Spawning ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* File not found cmdfile [open] -- "%1" %* File not found comfile [open] -- "%1" %* File not found cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* File not found exefile [open] -- "%1" %* File not found htmlfile [edit] -- Reg Error: Key error. http [open] -- "C:\Program Files (x86)\Opera\opera.exe" "%1" (Opera Software) https [open] -- "C:\Program Files (x86)\Opera\opera.exe" "%1" (Opera Software) inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 File not found InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l File not found piffile [open] -- "%1" %* File not found regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" File not found scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l File not found scrfile [open] -- "%1" /S File not found txtfile [edit] -- Reg Error: Key error. 
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* htmlfile [edit] -- Reg Error: Key error. http [open] -- "C:\Program Files (x86)\Opera\opera.exe" "%1" (Opera Software) https [open] -- "C:\Program Files (x86)\Opera\opera.exe" "%1" (Opera Software) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. 
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "FirstRunDisabled" = 1 "AntiVirusDisableNotify" = 1 "FirewallDisableNotify" = 1 "UpdatesDisableNotify" = 1 "AntiVirusOverride" = 0 "FirewallOverride" = 0 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "FirstRunDisabled" = 1 ========== System Restore Settings ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore] "DisableSR" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr] "Start" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService] "Start" = 2 ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 0 "DisableNotifications" = 0 ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] 
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found "C:\Program Files (x86)\Opera\opera.exe" = C:\Program Files (x86)\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software) "C:\Applications\Internet\Miranda-IM\miranda32.exe" = C:\Applications\Internet\Miranda-IM\miranda32.exe:*:Enabled:Miranda IM -- ( ) "C:\Program Files (x86)\Java\jre6\bin\javaw.exe" = C:\Program Files (x86)\Java\jre6\bin\javaw.exe:*:Enabled:Java Platform SE binary -- (Sun Microsystems, Inc.) "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found "C:\Program Files (x86)\Opera\opera.exe" = C:\Program Files (x86)\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software) "C:\Applications\Internet\Miranda-IM\miranda32.exe" = C:\Applications\Internet\Miranda-IM\miranda32.exe:*:Enabled:Miranda IM -- ( ) "C:\Program Files (x86)\Java\jre6\bin\javaw.exe" = C:\Program Files (x86)\Java\jre6\bin\javaw.exe:*:Enabled:Java Platform SE binary -- (Sun Microsystems, Inc.) 
========== HKEY_LOCAL_MACHINE Uninstall List ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1" = Media Player Classic - Home Cinema v1.3.2002.0 x64 "{350AA351-21FA-3270-8B7A-835434E766AD}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "NVIDIA Drivers" = NVIDIA Drivers "NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager "WIC" = Windows Imaging Component "WinRAR archiver" = WinRAR archiver [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{10C51313-A308-4B40-90E3-B368D5882660}" = Virtual CD v10 "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java 6 Update 16 "{2E72DCF0-8F35-4B94-91FA-8AE38D8B7534}" = Opera 10.70 "{3B6E3FC6-274C-4B6C-BC85-5C3B15DE18E2}" = Mega Manager "{41BB38A4-ED84-4682-8329-042FEBD8C30B}" = Mega Manager "{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411 "{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable "{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar "{957E1902-30C7-4A35-890B-90EB94B956D6}" = Intel
  13. Hi, I have some problems with an infection (which I don't understand how I got...) of Crypt.EPACK.Gen2 [this is at least what AntiVir calls it]. Every now and then AntiVir alerts me of a file "Gg[].exe" where [] is a letter; so far I have had Ggz, Ggx, Ggv and Ggy... I delete this file from my system, check my system with MBAM, AntiVir and Spybot S&D and they say I am clean; about a week later I have this infection again... I am guessing the root of the problem is still hiding somewhere in my system, invisible to MBAM, AntiVir and Spybot S&D. Any help to get rid of this would be greatly appreciated. I really don't feel like formatting my hard drive and re-installing right now. Thanks a lot. //Warepire