dsj1000

Help Removing Trojan: NTOSKRNL-HOOK 1st Logs


Thanks for getting back to me with my problem. I can only use the pc in Safe Mode; trying to start normally crashes after logging in. I am still having the same problem after downloading Malwarebytes and running the Quick Scan. (I already had this program on my pc - that I ran several days ago, which initially found two Trojans, and I described this in my first post). Today, after uninstalling the first version, then reinstalling the new one and running it, it did not find any problems. Following your reply - I downloaded Trendmicro's Hijackthis and ran the scan. As requested, here are the two logs.

Again, thanks very much for your expert help!

Don

M-Log:

7/16/2009 5:43:57 PM Scan Started: 07/16/2009 05:43:57 PM

7/16/2009 5:43:58 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"

7/16/2009 5:43:58 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"

7/16/2009 5:45:50 PM Total objects scanned: 4204

7/16/2009 5:45:50 PM Objects detected: 2

7/16/2009 5:45:50 PM Scan Done: 07/16/2009 05:45:50 PM

7/16/2009 6:14:50 PM Scan Started: 07/16/2009 06:14:50 PM

7/16/2009 6:14:54 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"

7/16/2009 6:14:54 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"

7/16/2009 6:15:01 PM Total objects scanned: 30

7/16/2009 6:15:01 PM Objects detected: 2

7/16/2009 6:15:01 PM Scan Done: 07/16/2009 06:15:01 PM

7/17/2009 5:09:33 PM Scan Started: 07/17/2009 05:09:33 PM

7/17/2009 5:09:34 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"

7/17/2009 5:09:34 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"

7/17/2009 5:09:37 PM Total objects scanned: 30

7/17/2009 5:09:37 PM Objects detected: 2

7/17/2009 5:09:37 PM Scan Done: 07/17/2009 05:09:37 PM

7/18/2009 11:13:51 AM Scan Started: 07/18/2009 11:13:51 AM

7/18/2009 11:13:52 AM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"

7/18/2009 11:13:52 AM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"

7/18/2009 11:13:58 AM Total objects scanned: 34

7/18/2009 11:13:58 AM Objects detected: 2

7/18/2009 11:13:58 AM Scan Done: 07/18/2009 11:13:58 AM

hijackthislog:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:33:52 PM, on 7/21/2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18248)

Boot mode: Safe mode with network support

Running processes:

C:\Windows\Explorer.EXE

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\system32\wbem\unsecapp.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: PE_IE_Helper Class - {0941C58F-E461-4E03-BD7D-44C27392ADE1} - C:\Program Files\IBM\Lotus Forms\Viewer\3.5\PEhelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [NvMediaCenter] "C:\Windows\system32\RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] "C:\Windows\system32\RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [Replay AV] "C:\Program Files\Replay AV 8\ReplayAV.exe" -quiet

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray

O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O13 - Gopher Prefix:

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...678/mcfscan.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe

O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FYMMY - Unknown owner - C:\Users\DON2~1\AppData\Local\Temp\FYMMY.exe (file missing)

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 8388 bytes

M_ScanLog18Jul09.txt

hijackthis21Jul09.txt



Hello dsj

Stop running "fixes" on your own. Do not self-medicate.

Also, please stop making new threads and just reply here, to this one.

Do not use the attachment option to put your logs. Always put them within the body of the reply box (after you have done a copy).

In other words, copy and then Paste into body of reply.

Given that this is a Vista system, on most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

After that, also do this:

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

=

Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):

  • the contents of OTL.txt;
  • the contents of Extras.txt ; and
  • the contents of checkup.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Maurice:

Thanks very much for your response, and careful guidance. I will stop self-medicating while you assist me in cleaning up this mess!

Here are the three logs you requested (I was successful in executing each step in your above instructions):

OTL logfile created on: 7/25/2009 7:32:37 PM - Run 1

OTL by OldTimer - Version 3.0.10.3 Folder = C:\Users\Don\Desktop

Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6001.18000)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 372.61 Gb Total Space | 332.24 Gb Free Space | 89.17% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

Drive F: | 698.63 Gb Total Space | 602.30 Gb Free Space | 86.21% Space Free | Partition Type: NTFS

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DON-PC

Current User Name: Don

Logged in as Administrator.

Current Boot Mode: SafeMode with Networking

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/03/19 11:42:02 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe

PRC - [2008/10/29 08:29:41 | 02,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Explorer.EXE

PRC - [2008/01/19 09:33:39 | 00,202,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe

PRC - [2008/01/19 09:33:33 | 00,037,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\unsecapp.exe

PRC - [2009/03/03 04:16:04 | 00,247,296 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\wmiprvse.exe

PRC - [2009/01/08 20:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe

PRC - [2009/01/08 20:30:26 | 00,645,328 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe

PRC - [2009/07/25 19:29:03 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/05/15 16:08:40 | 00,182,576 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe -- (accoca [Auto | Stopped])

SRV - [2009/02/02 02:33:18 | 00,317,440 | ---- | M] (Amazon.com) -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe -- (Amazon Download Agent [Auto | Stopped])

SRV - [2009/06/05 11:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Stopped])

SRV - [2008/11/05 17:35:08 | 00,085,096 | ---- | M] (Autodesk) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service [On_Demand | Stopped])

SRV - [2008/12/12 12:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Stopped])

SRV - [2008/07/27 20:03:13 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])

SRV - [2008/01/19 09:33:09 | 00,292,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe -- (ehRecvr [On_Demand | Stopped])

SRV - [2006/11/02 14:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Stopped])

SRV - [2006/11/02 14:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart [Auto | Stopped])

SRV - [2008/01/19 09:36:53 | 01,013,760 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wevtsvc.dll -- (Eventlog [Auto | Running])

SRV - [2008/06/20 03:14:44 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])

SRV - File not found -- -- (FYMMY [On_Demand | Stopped])

SRV - [2009/03/22 15:59:04 | 00,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe -- (GoToAssist [On_Demand | Stopped])

SRV - [2005/11/14 02:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])

SRV - [2008/06/20 03:14:31 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [unknown | Stopped])

SRV - [2007/04/13 17:49:00 | 00,101,528 | ---- | M] () -- C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE -- (IJPLMSVC [Auto | Stopped])

SRV - [2008/10/10 06:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService [Auto | Stopped])

SRV - [2009/06/05 13:39:14 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])

SRV - [2006/12/15 02:49:10 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Stopped])

SRV - [2008/07/26 08:27:42 | 00,141,848 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher [Auto | Stopped])

SRV - [2009/02/11 11:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service [Auto | Stopped])

SRV - [2009/01/08 20:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])

SRV - [2009/01/09 11:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto | Stopped])

SRV - [2009/04/01 14:21:30 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])

SRV - [2009/01/09 08:06:52 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Stopped])

SRV - [2009/03/25 11:05:48 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [unknown | Stopped])

SRV - [2009/03/24 00:03:18 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [On_Demand | Stopped])

SRV - [2007/08/24 07:59:20 | 00,068,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [On_Demand | Stopped])

SRV - [2009/07/21 01:16:21 | 00,059,904 | RHS- | M] (Microsoft Corporation) -- C:\Windows\System32\acpkcs201n.exe -- (MicrosoftTHREADORDER [Auto | Stopped])

SRV - [2009/03/19 11:42:02 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService [Auto | Running])

SRV - [2008/06/20 03:14:31 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])

SRV - [2006/12/24 02:54:04 | 00,262,144 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Stopped])

SRV - [2008/11/04 22:34:50 | 00,203,296 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe -- (nvsvc [Auto | Stopped])

SRV - [2007/08/24 04:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])

SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])

SRV - [2008/01/19 09:35:27 | 00,052,736 | ---- | M] (Hewlett-Packard) -- C:\Windows\System32\HPZipm12.dll -- (Pml Driver HPZ12 [Auto | Stopped])

SRV - [2007/01/25 19:31:34 | 00,093,048 | ---- | M] (CACE Technologies) -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd [On_Demand | Stopped])

SRV - [2009/06/02 10:10:08 | 00,637,952 | ---- | M] (Nokia.) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer [On_Demand | Stopped])

SRV - [2008/01/19 09:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend [On_Demand | Stopped])

SRV - [2008/01/19 09:33:39 | 00,896,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [Auto | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2006/11/02 11:51:38 | 00,420,968 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx [Disabled | Stopped])

DRV - [2006/11/02 11:51:32 | 00,297,576 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci [Disabled | Stopped])

DRV - [2006/11/02 11:50:35 | 00,098,408 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m [Disabled | Stopped])

DRV - [2006/11/02 11:51:00 | 00,147,048 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320 [Disabled | Stopped])

DRV - [2005/02/23 23:58:56 | 00,011,776 | ---- | M] (Arcsoft, Inc.) -- C:\Windows\System32\drivers\Afc.sys -- (Afc [On_Demand | Running])

DRV - [2006/11/02 11:50:11 | 00,071,272 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx [Disabled | Stopped])

DRV - [2006/11/02 11:49:20 | 00,014,952 | ---- | M] (Acer Laboratories Inc.) -- C:\Windows\system32\drivers\aliide.sys -- (aliide [Disabled | Stopped])

DRV - [2006/11/02 11:50:09 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arc.sys -- (arc [Disabled | Stopped])

DRV - [2006/11/02 11:50:10 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas [Disabled | Stopped])

DRV - [2008/06/27 02:36:48 | 00,057,216 | ---- | M] (AVerMedia TECHNOLOGIES, Inc.) -- C:\Windows\System32\DRIVERS\AVerBas.sys -- (AVMNgBasM780 [On_Demand | Stopped])

DRV - [2008/06/27 02:36:50 | 00,366,976 | ---- | M] (AVerMedia TECHNOLOGIES, Inc.) -- C:\Windows\System32\DRIVERS\AVerCap.sys -- (AVMNgCapM780 [On_Demand | Stopped])

DRV - [2008/06/27 02:36:50 | 00,165,120 | ---- | M] (AVerMedia TECHNOLOGIES, Inc.) -- C:\Windows\System32\DRIVERS\AVerTun.sys -- (AVMNgTunM780 [On_Demand | Stopped])

DRV - [2006/11/02 10:24:45 | 00,013,568 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo [On_Demand | Stopped])

DRV - [2006/11/02 10:24:46 | 00,005,248 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp [On_Demand | Stopped])

DRV - [2006/11/02 10:25:24 | 00,071,808 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserid.sys -- (Brserid [Disabled | Stopped])

DRV - [2006/11/02 10:24:44 | 00,062,336 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm [Disabled | Stopped])

DRV - [2006/11/02 10:24:44 | 00,012,160 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm [Disabled | Stopped])

DRV - [2006/11/02 10:24:47 | 00,011,904 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer [On_Demand | Stopped])

DRV - [2006/11/02 11:49:28 | 00,016,488 | ---- | M] (CMD Technology, Inc.) -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide [Disabled | Stopped])

DRV - [2008/01/15 13:39:38 | 00,097,792 | ---- | M] (OMNIKEY) -- C:\Windows\System32\DRIVERS\cxbu0wdm.sys -- (cxbu0wdm [On_Demand | Running])

DRV - [2006/11/02 09:30:54 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\Windows\System32\DRIVERS\E1G60I32.sys -- (E1G60 [On_Demand | Stopped])

DRV - [2006/11/02 11:51:34 | 00,316,520 | ---- | M] (Emulex) -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor [Disabled | Stopped])

DRV - [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\Windows\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])

DRV - [2006/11/02 11:50:10 | 00,037,480 | ---- | M] (Hewlett-Packard Company) -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs [Disabled | Stopped])

DRV - [2006/11/02 11:51:25 | 00,232,040 | ---- | M] (Intel Corporation) -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV [Disabled | Stopped])

DRV - [2006/11/02 11:50:17 | 00,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp [Disabled | Stopped])

DRV - [2007/03/02 01:21:10 | 01,744,928 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService [On_Demand | Stopped])

DRV - [2006/11/02 11:50:07 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi [Disabled | Stopped])

DRV - [2006/11/02 11:50:09 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid [Disabled | Stopped])

DRV - [2006/11/02 11:50:04 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC [Disabled | Stopped])

DRV - [2006/11/02 11:50:05 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS [Disabled | Stopped])

DRV - [2006/11/02 11:50:10 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI [Disabled | Stopped])

DRV - [2006/11/02 09:41:48 | 00,503,296 | ---- | M] (Agere Systems) -- C:\Windows\System32\DRIVERS\ltmdmnt.sys -- (ltmodem5 [On_Demand | Stopped])

DRV - [2007/10/11 18:59:02 | 02,142,488 | ---- | M] (Logitech Inc.) -- C:\Windows\System32\DRIVERS\LVMVDrv.sys -- (LVMVDrv [On_Demand | Stopped])

DRV - [2007/10/12 03:59:12 | 01,920,920 | ---- | M] (Logitech Inc.) -- C:\Windows\System32\DRIVERS\lvpopflt.sys -- (lvpopflt [On_Demand | Stopped])

DRV - [2008/12/17 08:00:12 | 00,768,024 | ---- | M] (Logitech Inc.) -- C:\Windows\System32\DRIVERS\lvrs.sys -- (LVRS [On_Demand | Stopped])

DRV - [2008/12/17 08:01:20 | 00,041,752 | ---- | M] (Logitech Inc.) -- C:\Windows\System32\drivers\LVUSBSta.sys -- (LVUSBSta [On_Demand | Stopped])

DRV - [2008/12/17 08:01:42 | 06,364,440 | ---- | M] (Logitech Inc.) -- C:\Windows\System32\DRIVERS\lvuvc.sys -- (LVUVC [On_Demand | Stopped])

DRV - [2006/11/02 11:49:53 | 00,028,776 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\megasas.sys -- (megasas [Disabled | Stopped])

DRV - [2009/03/25 11:06:28 | 00,079,880 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Stopped])

DRV - [2009/03/25 11:06:28 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Stopped])

DRV - [2009/03/25 11:06:28 | 00,214,024 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk [system | Running])

DRV - [2009/03/25 11:05:54 | 00,034,216 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk [On_Demand | Stopped])

DRV - [2009/03/25 11:06:30 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk [On_Demand | Stopped])

DRV - [2008/10/23 13:08:54 | 00,130,424 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\Drivers\Mpfp.sys -- (MPFP [system | Running])

DRV - [2006/11/02 11:49:59 | 00,033,384 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x [Disabled | Stopped])

DRV - [2006/11/02 11:50:19 | 00,045,160 | ---- | M] (IBM Corporation) -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960 [Disabled | Stopped])

DRV - [2007/01/25 19:31:34 | 00,042,000 | ---- | M] (CACE Technologies) -- C:\Windows\System32\drivers\npf.sys -- (NPF [On_Demand | Stopped])

DRV - [2006/11/02 09:36:50 | 00,020,608 | ---- | M] (N-trig Innovative Technologies) -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi [Disabled | Stopped])

DRV - [2007/11/18 03:39:50 | 01,040,544 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\DRIVERS\nvmfdx32.sys -- (NVENETFD [On_Demand | Running])

DRV - [2008/11/04 22:34:47 | 07,380,896 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\DRIVERS\nvlddmkm.sys -- (nvlddmkm [On_Demand | Stopped])

DRV - [2006/11/02 11:50:24 | 00,088,680 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid [Disabled | Stopped])

DRV - [2007/01/05 21:59:42 | 00,035,920 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor [boot | Running])

DRV - [2007/08/09 18:12:30 | 00,110,624 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\DRIVERS\nvstor32.sys -- (nvstor32 [boot | Running])

DRV - [2008/08/26 10:26:12 | 00,018,816 | ---- | M] (Nokia) -- C:\Windows\System32\DRIVERS\pccsmcfd.sys -- (pccsmcfd [On_Demand | Stopped])

DRV - [2006/11/02 11:51:45 | 00,900,712 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300 [Disabled | Stopped])

DRV - [2006/11/02 11:50:35 | 00,106,088 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx [Disabled | Stopped])

DRV - [2006/11/02 08:37:21 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv [Auto | Stopped])

DRV - [2006/11/02 11:50:10 | 00,038,504 | ---- | M] (Silicon Integrated Systems Corp.) -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2 [Disabled | Stopped])

DRV - [2006/11/02 11:50:16 | 00,071,784 | ---- | M] (Silicon Integrated Systems) -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4 [Disabled | Stopped])

DRV - [2008/01/19 08:14:10 | 00,009,216 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\DRIVERS\serscan.sys -- (StillCam [On_Demand | Stopped])

DRV - [2006/11/02 11:50:05 | 00,035,944 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx [Disabled | Stopped])

DRV - [2006/11/02 11:49:56 | 00,031,848 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi [Disabled | Stopped])

DRV - [2006/11/02 11:50:03 | 00,034,920 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3 [Disabled | Stopped])

DRV - [2008/01/19 09:42:12 | 00,045,624 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tpm.sys -- (TPM [On_Demand | Stopped])

DRV - [2006/11/02 11:51:25 | 00,235,112 | ---- | M] (ULi Electronics Inc.) -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci [Disabled | Stopped])

DRV - [2006/11/02 11:50:35 | 00,098,408 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata [Disabled | Stopped])

DRV - [2006/11/02 11:50:45 | 00,115,816 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2 [Disabled | Stopped])

DRV - [2008/01/19 07:53:23 | 00,073,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])

DRV - [2006/11/02 11:49:30 | 00,017,512 | ---- | M] (VIA Technologies, Inc.) -- C:\Windows\system32\drivers\viaide.sys -- (viaide [Disabled | Stopped])

DRV - [2006/11/02 11:50:41 | 00,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid [Disabled | Stopped])

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AIM Search"

FF - prefs.js..browser.search.defaulturl: "http://search.aol.com/aolcom/search?invocationType=tbff50ie7&query="

FF - prefs.js..browser.search.selectedEngine: "AIM Search"

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"

FF - prefs.js..keyword.URL: "http://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query="

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/09/20 16:12:48 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/03/20 19:41:03 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/06/24 10:59:19 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2009/07/14 17:20:50 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 1.5\Extensions\\Components: C:\Program Files\Mozilla Firefox\Components [2009/07/17 17:14:51 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 1.5\Extensions\\Plugins: C:\Program Files\Mozilla Firefox\Plugins [2009/07/14 15:32:40 | 00,000,000 | ---D | M]

[2008/09/06 20:11:48 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\mozilla\Firefox\Profiles\45zlaw1e.default\extensions

[2007/12/09 15:46:29 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\mozilla\Firefox\Profiles\45zlaw1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

[2008/09/10 17:49:01 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\mozilla\Firefox\Profiles\45zlaw1e.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}

[2008/09/06 20:11:46 | 00,000,246 | ---- | M] () -- C:\Users\Don\AppData\Roaming\Mozilla\FireFox\Profiles\45zlaw1e.default\searchplugins\AIM Search.src

[2008/09/10 17:49:10 | 00,001,010 | ---- | M] () -- C:\Users\Don\AppData\Roaming\Mozilla\FireFox\Profiles\45zlaw1e.default\searchplugins\aimsearch.gif

[2008/09/10 17:49:10 | 00,000,301 | ---- | M] () -- C:\Users\Don\AppData\Roaming\Mozilla\FireFox\Profiles\45zlaw1e.default\searchplugins\aimsearch.src

[2008/11/22 12:00:04 | 00,000,275 | ---- | M] () -- C:\Users\Don\AppData\Roaming\Mozilla\FireFox\Profiles\45zlaw1e.default\searchplugins\search.xml

[2009/01/05 18:26:58 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions

[2007/10/06 11:21:02 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

[2007/10/06 11:20:51 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

[2008/04/10 12:14:23 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

[2008/08/08 22:26:01 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

[2009/01/05 18:26:58 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

[2007/10/06 11:20:53 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\realplayer@partners.mozilla.com

[2007/10/06 11:20:50 | 00,060,526 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jar50.dll

[2007/10/06 11:20:51 | 00,049,256 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jsd3250.dll

[2007/10/06 11:20:50 | 00,166,000 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\xpinstal.dll

[2003/03/18 21:20:00 | 01,060,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\mfc71.dll

[2003/02/21 04:42:22 | 00,348,160 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\msvcr71.dll

[2009/01/05 18:26:35 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll

[2008/01/04 23:57:08 | 01,335,600 | ---- | M] (DivX,Inc.) -- C:\Program Files\mozilla firefox\plugins\npdivx32.dll

[2008/01/08 01:14:26 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\mozilla firefox\plugins\npDivxPlayerPlugin.dll

[2009/05/19 10:05:00 | 00,155,648 | ---- | M] (IBM Corporation) -- C:\Program Files\mozilla firefox\plugins\npmfv.dll

[2007/10/06 11:20:51 | 00,017,032 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll

[2006/10/26 20:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL

[2007/05/10 23:52:34 | 00,095,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll

[2007/10/06 11:22:06 | 00,140,624 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nppl3260.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll

[2007/10/06 11:22:18 | 00,008,192 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprjplug.dll

[2007/10/06 11:21:56 | 00,094,208 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprpjplug.dll

[2005/08/09 20:42:53 | 00,057,344 | ---- | M] (America Online, Inc.) -- C:\Program Files\mozilla firefox\plugins\npunagi2.dll

[2007/10/06 11:20:52 | 00,000,680 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.png

[2007/10/06 11:20:52 | 00,000,741 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.src

[2007/10/06 11:20:52 | 00,001,150 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.png

[2007/10/06 11:20:52 | 00,000,539 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.src

[2007/10/06 11:20:52 | 00,000,356 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.png

[2007/10/06 11:20:52 | 00,001,007 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.src

[2007/10/06 11:20:52 | 00,000,210 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.gif

[2007/10/06 11:20:52 | 00,001,056 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.src

[2007/10/06 11:20:52 | 00,001,076 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.gif

[2007/10/06 11:20:52 | 00,000,718 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.src

[2007/10/06 11:20:52 | 00,000,088 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.gif

[2007/10/06 11:20:52 | 00,001,122 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.src

O1 HOSTS File: (761 bytes) - C:\Windows\System32\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (PE_IE_Helper Class) - {0941C58F-E461-4E03-BD7D-44C27392ADE1} - C:\Program Files\IBM\Lotus Forms\Viewer\3.5\PEhelper.dll (IBM Corporation)

O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (AOL Toolbar Launcher) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)

O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O3 - HKLM\..\Toolbar: (AIM Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O3 - HKCU\..\Toolbar\WebBrowser: (AIM Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O4 - HKLM..\Run: [accrdsub] C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe (ActivIdentity)

O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\system32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\system32\NvMcTray.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (Microsoft Corporation)

O4 - HKCU..\Run: [PC Suite Tray] C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe (Nokia)

O4 - HKCU..\Run: [Replay AV] C:\Program Files\Replay AV 8\ReplayAV.exe (Applian Technologies Inc.)

O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)

O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)

O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)

O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)

O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)

O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/...678/mcfscan.cab (McFreeScan Class)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 83.169.185.33 83.169.185.97

O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)

O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)

O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\Explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found

O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 23:43:36 | 00,000,024 | ---- | M] () - F:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck) - File not found

O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)

O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/07/25 19:29:01 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe

[2009/07/24 15:53:43 | 00,000,733 | ---- | C] () -- C:\Users\Don\Desktop\NTREGOPT.lnk

[2009/07/24 15:53:43 | 00,000,714 | ---- | C] () -- C:\Users\Don\Desktop\ERUNT.lnk

[2009/07/24 15:53:42 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT

[2009/07/22 17:14:11 | 00,000,000 | ---D | C] -- C:\Avenger

[2009/07/21 18:33:31 | 00,001,874 | ---- | C] () -- C:\Users\Don\Desktop\HijackThis.lnk

[2009/07/21 18:33:31 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2009/07/21 18:27:52 | 00,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/07/21 18:27:50 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

[2009/07/21 18:27:49 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2009/07/21 01:16:24 | 00,002,316 | --S- | C] () -- C:\Windows\System32\3383780972.dat

[2009/07/21 01:16:21 | 00,059,904 | RHS- | C] (Microsoft Corporation) -- C:\Windows\System32\acpkcs201n.exe

[2009/07/20 17:53:40 | 00,009,829 | ---- | C] () -- C:\Users\Public\Documents\PCS Sales.xlsx

[2009/07/19 14:09:16 | 01,818,097 | ---- | C] () -- C:\Users\Public\Documents\Sale-items-Germany.docx

[2009/07/18 15:23:16 | 00,029,276 | ---- | C] () -- C:\GetenNOW.dmp

[2009/07/18 13:50:49 | 00,000,000 | ---D | C] -- C:\Users\Don\AppData\Local\temp

[2009/07/18 13:50:09 | 00,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

[2009/07/18 11:43:16 | 00,219,648 | ---- | C] () -- C:\Windows\PEV.exe

[2009/07/18 11:43:16 | 00,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe

[2009/07/18 11:43:16 | 00,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2009/07/18 11:43:16 | 00,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2009/07/18 11:43:16 | 00,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2009/07/18 11:43:16 | 00,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2009/07/18 11:43:16 | 00,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2009/07/18 11:43:16 | 00,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2009/07/18 11:43:06 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT

[2009/07/18 11:42:47 | 00,000,000 | ---D | C] -- C:\Qoobox

[2009/07/18 11:06:35 | 00,000,014 | ---- | C] () -- C:\settings.dat

[2009/07/17 19:32:38 | 00,000,000 | ---D | C] -- C:\!KillBox

[2009/07/17 17:21:08 | 00,000,000 | ---D | C] -- C:\Windows\McAfee.com

[2009/07/16 18:03:11 | 00,000,014 | ---- | C] () -- C:\Windows\System32\settings.dat

[2009/07/15 18:48:39 | 00,015,477 | ---- | C] () -- C:\Windows\System32\lpd

[2009/07/14 17:20:33 | 00,000,000 | -HSD | C] -- C:\Config.Msi

[2009/07/14 17:20:15 | 00,000,000 | ---D | C] -- C:\Program Files\PC Connectivity Solution

[2009/07/14 15:33:26 | 00,002,231 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk

[2009/07/14 15:33:20 | 00,000,000 | ---D | C] -- C:\Program Files\iPod

[2009/07/14 15:32:37 | 00,001,726 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk

[2009/07/14 15:32:31 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime

[2009/07/13 09:52:35 | 02,033,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys

[2009/07/13 09:52:33 | 00,636,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\localspl.dll

[2009/07/13 09:52:31 | 00,784,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rpcrt4.dll

[2009/07/13 09:52:29 | 03,581,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.dll

[2009/07/13 09:52:27 | 06,069,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieframe.dll

[2009/07/13 09:52:27 | 01,166,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\urlmon.dll

[2009/07/13 09:52:26 | 00,827,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wininet.dll

[2009/07/13 09:52:26 | 00,458,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll

[2009/07/13 09:52:26 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll

[2009/07/13 09:52:26 | 00,270,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iertutil.dll

[2009/07/13 09:52:26 | 00,230,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll

[2009/07/13 09:52:25 | 00,671,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll

[2009/07/13 09:52:25 | 00,389,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec

[2009/07/13 09:52:25 | 00,102,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\occache.dll

[2009/07/13 09:52:25 | 00,078,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieencode.dll

[2009/07/13 09:52:25 | 00,026,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe

[2009/07/13 09:52:24 | 00,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll

[2009/07/13 09:52:23 | 01,383,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb

[2009/07/12 21:39:46 | 00,469,504 | ---- | C] ( ) -- C:\GetenNOW.exe

[2009/05/09 17:43:09 | 00,081,110 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini

[2009/03/22 16:08:04 | 00,000,250 | ---- | C] () -- C:\Windows\gmer.ini

[2009/03/22 16:07:58 | 00,884,736 | ---- | C] () -- C:\Windows\gmer.dll

[2008/06/11 10:02:34 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll

[2008/06/11 10:02:34 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll

[2008/06/11 10:02:34 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll

[2008/06/11 10:02:34 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll

[2008/06/11 10:02:34 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll

[2008/06/11 10:02:34 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll

[2008/06/11 10:02:32 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll

[2008/06/11 10:02:32 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll

[2008/06/11 10:02:32 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll

[2008/06/05 09:58:26 | 00,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll

[2008/04/11 13:14:17 | 00,011,776 | ---- | C] () -- C:\Windows\System32\pmsbfn32.dll

[2008/04/11 13:13:05 | 00,000,412 | ---- | C] () -- C:\Windows\MAXLINK.INI

[2008/01/04 23:58:50 | 03,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll

[2008/01/04 23:57:22 | 00,000,416 | ---- | C] () -- C:\Windows\System32\dtu100.dll.manifest

[2008/01/04 23:57:22 | 00,000,416 | ---- | C] () -- C:\Windows\System32\dpl100.dll.manifest

[2008/01/04 23:56:24 | 00,012,288 | ---- | C] () -- C:\Windows\System32\DivXWMPExtType.dll

[2007/09/26 17:40:12 | 00,241,664 | ---- | C] () -- C:\Windows\System32\cmabout.dll

[2007/09/26 17:40:12 | 00,010,357 | ---- | C] () -- C:\Windows\System32\cmdiag.ini

[2007/09/26 17:40:12 | 00,000,142 | ---- | C] () -- C:\Windows\System32\cmabout.ini

[2007/07/03 22:58:58 | 00,000,020 | ---- | C] () -- C:\Windows\Hposcv07.INI

[2007/06/26 18:53:09 | 00,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini

[2007/05/12 19:58:19 | 01,936,528 | ---- | C] () -- C:\Windows\System32\ltmm15.dll

[2007/05/11 10:54:12 | 00,065,536 | ---- | C] () -- C:\Windows\System32\chksvrn.dll

[2007/03/29 23:00:40 | 00,203,264 | ---- | C] () -- C:\Windows\System32\CddbCdda.dll

[2007/03/09 09:12:32 | 00,027,648 | -HS- | C] () -- C:\Windows\System32\AVSredirect.dll

[2007/03/06 11:14:48 | 00,010,752 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll

[2007/03/06 11:14:48 | 00,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest

[2007/01/25 19:31:36 | 00,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll

[2006/11/02 14:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll

[2006/11/02 12:23:31 | 00,000,639 | ---- | C] () -- C:\Windows\win.ini

[2006/11/02 12:23:31 | 00,000,215 | ---- | C] () -- C:\Windows\system.ini

[2006/11/02 09:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

[2006/04/30 00:34:04 | 00,049,152 | ---- | C] () -- C:\Windows\System32\WbxRMenu.dll

[2006/04/13 23:18:24 | 00,196,608 | ---- | C] () -- C:\Windows\System32\atonres.dll

[2006/04/13 23:18:24 | 00,131,072 | ---- | C] () -- C:\Windows\System32\WbxMSAI.dll

[2006/04/13 23:18:24 | 00,098,304 | ---- | C] () -- C:\Windows\System32\atonecli.dll

========== Files - Modified Within 30 Days ==========

[3 C:\Windows\System32\*.tmp files]

[2009/07/25 19:29:19 | 01,955,822 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2009/07/25 19:29:19 | 00,566,634 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2009/07/25 19:29:19 | 00,005,064 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI

[2009/07/25 19:29:03 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe

[2009/07/25 19:25:17 | 00,006,743 | ---- | M] () -- C:\Windows\System32\Config.MPF

[2009/07/25 19:24:54 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2009/07/25 19:23:32 | 00,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2009/07/25 19:23:32 | 00,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2009/07/25 19:23:29 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT

[2009/07/25 19:23:06 | 00,000,000 | ---- | M] () -- C:\Windows\System32\drivers\lvuvc.hs

[2009/07/24 15:53:43 | 00,000,733 | ---- | M] () -- C:\Users\Don\Desktop\NTREGOPT.lnk

[2009/07/24 15:53:43 | 00,000,714 | ---- | M] () -- C:\Users\Don\Desktop\ERUNT.lnk

[2009/07/24 14:34:57 | 00,002,032 | ---- | M] () -- C:\Users\Don\AppData\Local\d3d9caps.dat

[2009/07/23 18:36:45 | 23,269,8972 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2009/07/23 05:47:01 | 00,002,231 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk

[2009/07/22 17:06:39 | 00,474,304 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[2009/07/21 21:23:34 | 00,000,414 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{09FC0A04-5003-4B4F-9F6B-0F4197BFE6BC}.job

[2009/07/21 18:33:31 | 00,001,874 | ---- | M] () -- C:\Users\Don\Desktop\HijackThis.lnk

[2009/07/21 18:27:52 | 00,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/07/21 17:06:39 | 00,002,316 | --S- | M] () -- C:\Windows\System32\3383780972.dat

[2009/07/21 01:16:21 | 00,059,904 | RHS- | M] (Microsoft Corporation) -- C:\Windows\System32\acpkcs201n.exe

[2009/07/20 17:53:40 | 00,009,829 | ---- | M] () -- C:\Users\Public\Documents\PCS Sales.xlsx

[2009/07/20 10:18:00 | 00,000,472 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job

[2009/07/19 17:00:16 | 00,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini

[2009/07/19 15:49:00 | 00,002,585 | ---- | M] () -- C:\Users\Don\Desktop\Microsoft Office Excel 2007.lnk

[2009/07/19 15:11:25 | 01,818,097 | ---- | M] () -- C:\Users\Public\Documents\Sale-items-Germany.docx

[2009/07/18 15:23:53 | 00,029,276 | ---- | M] () -- C:\GetenNOW.dmp

[2009/07/18 15:22:45 | 00,000,014 | ---- | M] () -- C:\settings.dat

[2009/07/18 13:47:31 | 00,000,215 | ---- | M] () -- C:\Windows\system.ini

[2009/07/18 11:05:51 | 00,469,504 | ---- | M] ( ) -- C:\GetenNOW.exe

[2009/07/16 18:29:21 | 00,000,014 | ---- | M] () -- C:\Windows\System32\settings.dat

[2009/07/15 18:48:39 | 00,015,477 | ---- | M] () -- C:\Windows\System32\lpd

[2009/07/15 01:00:00 | 00,000,336 | ---- | M] () -- C:\Windows\tasks\McDefragTask.job

[2009/07/14 17:20:51 | 00,001,903 | ---- | M] () -- C:\Users\Public\Desktop\Nokia PC Suite.lnk

[2009/07/14 15:32:37 | 00,001,726 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk

[2009/07/13 13:36:34 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

[2009/07/13 13:36:12 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2009/07/13 05:48:54 | 00,219,648 | ---- | M] () -- C:\Windows\PEV.exe

========== LOP Check ==========

[2009/07/14 17:20:39 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming

[2008/09/02 21:18:52 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\acccore

[2008/07/13 12:53:47 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Ahead

[2008/09/02 21:18:23 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\AIM

[2008/11/12 19:38:04 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Autodesk

[2009/06/07 18:28:28 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Canon

[2007/08/20 18:47:38 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Centra

[2008/04/13 12:34:35 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Intuit

[2008/09/02 19:07:40 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Leadertech

[2006/11/02 14:37:34 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Media Center Programs

[2009/03/27 00:41:46 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Nokia

[2008/10/13 16:41:07 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\NSeries

[2007/05/11 16:28:15 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Opera

[2008/10/13 16:41:20 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\PC Suite

[2009/06/12 17:43:15 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\PureEdge

[2008/04/11 13:13:00 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\ScanSoft

[2007/07/03 22:59:14 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Share-to-Web Upload Folder

[2007/05/10 18:21:16 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Template

[2009/07/20 10:18:00 | 00,000,472 | ---- | M] () -- C:\Windows\Tasks\Ad-Aware Update (Weekly).job

[2009/07/15 01:00:00 | 00,000,336 | ---- | M] () -- C:\Windows\Tasks\McDefragTask.job

[2009/06/01 01:00:10 | 00,000,328 | ---- | M] () -- C:\Windows\Tasks\McQcTask.job

[2009/07/25 19:23:29 | 00,000,006 | -H-- | M] () -- C:\Windows\Tasks\SA.DAT

[2009/07/21 21:36:30 | 00,032,648 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

[2009/07/21 21:23:34 | 00,000,414 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{09FC0A04-5003-4B4F-9F6B-0F4197BFE6BC}.job

========== Purity Check ==========

< End of report >

Next log report:

OTL Extras logfile created on: 7/25/2009 7:32:37 PM - Run 1

OTL by OldTimer - Version 3.0.10.3 Folder = C:\Users\Don\Desktop

Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6001.18000)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 372.61 Gb Total Space | 332.24 Gb Free Space | 89.17% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

Drive F: | 698.63 Gb Total Space | 602.30 Gb Free Space | 86.21% Space Free | Partition Type: NTFS

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DON-PC

Current User Name: Don

Logged in as Administrator.

Current Boot Mode: SafeMode with Networking

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 0

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4041010409-2044806714-3416792504-1002]

"EnableNotifications" = 0

"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 0

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{005D9A63-62CB-48AD-ABC6-EEFC47871A40}" = lport=2869 | protocol=6 | dir=in | app=system |

"{188F5DA0-B8D4-403B-AF57-FFE7F701036B}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{1C622559-D8E5-44F8-BD75-569AE2EC2BF4}" = lport=10243 | protocol=6 | dir=in | app=system |

"{2EE75835-BD84-48DD-A841-917F47B130DD}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{756D76D4-28D5-42D4-859D-5E6F0A3D26F7}" = lport=80 | protocol=6 | dir=out | app=c:\program files\common files\intuit\update service\intuitupdateservice.exe |

"{8544F72A-6EF4-4E1D-8D6D-142883D22163}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{9DED61C8-9EBD-4D5D-8DA4-13770E3E0F02}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{9F6DCC35-ED2E-401C-9207-69EF3F678BF0}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{A0015F7B-FEB5-4F10-B443-B76BEA6BDA7F}" = rport=10243 | protocol=6 | dir=out | app=system |

"{AE94A8B0-B2FF-4BA6-9576-B26A461B8FA6}" = lport=80 | protocol=6 | dir=out | app=c:\program files\common files\intuit\update service\intuitupdater.exe |

"{DA12EA7E-5E5E-4B86-B225-D0FBA1C882D5}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |

"{E9304DD5-C454-484F-A23C-7190F2017943}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{010E5ADF-A38E-4C64-B3E2-4F19D10E243B}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |

"{02F154A9-70C7-4757-B811-4F958E9C5E28}" = protocol=6 | dir=out | app=system |

"{1D25230D-5D4F-40BB-9EB8-54A409F792CB}" = protocol=6 | dir=in | app=c:\program files\turbotax\deluxe 2007\32bit\ttax.exe |

"{1F0B6AC6-F3F3-49EF-996F-9FD50A09BC30}" = protocol=17 | dir=in | app=c:\program files\aim6\aim6.exe |

"{261D4995-1B8B-4049-AFB9-28D8CCFB7F85}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"{275EE434-58BD-4CFC-A871-8DC20B09B480}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |

"{3BDA8FD9-96C3-45DF-99F4-B08B0614E5EF}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |

"{3CDCF971-B8EB-44FC-88B8-5B5AD3ED5BF6}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"{3E6E6886-6097-4119-BDC7-332A1AD74330}" = protocol=17 | dir=in | app=c:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe |

"{42CF1DB9-28B5-444B-97A6-B16923FD7336}" = dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |

"{4BD72278-859D-4CF5-998D-DF4E39522F8A}" = protocol=6 | dir=in | app=c:\program files\turbotax\deluxe 2007\32bit\updatemgr.exe |

"{4BE9D286-CA36-4AF3-B22C-CE0011D21BDC}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |

"{50F2CDD6-8581-4C12-97A4-412ABB13582F}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{527E43B0-EF43-4844-89F9-B0EDF4E209AA}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |

"{578DE249-9B2D-4132-8B9D-2252CF91F8B8}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |

"{58CEF473-F77B-4C94-9BCE-C648CABB027E}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{5EE2F825-E5F6-46F3-A315-3C04EEE23723}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |

"{733BD80A-528C-4C15-BABF-40E5B60F750B}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{755F003E-3F2C-44D5-BF1F-B7F139630ACB}" = protocol=17 | dir=in | app=c:\program files\turbotax\deluxe 2007\32bit\ttax.exe |

"{75824053-E9C0-451A-BC4C-D21A13B9A0BA}" = protocol=6 | dir=in | app=c:\program files\aim6\aim6.exe |

"{75C7EB4D-684C-40A8-ACC5-D25D5EE52019}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{76E398C2-AA52-43B0-A026-9C24AB6FFCED}" = protocol=17 | dir=in | app=c:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe |

"{796AFA25-F04D-45DD-A063-099C9829FA17}" = protocol=6 | dir=in | app=c:\program files\google\google talk\googletalk.exe |

"{7CA194A8-333E-403F-9902-EA58FF4A6680}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |

"{94647C72-CE77-4C37-AB40-8E9895DF6E95}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{B3577CA9-FC10-4ADF-A440-43A5B1BCA6CB}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |

"{BECA3A6D-63AC-4C42-BE22-9E2F5D77A874}" = protocol=17 | dir=in | app=c:\program files\turbotax\deluxe 2007\32bit\updatemgr.exe |

"{C1CBD49B-4071-4A1C-A2C1-B9193AD3AC5D}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |

"{C5C75448-C434-42D9-96CD-0C0ADAF7EC5A}" = protocol=6 | dir=in | app=c:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe |

"{D1D2EB3B-3366-42FB-B91E-68A3FEC7BFA5}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

"{D6D54D31-CBEA-4F22-8C68-C4ABEBBADAAB}" = protocol=6 | dir=in | app=c:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe |

"{D8079791-5878-43FC-970E-45ED8E222E6D}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

"{E0F3B925-A4C9-4490-BF7C-C8D5A9DC95C6}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{E1517C79-E3B6-4D7D-9BA0-94F62A8BFEBF}" = protocol=17 | dir=in | app=c:\program files\google\google talk\googletalk.exe |

"{ED986F49-075C-4C9F-8046-D4209FF9A846}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{004B0DCB-4C60-465B-8F01-44B0A4111187}" = SlingPlayer

"{03528A01-7E5E-4C5F-94DF-1D8012E969EF}" = Nokia Map Loader

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{0C973594-7DDF-4BD0-84ED-3517F7622037}" = PC Connectivity Solution

"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX850_series" = Canon MX850 series

"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate

"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86

"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)

"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java 6 Update 11

"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation

"{2CCBABCB-6427-4A55-B091-49864623C43F}" = Google Toolbar for Firefox

"{2D21ECE3-8EC1-4315-AE4E-1970FB3AF17A}" = Nokia Nseries Video Manager

"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine

"{301BEB64-7C38-4BB5-8F94-62E6160532C8}" = Nokia Download!

"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0

"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java SE Runtime Environment 6 Update 1

"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java 6 Update 2

"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java 6 Update 3

"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java 6 Update 5

"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java 6 Update 7

"{32DA464B-1B35-4FE6-B44C-48D6847D11C9}" = ArcSoft Software Suite

"{3D39E775-DDDA-4327-B747-0BDC5F191331}" = Nokia PC Suite

"{52D02A2B-03D2-4E34-A358-DC5D951FD296}" = Nokia Connectivity Cable Driver

"{5783F2D7-7009-0409-0002-0060B0CE6BBA}" = AutoCAD LT 2009 - English

"{5C6F884D-680C-448B-B4C9-22296EE1B206}" = Logitech Harmony Remote Software 7

"{5D601655-6D54-4384-B52C-17EC5385FBBD}" = iTunes

"{5FE1E412-D114-46E8-A891-5BE087B256A5}" = MVision

"{664708B3-C730-11D5-ADE7-00B0D07D157A}" = StreetSmart Pro

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset

"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec

"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English

"{7EE94A24-188A-4D98-9018-37857701996E}" = Nokia Photos

"{82C0BCC7-A3ED-4AD9-9C94-6E71CAFC939E}" = Nokia NSeries Application Installer

"{8355F970-601D-442D-A79B-1D7DB4F24CAD}" = Apple Mobile Device Support

"{8471021C-F529-43DE-84DF-3612E10F58C4}" = Remote Control USB Driver

"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine

"{89A33B7F-A5C2-4F18-AD71-AC29278507B7}" = Nokia NSeries One Touch Access

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player

"{8BE37EEF-82D2-40CF-9FD4-173F947B7ABA}" = Nokia Software Updater

"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger

"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007

"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007

"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007

"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISER_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007

"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007

"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007

"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISER_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007

"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90870373-8351-4F73-B5C1-73A9A01BAAEA}" = Nokia NSeries Content Copier

"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007

"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{92271486-E286-4CF1-AE6D-F889F83CBF84}" = Opera 9.61

"{97B21A40-E5B6-4887-9CC4-38FB416A2998}" = Nokia NSeries System Utilities

"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime

"{A0BBF7AB-2F47-47DC-BB02-4C826F2BC73C}" = IBM Lotus Forms Viewer 3.5

"{A7E07C2B-2220-4415-87E3-784D5814BC93}" = NVIDIA PhysX v8.09.04

"{A87B11AC-4344-4E5D-8B12-8F471A87DAD9}" = LightScribe 1.4.136.1

"{AC194855-F7AC-4D04-B4C9-07BA46FCB697}" = ActivClient CAC 6.1 AFR

"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2

"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8

"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter

"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper

"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport

"{B28B351F-1232-46EA-85EF-B8EA91641033}" = Nero 7 Essentials

"{B3EA8C67-C182-40E5-BCC7-6F132DA46AAD}" = Logitech Harmony Remote Software 7

"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player

"{C73A3AB4-99A4-45E5-B77F-09A3065E0D6A}" = Microsoft IntelliType Pro 6.1

"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime

"{CA585226-334C-4411-8F52-0C7F58BC932A}" = Nokia NSeries Music Manager

"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader

"{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}" = Presto! PageManager 7.15.20

"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware

"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)

"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01

"{F7DAC756-8358-484B-928C-457F4E0E4B82}" = Cherry Smart Device Package V1.7 Build 7

"{FD0955C7-C64C-45DC-A991-FDC4E50C4E09}" = Multimedia Card Reader

"{FE893E2C-11B4-47CB-88F6-6647D90C6A13}" = ScanSoft OmniPage SE 4

"0C5EDC3653FED5B121F464339EAC12534D253B25" = Windows Driver Package - Nokia Modem (02/15/2007 3.1)

"Ad-Aware" = Ad-Aware

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"AIM Toolbar" = AIM Toolbar 5.0

"AIM_6" = AIM 6

"Amazon Games & Software Downloader_is1" = Amazon Games & Software Downloader

"AutoCAD LT 2009 - English" = AutoCAD LT 2009 - English

"Canon MX850 series User Registration" = Canon MX850 series User Registration

"Canon_IJ_Network_Scan_UTILITY" = Canon IJ Network Scan Utility

"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool

"CANONIJPLM100" = PIXMA Extended Survey Program

"CanonMyPrinter" = Canon My Printer

"CanonSolutionMenu" = Canon Utilities Solution Menu

"CentraClient" = Centra Client

"Dziobas Rar Player_is1" = Dziobas Rar Player 0.009.39

"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX

"ENTERPRISER" = Microsoft Office Enterprise 2007

"ERUNT_is1" = ERUNT 1.1j

"GoToAssist" = GoToAssist 8.0.0.516

"HijackThis" = HijackThis 2.0.2

"HP Photo Printing Software" = HP Photo Printing Software

"InstallShield_{004B0DCB-4C60-465B-8F01-44B0A4111187}" = SlingPlayer

"InstallShield_{FD0955C7-C64C-45DC-A991-FDC4E50C4E09}" = Multimedia Card Reader

"lvdrivers_11.50" = Logitech QuickCam Driver Package

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Mozilla Firefox (1.5)" = Mozilla Firefox (1.5)

"MP Navigator EX 1.1" = Canon MP Navigator EX 1.1

"MSC" = McAfee SecurityCenter

"Nokia NSeries Application Installer" = Nokia NSeries Application Installer 6.83.11

"Nokia NSeries Content Copier" = Nokia NSeries Content Copier 6.83.11

"Nokia NSeries Music Manager" = Nokia NSeries Music Manager 6.83.11

"Nokia NSeries One Touch Access" = Nokia NSeries One Touch Access 6.83.11

"Nokia NSeries System Utilities" = Nokia NSeries System Utilities 6.83.11

"Nokia PC Suite" = Nokia PC Suite

"NVIDIA Drivers" = NVIDIA Drivers

"RealPlayer 6.0" = RealPlayer

"Replay_AV_807" = Replay AV 8

"Replay_Converter_1" = Replay Converter 2.75C

"TurboTax 2008" = TurboTax 2008

"TurboTax Deluxe 2007" = TurboTax Deluxe 2007

"WinPcapInst" = WinPcap 4.0

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

Third log report:

Results of screen317's Security Check version 0.98.5

Windows Vista Service Pack 1

Out of date service pack!!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

WMIC entry does not exist for antivirus; attempting automatic update.

``````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

Malwarebytes' Anti-Malware

Gmer

HijackThis 2.0.2

Java 6 Update 11

Java SE Runtime Environment 6 Update 1

Java 6 Update 2

Java 6 Update 3

Java 6 Update 5

Java 6 Update 7

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 8.1.2

Adobe Reader 8.1.2 Security Update 1 (KB403742)

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Very random)

`````````End of Log```````````

Looking forward to the next step!

Thanks again in advance!

Don


First, when making replies here, use the ADDReply button and NOT the "Reply" button (which by default does a quote of the previous post, making for a lengthy & undesired copy).

Do the following, and at the end retry booting up in normal mode, and advise of same.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not dsjNeedsHelp and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools. Save any open work documents and exit your apps.

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    C:\Windows\System32\3383780972.dat
    C:\Windows\System32\acpkcs201n.exe
    C:\$RECYCLE.BIN
    C:\GetenNOW.exe
    C:\GetenNOW.dmp
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
    I:\recycler

    :Commands
    [purity]
    [emptytemp]
    [reboot]

  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see the message box "Fix complete! Click OK to open the fix log.", click the OK button.
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=

This system has older versions of Java Run-time.

Uninstall jre1.6 (or any earlier) + any other Sun Java (JRE, Java Runtime Environment) package via Add/Remove Programs.

If you see any other Java versions there, such as

Java


Maurice:

Thanks a bunch for your specific steps. I was successful in performing each one as indicated. During the last part (Trend Micro's DCE) I received one indication that a file was missing, but the scan ran successfully. You asked for the first log:

"navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post."

=

All processes killed

========== FILES ==========

C:\Windows\System32\3383780972.dat moved successfully.

C:\Windows\System32\acpkcs201n.exe moved successfully.

C:\$RECYCLE.BIN\S-1-5-21-4041010409-2044806714-3416792504-1004 moved successfully.

C:\$RECYCLE.BIN\S-1-5-21-4041010409-2044806714-3416792504-1002 moved successfully.

C:\$RECYCLE.BIN moved successfully.

C:\GetenNOW.exe moved successfully.

C:\GetenNOW.dmp moved successfully.

File\Folder C:\recycler not found.

File\Folder D:\recycler not found.

File\Folder e:\recycler not found.

File\Folder f:\recycler not found.

File\Folder g:\recycler not found.

File\Folder h:\recycler not found.

File\Folder I:\recycler not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Don

->Temp folder emptied: 2538933 bytes

->Temporary Internet Files folder emptied: 5913736 bytes

->Java cache emptied: 25146569 bytes

->FireFox cache emptied: 13122264 bytes

->Opera cache emptied: 7963755 bytes

User: Don 2

->Temp folder emptied: 404540 bytes

->Temporary Internet Files folder emptied: 7782889 bytes

->Java cache emptied: 1673989 bytes

->FireFox cache emptied: 1577316 bytes

->Opera cache emptied: 2669620 bytes

User: Public

User: Tien

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 112161 bytes

->Java cache emptied: 27297 bytes

->FireFox cache emptied: 10238496 bytes

->Opera cache emptied: 341867 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 527677 bytes

Windows Temp folder emptied: 16772 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 76.38 mb

OTL by OldTimer - Version 3.0.10.3 log created on 07302009_165209

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

end of OTL log file

Next - Java was updated exactly as requested.

Results of the "sysclean.com" log are below:

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2009-2010, Trend Micro, Inc. |

| http://www.trendmicro.com |

\--------------------------------------------------------------/

2009-07-30, 22:00:52, Auto-clean mode specified.

2009-07-30, 22:00:52, Running scanner "C:\DCE\TSC.BIN"...

2009-07-30, 22:01:08, Scanner "C:\DCE\TSC.BIN" has finished running.

2009-07-30, 22:01:08, TSC Log:


Maurice:

I am still having the same problem just after rebooting, after I replied to your last post asking for the "sysclean.log" about 15 minutes ago. I can only use the computer in safe mode again.

Something that I would like to add about the symptoms is that during boot up, if I notice a slightly longer delay in the boot process, right after the Microsoft Corp screen (with the small rectangle near center bottom of monitor, with the green indicator flowing across from left to right in the rectangle, indicating boot up) and before the Windows Vista Log On icon appears, I notice the following:

The monitor goes black (which is normal), then a SMALL white cursor arrow appears in the center, then a SMALL blue-green circle appears at the 1 o'clock position (next to the cursor), then both disappear. Each time this happens, after I log in as a user at the Windows Log On Screen, the blue screen with crash dump appears within two seconds. I don't know if this is important.

Anyway, I tried rebooting five times in normal mode, but each time got the same "crash dump".

Help!

Thanks in advance!

Don

  • Please RIGHT-click OTL.exe and choose Run As Administrator to run it.
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :files
    F:\Program Files\bio.exe
    F:\Users\ERiC\Desktop\New Folder\Desktop\Cryptedbot.exe


  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=

See if you can restart in normal mode. If not, use Safe mode With Networking.

Reply with a copy of the new OTL MovedFiles log.


OK, here are the results of the last OTL log file:

========== FILES ==========

File\Folder F:\Program Files\bio.exe not found.

File\Folder F:\Users\ERiC\Desktop\New Folder\Desktop\Cryptedbot.exe not found.

OTL by OldTimer - Version 3.0.10.3 log created on 07312009_215311

It seems that my McAfee ran just before this action, and found more viruses and deleted something. Maybe it explains the missing files???

What next?

Don


Maurice:

I am still not able to boot in normal mode; only in Safe Mode. What next?

Don


Hello Don,

Let's do this:

  • Please RIGHT-click OTL.exe and choose Run As Administrator to start it.
  • Now, look at the buttons on top (upper) left of OTL window. Click once on the None button.
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    dir C:\_OTL\MovedFiles\*.* /s/c


  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the Blue-colored button Run Scan.
  • Once you see a message box "Scan complete! Click OK to open the scan log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.


1 Aug 09:

Maurice:

OK! <_<

One more detail - I noticed that the blue screen "crash dump" occurs even if I do not log on at the Windows user screen. Just before posting, and before I read your post, I paused before logging on for about three minutes, and got a crash dump. Don't know if it means anything.

Here's the next OTL log:

OTL logfile created on: 8/1/2009 6:47:21 PM - Run 3

OTL by OldTimer - Version 3.0.10.3 Folder = C:\Users\Don\Desktop

Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6001.18000)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 372.61 Gb Total Space | 332.20 Gb Free Space | 89.15% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

Drive F: | 698.63 Gb Total Space | 602.31 Gb Free Space | 86.21% Space Free | Partition Type: NTFS

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DON-PC

Current User Name: Don

Logged in as Administrator.

Current Boot Mode: SafeMode with Networking

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Custom Scans ==========

< dir C:\_OTL\MovedFiles\*.* /s/c >

Volume in drive C has no label.

Volume Serial Number is 5CF6-EEBD

Directory of C:\_OTL\MOVEDFILES

07/31/2009 09:53 PM <DIR> .

07/31/2009 09:53 PM <DIR> ..

07/30/2009 04:52 PM <DIR> 07302009_165209

07/31/2009 06:08 AM 4,126 07302009_165209.log

07/31/2009 09:53 PM <DIR> 07312009_215311

07/31/2009 09:53 PM 458 07312009_215311.log

2 File(s) 4,584 bytes

Directory of C:\_OTL\MOVEDFILES\07302009_165209

07/30/2009 04:52 PM <DIR> .

07/30/2009 04:52 PM <DIR> ..

07/30/2009 04:52 PM <DIR> $RECYCLE.BIN

07/18/2009 03:23 PM 29,276 GetenNOW.dmp

07/18/2009 11:05 AM 469,504 GetenNOW.exe

07/30/2009 04:52 PM <DIR> Windows

2 File(s) 498,780 bytes

Directory of C:\_OTL\MOVEDFILES\07302009_165209\$RECYCLE.BIN

07/30/2009 04:52 PM <DIR> .

07/30/2009 04:52 PM <DIR> ..

0 File(s) 0 bytes

Directory of C:\_OTL\MOVEDFILES\07302009_165209\Windows

07/30/2009 04:52 PM <DIR> .

07/30/2009 04:52 PM <DIR> ..

07/30/2009 10:56 PM <DIR> System32

0 File(s) 0 bytes

Directory of C:\_OTL\MOVEDFILES\07302009_165209\Windows\System32

07/30/2009 10:56 PM <DIR> .

07/30/2009 10:56 PM <DIR> ..

0 File(s) 0 bytes

Directory of C:\_OTL\MOVEDFILES\07312009_215311

07/31/2009 09:53 PM <DIR> .

07/31/2009 09:53 PM <DIR> ..

0 File(s) 0 bytes

Total Files Listed:

4 File(s) 503,364 bytes

17 Dir(s) 356,695,412,736 bytes free

< End of report >

What's next?

Don


Maurice:

I just could not resist; I have run a Malwarebytes scan and here's the result:

Also, McAfee runs automatically, and here are the last several scans:

Don

McAfee:

7/22/2009 5:22:32 PM Scan Started: 07/22/2009 05:22:32 PM

7/22/2009 5:22:34 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"

7/22/2009 5:22:34 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"

7/22/2009 5:25:15 PM Total objects scanned: 4222

7/22/2009 5:25:15 PM Objects detected: 2

7/22/2009 5:25:15 PM Scan Done: 07/22/2009 05:25:15 PM

7/23/2009 6:05:00 PM Scan Started: 07/23/2009 06:05:00 PM

7/23/2009 6:05:02 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"

7/23/2009 6:05:02 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"

7/23/2009 6:17:01 PM Total objects scanned: 4224

7/23/2009 6:17:01 PM Objects detected: 2

7/23/2009 6:17:01 PM Scan Done: 07/23/2009 06:17:01 PM

7/27/2009 5:31:50 PM Scan Started: 07/27/2009 05:31:50 PM

7/27/2009 5:31:52 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"

7/27/2009 5:31:52 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"

7/27/2009 5:34:36 PM Total objects scanned: 4224

7/27/2009 5:34:36 PM Objects detected: 2

7/27/2009 5:34:36 PM Scan Done: 07/27/2009 05:34:36 PM

7/31/2009 4:37:50 PM Scan Started: 07/31/2009 04:37:50 PM

7/31/2009 4:37:52 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"

7/31/2009 4:37:52 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"

7/31/2009 4:41:04 PM Total objects scanned: 4257

7/31/2009 4:41:04 PM Objects detected: 2

7/31/2009 4:41:04 PM Scan Done: 07/31/2009 04:41:04 PM

8/1/2009 7:15:03 PM Scan Started: 08/01/2009 07:15:03 PM

8/1/2009 7:15:05 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"

8/1/2009 7:15:05 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"

8/1/2009 7:17:46 PM Total objects scanned: 4219

8/1/2009 7:17:46 PM Objects detected: 2

8/1/2009 7:17:46 PM Scan Done: 08/01/2009 07:17:46 PM

Malwarebytes:

Malwarebytes' Anti-Malware 1.39

Database version: 2541

Windows 6.0.6001 Service Pack 1

8/1/2009 6:58:15 PM

mbam-log-2009-08-01 (18-58-15).txt

Scan type: Quick Scan

Objects scanned: 101769

Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\System32\geyekrnntptbvt.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\systemroot\System32\geyekrnntptbvt.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

Still have crash dump every time!

don

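One thing a helper reads off the McAfee log above is that the very same rootkit detection comes back in every scan, which means the scanner sees the kernel hook but never clears it. As an added example (not code from the thread, McAfee or Malwarebytes), the parser below groups such a log into scans and reports detections that persist across runs; the sample log is constructed in the posted format from the values in this thread.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the format of the McAfee scan log posted above; the
# three scans and their values are copied from the thread so the parser can be
# run offline against exactly the shape of log this thread deals with.
SAMPLE_LOG = """\
7/22/2009 5:22:32 PM Scan Started: 07/22/2009 05:22:32 PM
7/22/2009 5:22:34 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
7/22/2009 5:22:34 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
7/22/2009 5:25:15 PM Total objects scanned: 4222
7/22/2009 5:25:15 PM Objects detected: 2
7/22/2009 5:25:15 PM Scan Done: 07/22/2009 05:25:15 PM
7/23/2009 6:05:00 PM Scan Started: 07/23/2009 06:05:00 PM
7/23/2009 6:05:02 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
7/23/2009 6:05:02 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
7/23/2009 6:17:01 PM Total objects scanned: 4224
7/23/2009 6:17:01 PM Objects detected: 2
7/23/2009 6:17:01 PM Scan Done: 07/23/2009 06:17:01 PM
8/1/2009 7:15:03 PM Scan Started: 08/01/2009 07:15:03 PM
8/1/2009 7:15:05 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/1/2009 7:15:05 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/1/2009 7:17:46 PM Total objects scanned: 4219
8/1/2009 7:17:46 PM Objects detected: 2
8/1/2009 7:17:46 PM Scan Done: 08/01/2009 07:17:46 PM
"""

# "<m/d/yyyy h:mm:ss AM|PM> <event text>"
EVENT_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (.+)$")
# Detection lines carry three quoted fields: object, threat name, and a numeric
# field whose meaning the log itself does not explain (kept verbatim).
DETECT_RE = re.compile(r'^"([^"]*)" "([^"]*)" "([^"]*)"$')


@dataclass
class Scan:
    started: str
    finished: str = ""
    objects_scanned: int = 0
    objects_detected: int = 0
    detections: list = field(default_factory=list)  # (object, threat, code)


def parse_mcafee_log(text):
    """Split the log into scans, one per 'Scan Started' ... 'Scan Done' run."""
    scans, current = [], None
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue                      # blank line or text in another format
        stamp, body = m.groups()
        if body.startswith("Scan Started:"):
            current = Scan(started=stamp)
            scans.append(current)
            continue
        if current is None:
            continue                      # event before the first scan header
        d = DETECT_RE.match(body)
        if d:
            current.detections.append(d.groups())
        elif body.startswith("Total objects scanned:"):
            current.objects_scanned = int(body.rsplit(":", 1)[1])
        elif body.startswith("Objects detected:"):
            current.objects_detected = int(body.rsplit(":", 1)[1])
        elif body.startswith("Scan Done:"):
            current.finished = stamp
    return scans


def recurring_detections(scans, min_scans=2):
    """Threats reported in at least `min_scans` different scans.

    A file the scanner removes is gone from the next run; a detection that
    returns scan after scan (here a kernel hook) is one the scanner sees but
    cannot clear, the signature of an active rootkit rather than a leftover file.
    """
    scans_seen = Counter()
    for scan in scans:
        for obj, threat, _code in set(scan.detections):   # count once per scan
            scans_seen[(obj, threat)] += 1
    return {key: n for key, n in scans_seen.items() if n >= min_scans}


def count_mismatches(scans):
    """Scans whose 'Objects detected' total disagrees with the detection lines."""
    return [s.started for s in scans if s.objects_detected != len(s.detections)]


def summarize(scans):
    lines = []
    for s in scans:
        names = sorted({threat for _obj, threat, _code in s.detections}) or ["clean"]
        lines.append(f"{s.started}: scanned {s.objects_scanned}, "
                     f"detected {s.objects_detected}: {', '.join(names)}")
    return lines


if __name__ == "__main__":
    parsed = parse_mcafee_log(SAMPLE_LOG)
    print("\n".join(summarize(parsed)))
    for (obj, threat), n in recurring_detections(parsed).items():
        print(f"persistent: {obj} [{threat}] seen in {n} of {len(parsed)} scans")
```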

Don,

Let's restore 1 file that was moved before. Then see if it helps out afterwards:

  • Please RIGHT-click OTL.exe and choose Run As Administrator to start it.
  • Now, look at the buttons on top (upper) left of OTL window. Click once on the None button.
  • Copy all the lines in between the **** stars **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    **********************************************************
    copy C:\_OTL\MOVEDFILES\07302009_165209\Windows\acpkcs201n.exe C:\Windows\System32\acpkcs201n.exe /c
    copy C:\_OTL\MOVEDFILES\07302009_165209\Windows\system32\acpkcs201n.exe C:\Windows\System32\acpkcs201n.exe /c
    **********************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the Blue-colored button Run Scan.
  • Once you see a message box "Scan complete! Click OK to open the scan log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Logoff and Restart the system fresh. Do not wait before logging in, if prompted; log in as soon as prompted.

Tell me if Normal mode is useable again.


Maurice:

OK, but it did not run without errors. I have not rebooted yet. Here's the log:

Error: Unable to interpret <copy C:\_OTL\MOVEDFILES\07302009_165209\Windows\acpkcs201n.exe C:\Windows\System32\acpkcs201n.exe /c> in the current context!

Error: Unable to interpret <copy C:\_OTL\MOVEDFILES\07302009_165209\Windows\system32\acpkcs201n.exe C:\Windows\System32\acpkcs201n.exe /c> in the current context!

OTL by OldTimer - Version 3.0.10.3 log created on 08012009_193700

One interesting thing though - after Mcafee ran, I was able to reboot normally. However, it does not stay that way.

Don


Go ahead and restart the system, if you have not done so already. We continue to want to see if normal mode is available.

Regarding the McAfee scan: Is it finished? Did you start it yourself? Did it have results?


Maurice:

Sorry about that, I hit the wrong button! Here's the results of "Run Scan":

OTL logfile created on: 8/1/2009 7:42:15 PM - Run 4

OTL by OldTimer - Version 3.0.10.3 Folder = C:\Users\Don\Desktop

Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6001.18000)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 372.61 Gb Total Space | 329.17 Gb Free Space | 88.34% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

Drive F: | 698.63 Gb Total Space | 602.31 Gb Free Space | 86.21% Space Free | Partition Type: NTFS

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DON-PC

Current User Name: Don

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Custom Scans ==========

< copy C:\_OTL\MOVEDFILES\07302009_165209\Windows\acpkcs201n.exe C:\Windows\System32\acpkcs201n.exe /c >

The system cannot find the file specified.

< copy C:\_OTL\MOVEDFILES\07302009_165209\Windows\system32\acpkcs201n.exe C:\Windows\System32\acpkcs201n.exe /c >

The system cannot find the file specified.

< End of report >

Will try to reboot now.

Don


OK. Take a break now. I missed one of your earlier posts because there have been many today.

Let me put together another plan.

Please wait for my next reply. I'm going to have you take steps to hunt for and squash rootkits.

Your MBAM run from today still shows traces of rootkit infection.

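The "traces of rootkit infection" in the MBAM log above are the entries reported under `\\?\globalroot\systemroot\...`, an NT object-namespace path rather than a normal drive path. As an added example (not part of the thread, and not MBAM's own code), the parser below reads MBAM-style result lines, maps that path back to its Win32 form, and separates what is hidden, what is still loaded, and what MBAM could only schedule for the next reboot; the sample lines are constructed from the 8/1 log posted above.

```python
import re

# Constructed MBAM-style result lines, copied from the 8/1 log posted above.
SAMPLE_MBAM = r"""
Memory Modules Infected:
\\?\globalroot\systemroot\System32\geyekrnntptbvt.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\System32\geyekrnntptbvt.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(.+ Infected):$")
# "<path or registry key> (<threat name>) -> <action taken>."
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")
# The \\?\ prefix bypasses Win32 path parsing; \GLOBALROOT under it is the NT
# object-manager root, and \SystemRoot is the NT symbolic link to the Windows
# directory. A module named this way was located by its NT path, not by a drive
# letter, which is the usual way a file hidden from normal directory listings
# still gets named in a scanner log.
GLOBALROOT_RE = re.compile(r"^\\\\\?\\globalroot\\(.+)$", re.IGNORECASE)
SYSTEMROOT_RE = re.compile(r"^systemroot\\(.+)$", re.IGNORECASE)


def parse_mbam_items(text):
    """Return one dict per reported item, tagged with the section it came from."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        s = SECTION_RE.match(line)
        if s:
            section = s.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section:               # "(No malicious items detected)" never matches
            path, threat, action = m.groups()
            items.append({"section": section, "path": path,
                          "threat": threat, "action": action})
    return items


def normalize_path(path):
    """Map an NT object-namespace path to its Win32 form.

    Returns (path, via_kernel_namespace). Paths under \\?\globalroot\systemroot\
    become %SystemRoot%\...; other object-manager paths keep their NT form.
    """
    g = GLOBALROOT_RE.match(path)
    if not g:
        return path, False
    nt_path = g.group(1)
    s = SYSTEMROOT_RE.match(nt_path)
    if s:
        return "%SystemRoot%\\" + s.group(1), True
    return "\\" + nt_path, True


def triage(items):
    """Group items the way a helper reads the log."""
    hidden, pending, loaded, on_disk = [], [], set(), set()
    for it in items:
        path, via_nt = normalize_path(it["path"])
        if via_nt and path not in hidden:
            hidden.append(path)
        if "reboot" in it["action"].lower() and path not in pending:
            pending.append(path)
        if it["section"] == "Memory Modules Infected":
            loaded.add(path)
        if it["section"] == "Files Infected":
            on_disk.add(path)
    # A DLL that is both loaded and on disk cannot be deleted while a process
    # holds it, so "deleted successfully" for the file does not mean it is gone;
    # the loaded copy can write it back before the reboot deletion runs.
    return {"rootkit_hidden": hidden, "pending_reboot": pending,
            "loaded_and_on_disk": sorted(loaded & on_disk)}


if __name__ == "__main__":
    result = triage(parse_mbam_items(SAMPLE_MBAM))
    for key, paths in result.items():
        print(f"{key}: {paths}")
```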

Don,

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

Friendly reminder: Given that this is a Vista system, for most all of the following programs and tools you will need to right-click on the program link, shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

These steps are for member dsjNeedsHelp only. If you are a casual viewer, do NOT try this on your system!

If you are not dsjNeedsHelp and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

If you have a prior copy of Combofix, delete it now!

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

NOW, Next, download & save SysProt Antirootkit from >>> this link <<<

It is at the bottom of the page under "Attachments".

Unzip it into a folder on your Desktop. Do NOT run it now. We will run it later.

=

1. Close any open browsers.

Next, physically disconnect the connection of this pc to your modem or router.

2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Driver::

geyekrserv

geyekrsrv

File::

c:\windows\system32\geyekrnntptbvt.dll

C:\recycler

D:\recycler

e:\recycler

f:\recycler

g:\recycler

h:\recycler

i:\recycler

C:\resycled

d:\resycled

e:\resycled

f:\resycled

g:\resycled

h:\resycled

i:\resycled

Save this as CFScript.txt, in the same location as ComboFix.exe (the Desktop)

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe {the red lion icon}.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

=

  • Right-click Sysprot.exe and then select "Run as Administrator" to start the program.
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to.
    Open the text file and copy/paste the log here.

=

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Logoff and Restart the system fresh.

RE-Enable your AntiVirus and AntiSpyware applications.

Now, reconnect this pc to your modem or router.

Reply with copy of the C:\Combofix.txt

and the Sysprot log

and the latest MBAM scan log


Maurice:

Several problems running these. Finally got all of them to run and produce the logs, and here they are:

ComboFix Log:

ComboFix 09-07-31.04 - Don 08/01/2009 23:19.3.2 - NTFSx86

Microsoft


Don,

Ahh, yes, that last bit on the network connection may very likely be the most important clue.

Disconnect any "other" computers on this network from the internet.

{The other computers may well have to be scanned for malware; but do NOT mix them in here; each one would have to be handled separate; and I'll leave those to you.}

On this pc Logoff Windows and select shutdown.

Power off your pc.

If it has a physical connection to a modem or router, disconnect it as well.

If you have a router, power it OFF and unplug it.

Power up the pc (while it is NOT connected to modem or router). Login to Windows in Normal mode (otherwise, in Safe Mode with Networking).

Start your MBAM.

Click the Settings Tab. Make sure all option lines have a checkmark.

When done, click the Scanner tab.

Do a Quick Scan. Let it quarantine or remove tagged items. Get a copy of that log in your next reply.

Locate your HijackThis at this folder C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

and then right click Hijackthis.exe and select RENAME

and rename it to FINDEM.exe

Start Findem {Hijackthis} and do a Scan and Save log.

=

Please RIGHT-click OTL.exe and choose Run As Administrator to run it.

Then press the pink-colored Quick Scan button. Wait for the log report to finish.

Keep the other pcs disconnected from the internet.

Power up and reconnect the router if unplugged, and wait for it to display all lights and show connected.

Reconnect the connections of this pc to the modem or router.

Wait and make sure that pc has internet connectivity.

Reply with copy of the MBAM log

and the new HijackThis log

and the new OTL.txt log


Maurice:

Thanks again for staying with me on this solution. Haven't found it yet, but still searching.

Here are the results of the latest scans:

MBAM log 2 Aug 09:

Malwarebytes' Anti-Malware 1.39

Database version: 2541

Windows 6.0.6001 Service Pack 1

8/2/2009 9:57:30 AM

mbam-log-2009-08-02 (09-57-30).txt

Scan type: Quick Scan

Objects scanned: 103936

Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\System32\geyekrnntptbvt.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\systemroot\System32\geyekrnntptbvt.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:06:11 AM, on 8/2/2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18248)

Boot mode: Safe mode with network support

Running processes:

C:\Windows\Explorer.EXE

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Trend Micro\HijackThis\FINDEM.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: PE_IE_Helper Class - {0941C58F-E461-4E03-BD7D-44C27392ADE1} - C:\Program Files\IBM\Lotus Forms\Viewer\3.5\PEhelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [NvMediaCenter] "C:\Windows\system32\RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] "C:\Windows\system32\RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [Replay AV] "C:\Program Files\Replay AV 8\ReplayAV.exe" -quiet

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O13 - Gopher Prefix:

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...678/mcfscan.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe

O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FYMMY - Unknown owner - C:\Users\DON2~1\AppData\Local\Temp\FYMMY.exe (file missing)

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: Microsoft Office Groove Audit Service MicrosoftTHREADORDER (MicrosoftTHREADORDER) - Unknown owner - C:\Windows\system32\acpkcs201n.exe (file missing)

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 7662 bytes

OTL log 2 Aug 09:

OTL logfile created on: 8/2/2009 10:08:20 AM - Run 5

OTL by OldTimer - Version 3.0.10.3 Folder = C:\Users\Don\Desktop

Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6001.18000)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 372.61 Gb Total Space | 332.21 Gb Free Space | 89.16% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

Drive F: | 698.63 Gb Total Space | 602.31 Gb Free Space | 86.21% Space Free | Partition Type: NTFS

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DON-PC

Current User Name: Don

Logged in as Administrator.

Current Boot Mode: SafeMode with Networking

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 14 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/03/19 11:42:02 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe

PRC - [2008/10/29 08:29:41 | 02,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Explorer.EXE

PRC - [2008/01/19 09:33:33 | 00,037,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\unsecapp.exe

PRC - [2009/03/03 04:16:04 | 00,247,296 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\wmiprvse.exe

PRC - [2009/01/08 20:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe

PRC - [2009/01/08 20:30:26 | 00,645,328 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe

PRC - [2009/07/31 21:49:55 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/05/15 16:08:40 | 00,182,576 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe -- (accoca [Auto | Stopped])

SRV - [2009/02/02 02:33:18 | 00,317,440 | ---- | M] (Amazon.com) -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe -- (Amazon Download Agent [Auto | Stopped])

SRV - [2009/06/05 11:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Stopped])

SRV - [2008/11/05 17:35:08 | 00,085,096 | ---- | M] (Autodesk) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service [On_Demand | Stopped])

SRV - [2008/12/12 12:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Stopped])

SRV - [2008/07/27 20:03:13 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])

SRV - [2008/01/19 09:33:09 | 00,292,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe -- (ehRecvr [On_Demand | Stopped])

SRV - [2006/11/02 14:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Stopped])

SRV - [2006/11/02 14:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart [Auto | Stopped])

SRV - [2008/01/19 09:36:53 | 01,013,760 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wevtsvc.dll -- (Eventlog [Auto | Running])

SRV - [2008/06/20 03:14:44 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])

SRV - File not found -- -- (FYMMY [On_Demand | Stopped])

SRV - [2009/03/22 15:59:04 | 00,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe -- (GoToAssist [On_Demand | Stopped])

SRV - [2005/11/14 02:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])

SRV - [2008/06/20 03:14:31 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [unknown | Stopped])

SRV - [2007/04/13 17:49:00 | 00,101,528 | ---- | M] () -- C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE -- (IJPLMSVC [Auto | Stopped])

SRV - [2008/10/10 06:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService [Auto | Stopped])

SRV - [2009/06/05 13:39:14 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])

SRV - [2006/12/15 02:49:10 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Stopped])

SRV - [2008/07/26 08:27:42 | 00,141,848 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher [Auto | Stopped])

SRV - [2009/02/11 11:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service [Auto | Stopped])

SRV - [2009/01/08 20:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])

SRV - [2009/01/09 11:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto | Stopped])

SRV - [2009/04/01 14:21:30 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])

SRV - [2009/01/09 08:06:52 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Stopped])

SRV - [2009/03/25 11:05:48 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [unknown | Stopped])

SRV - [2009/03/24 00:03:18 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [On_Demand | Stopped])

SRV - [2007/08/24 07:59:20 | 00,068,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [On_Demand | Stopped])

SRV - File not found -- -- (MicrosoftTHREADORDER [Auto | Stopped])

SRV - [2009/03/19 11:42:02 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService [Auto | Running])

SRV - [2008/06/20 03:14:31 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])

SRV - [2006/12/24 02:54:04 | 00,262,144 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Stopped])

SRV - [2008/11/04 22:34:50 | 00,203,296 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe -- (nvsvc [Auto | Stopped])

SRV - [2007/08/24 04:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])

SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])

SRV - [2008/01/19 09:35:27 | 00,052,736 | ---- | M] (Hewlett-Packard) -- C:\Windows\System32\HPZipm12.dll -- (Pml Driver HPZ12 [Auto | Stopped])

SRV - [2007/01/25 19:31:34 | 00,093,048 | ---- | M] (CACE Technologies) -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd [On_Demand | Stopped])

SRV - [2009/06/02 10:10:08 | 00,637,952 | ---- | M] (Nokia.) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer [On_Demand | Stopped])

SRV - [2008/01/19 09:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend [On_Demand | Stopped])

SRV - [2008/01/19 09:33:39 | 00,896,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [Auto | Stopped])

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AIM Search"

FF - prefs.js..browser.search.defaulturl: "http://search.aol.com/aolcom/search?invocationType=tbff50ie7&query="

FF - prefs.js..browser.search.selectedEngine: "AIM Search"

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"

FF - prefs.js..keyword.URL: "http://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query="

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/09/20 16:12:48 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/03/20 19:41:03 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/06/24 10:59:19 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2009/07/14 17:20:50 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 1.5\Extensions\\Components: C:\Program Files\Mozilla Firefox\Components [2009/07/17 17:14:51 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 1.5\Extensions\\Plugins: C:\Program Files\Mozilla Firefox\Plugins [2009/07/14 15:32:40 | 00,000,000 | ---D | M]

[2008/09/06 20:11:48 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\mozilla\Firefox\Profiles\45zlaw1e.default\extensions

[2007/12/09 15:46:29 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\mozilla\Firefox\Profiles\45zlaw1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

[2008/09/10 17:49:01 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\mozilla\Firefox\Profiles\45zlaw1e.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}

[2008/09/06 20:11:46 | 00,000,246 | ---- | M] () -- C:\Users\Don\AppData\Roaming\Mozilla\FireFox\Profiles\45zlaw1e.default\searchplugins\AIM Search.src

[2008/09/10 17:49:10 | 00,001,010 | ---- | M] () -- C:\Users\Don\AppData\Roaming\Mozilla\FireFox\Profiles\45zlaw1e.default\searchplugins\aimsearch.gif

[2008/09/10 17:49:10 | 00,000,301 | ---- | M] () -- C:\Users\Don\AppData\Roaming\Mozilla\FireFox\Profiles\45zlaw1e.default\searchplugins\aimsearch.src

[2008/11/22 12:00:04 | 00,000,275 | ---- | M] () -- C:\Users\Don\AppData\Roaming\Mozilla\FireFox\Profiles\45zlaw1e.default\searchplugins\search.xml

[2009/07/30 17:20:06 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions

[2007/10/06 11:21:02 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

[2007/10/06 11:20:51 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

[2009/07/30 17:20:06 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

[2007/10/06 11:20:53 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\realplayer@partners.mozilla.com

[2007/10/06 11:20:50 | 00,060,526 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jar50.dll

[2007/10/06 11:20:51 | 00,049,256 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jsd3250.dll

[2007/10/06 11:20:50 | 00,166,000 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\xpinstal.dll

[2003/03/18 21:20:00 | 01,060,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\mfc71.dll

[2003/02/21 04:42:22 | 00,348,160 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\msvcr71.dll

[2009/07/30 17:19:52 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll

[2008/01/04 23:57:08 | 01,335,600 | ---- | M] (DivX,Inc.) -- C:\Program Files\mozilla firefox\plugins\npdivx32.dll

[2008/01/08 01:14:26 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\mozilla firefox\plugins\npDivxPlayerPlugin.dll

[2009/05/19 10:05:00 | 00,155,648 | ---- | M] (IBM Corporation) -- C:\Program Files\mozilla firefox\plugins\npmfv.dll

[2007/10/06 11:20:51 | 00,017,032 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll

[2006/10/26 20:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL

[2007/05/10 23:52:34 | 00,095,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll

[2007/10/06 11:22:06 | 00,140,624 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nppl3260.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll

[2009/07/14 15:32:40 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll

[2007/10/06 11:22:18 | 00,008,192 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprjplug.dll

[2007/10/06 11:21:56 | 00,094,208 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprpjplug.dll

[2005/08/09 20:42:53 | 00,057,344 | ---- | M] (America Online, Inc.) -- C:\Program Files\mozilla firefox\plugins\npunagi2.dll

[2007/10/06 11:20:52 | 00,000,680 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.png

[2007/10/06 11:20:52 | 00,000,741 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.src

[2007/10/06 11:20:52 | 00,001,150 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.png

[2007/10/06 11:20:52 | 00,000,539 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.src

[2007/10/06 11:20:52 | 00,000,356 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.png

[2007/10/06 11:20:52 | 00,001,007 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.src

[2007/10/06 11:20:52 | 00,000,210 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.gif

[2007/10/06 11:20:52 | 00,001,056 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.src

[2007/10/06 11:20:52 | 00,001,076 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.gif

[2007/10/06 11:20:52 | 00,000,718 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.src

[2007/10/06 11:20:52 | 00,000,088 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.gif

[2007/10/06 11:20:52 | 00,001,122 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.src

O1 HOSTS File: (27 bytes) - C:\Windows\System32\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (PE_IE_Helper Class) - {0941C58F-E461-4E03-BD7D-44C27392ADE1} - C:\Program Files\IBM\Lotus Forms\Viewer\3.5\PEhelper.dll (IBM Corporation)

O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O2 - BHO: (AOL Toolbar Launcher) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)

O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O3 - HKLM\..\Toolbar: (AIM Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O3 - HKCU\..\Toolbar\WebBrowser: (AIM Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O4 - HKLM..\Run: [accrdsub] C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe (ActivIdentity)

O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\system32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\system32\NvMcTray.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (Microsoft Corporation)

O4 - HKCU..\Run: [Replay AV] C:\Program Files\Replay AV 8\ReplayAV.exe (Applian Technologies Inc.)

O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)

O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/...678/mcfscan.cab (McFreeScan Class)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 83.169.185.33 83.169.185.97

O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)

O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)

O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\Explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found

O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 23:43:36 | 00,000,024 | ---- | M] () - F:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck) - File not found

O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)

O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 14 Days ==========

[2009/08/02 09:59:35 | 00,000,000 | ---D | C] -- C:\Avenger

[2009/08/02 09:58:25 | 00,008,212 | ---- | C] () -- C:\Windows\mfebcdata

[2009/08/02 09:58:23 | 02,779,889 | -H-- | C] () -- C:\Users\Don\AppData\Local\IconCache.db

[2009/08/01 23:36:35 | 00,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

[2009/08/01 21:54:44 | 00,000,000 | ---D | C] -- C:\Users\Don\Desktop\Fix1Aug09

[2009/08/01 21:52:35 | 03,152,071 | R--- | C] () -- C:\Users\Don\Desktop\Combo-Fix.exe

[2009/07/31 21:49:53 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe

[2009/07/31 16:47:15 | 00,000,706 | ---- | C] () -- C:\Users\Don\Desktop\opera.exe - Shortcut.lnk

[2009/07/30 21:37:04 | 00,000,000 | ---D | C] -- C:\DCE

[2009/07/30 21:05:36 | 00,035,127 | ---- | C] () -- C:\Users\Public\Documents\Malwarebytes Forum 30 July 09.docx

[2009/07/30 17:19:50 | 00,000,000 | ---D | C] -- C:\Program Files\Java

[2009/07/30 16:52:09 | 00,000,000 | ---D | C] -- C:\_OTL

[2009/07/25 19:42:17 | 00,562,539 | ---- | C] () -- C:\Users\Don\Desktop\SecurityCheck.exe

[2009/07/24 15:53:43 | 00,000,733 | ---- | C] () -- C:\Users\Don\Desktop\NTREGOPT.lnk

[2009/07/24 15:53:43 | 00,000,714 | ---- | C] () -- C:\Users\Don\Desktop\ERUNT.lnk

[2009/07/24 15:53:42 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT

[2009/07/21 18:33:31 | 00,001,874 | ---- | C] () -- C:\Users\Don\Desktop\HijackThis.lnk

[2009/07/21 18:33:31 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2009/07/21 18:27:52 | 00,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/07/21 18:27:50 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

[2009/07/21 18:27:49 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2009/07/20 17:53:40 | 00,009,829 | ---- | C] () -- C:\Users\Public\Documents\PCS Sales.xlsx

[2009/07/19 14:09:16 | 01,818,097 | ---- | C] () -- C:\Users\Public\Documents\Sale-items-Germany.docx

========== Files - Modified Within 14 Days ==========

[2009/08/02 10:04:17 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2009/08/02 10:03:03 | 00,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2009/08/02 10:03:03 | 00,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2009/08/02 10:03:01 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT

[2009/08/02 10:02:42 | 00,000,000 | ---- | M] () -- C:\Windows\System32\drivers\lvuvc.hs

[2009/08/02 10:01:17 | 24,273,4172 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2009/08/02 09:58:25 | 00,008,212 | ---- | M] () -- C:\Windows\mfebcdata

[2009/08/02 09:58:25 | 00,004,105 | ---- | M] () -- C:\Windows\System32\Config.MPF

[2009/08/02 09:58:23 | 02,779,889 | -H-- | M] () -- C:\Users\Don\AppData\Local\IconCache.db

[2009/08/02 09:53:16 | 02,248,248 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2009/08/02 09:53:16 | 00,666,852 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2009/08/02 09:53:16 | 00,005,064 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI

[2009/08/02 09:48:44 | 00,474,304 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[2009/08/02 00:19:48 | 00,002,032 | ---- | M] () -- C:\Users\Don\AppData\Local\d3d9caps.dat

[2009/08/01 23:31:02 | 00,000,215 | ---- | M] () -- C:\Windows\system.ini

[2009/08/01 23:30:38 | 00,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts

[2009/08/01 21:52:38 | 03,152,071 | R--- | M] () -- C:\Users\Don\Desktop\Combo-Fix.exe

[2009/08/01 19:32:10 | 00,002,231 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk

[2009/08/01 19:32:03 | 00,000,414 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{09FC0A04-5003-4B4F-9F6B-0F4197BFE6BC}.job

[2009/07/31 21:49:55 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe

[2009/07/31 16:47:15 | 00,000,706 | ---- | M] () -- C:\Users\Don\Desktop\opera.exe - Shortcut.lnk

[2009/07/30 21:05:37 | 00,035,127 | ---- | M] () -- C:\Users\Public\Documents\Malwarebytes Forum 30 July 09.docx

[2009/07/25 19:42:19 | 00,562,539 | ---- | M] () -- C:\Users\Don\Desktop\SecurityCheck.exe

[2009/07/24 15:53:43 | 00,000,733 | ---- | M] () -- C:\Users\Don\Desktop\NTREGOPT.lnk

[2009/07/24 15:53:43 | 00,000,714 | ---- | M] () -- C:\Users\Don\Desktop\ERUNT.lnk

[2009/07/21 18:33:31 | 00,001,874 | ---- | M] () -- C:\Users\Don\Desktop\HijackThis.lnk

[2009/07/21 18:27:52 | 00,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/07/20 17:53:40 | 00,009,829 | ---- | M] () -- C:\Users\Public\Documents\PCS Sales.xlsx

[2009/07/20 10:18:00 | 00,000,472 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job

[2009/07/19 17:00:16 | 00,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini

[2009/07/19 15:49:00 | 00,002,585 | ---- | M] () -- C:\Users\Don\Desktop\Microsoft Office Excel 2007.lnk

[2009/07/19 15:11:25 | 01,818,097 | ---- | M] () -- C:\Users\Public\Documents\Sale-items-Germany.docx

========== LOP Check ==========

[2009/07/14 17:20:39 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming

[2008/09/02 21:18:52 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\acccore

[2008/07/13 12:53:47 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Ahead

[2008/09/02 21:18:23 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\AIM

[2008/11/12 19:38:04 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Autodesk

[2009/06/07 18:28:28 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Canon

[2007/08/20 18:47:38 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Centra

[2008/04/13 12:34:35 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Intuit

[2008/09/02 19:07:40 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Leadertech

[2006/11/02 14:37:34 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Media Center Programs

[2009/03/27 00:41:46 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Nokia

[2008/10/13 16:41:07 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\NSeries

[2007/05/11 16:28:15 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Opera

[2008/10/13 16:41:20 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\PC Suite

[2009/06/12 17:43:15 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\PureEdge

[2008/04/11 13:13:00 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\ScanSoft

[2007/07/03 22:59:14 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Share-to-Web Upload Folder

[2007/05/10 18:21:16 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Template

[2009/07/20 10:18:00 | 00,000,472 | ---- | M] () -- C:\Windows\Tasks\Ad-Aware Update (Weekly).job

[2009/07/15 01:00:00 | 00,000,336 | ---- | M] () -- C:\Windows\Tasks\McDefragTask.job

[2009/06/01 01:00:10 | 00,000,328 | ---- | M] () -- C:\Windows\Tasks\McQcTask.job

[2009/08/02 10:03:01 | 00,000,006 | -H-- | M] () -- C:\Windows\Tasks\SA.DAT

[2009/08/02 09:58:25 | 00,032,588 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

[2009/08/01 19:32:03 | 00,000,414 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{09FC0A04-5003-4B4F-9F6B-0F4197BFE6BC}.job

========== Purity Check ==========

< End of report >

OK, what is next? I am running virus scans on the other two laptops that are normally connected to the home network. I have the wireless router turned off, and my pc (this infected one) connected to the cable modem. Hope this is safe.

Don


You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

Close any of your open programs while you run these tools.

Given that this is a Vista system, for most of the following programs and tools you will need to right-click the program link, shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

As long as normal Vista mode is not usable, keep running in Safe Mode with Networking. As we progress here, whenever a reboot/restart is done, continue to use F8 (at reboot) to restart the system into Safe Mode with Networking.

I'm going to have you try running OTL to look for & squash any rootkit traces. But this also has to be followed up to find the re-infector that causes the rootkit to re-appear. Be aware this OTL process will force a reboot.

  • Please Right-click OTL.exe and choose Run As Administrator to run it.
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :files
    C:\$RECYCLE.BIN
    c:\windows\system32\geyekrnntptbvt.dll
    c:\windows\system32\drivers\geyekr*.*
    c:\windows\system32\geyekr*.dll
    c:\windows\system32\TDSS*.dll
    c:\windows\system32\Seneka*.dll
    c:\windows\system32\GAOPDX*.dll
    c:\windows\system32\UAC*.dll
    c:\windows\system32\ovsft*.dll
    c:\windows\system32\kungsf*.dll
    c:\windows\system32\Skynet*.dll
    c:\windows\system32\MSIVX*.dll
    c:\windows\system32\hjgrui*.dll
    c:\windows\system32\wzszx*.dll
    c:\windows\system32\ESQUL*.dll
    c:\windows\system32\drivers\TDSS*.*
    c:\windows\system32\drivers\Seneka*.*
    c:\windows\system32\drivers\GAOPDX*.*
    c:\windows\system32\drivers\UAC*.*
    c:\windows\system32\drivers\ovsft*.*
    c:\windows\system32\drivers\kungsf*.*
    c:\windows\system32\drivers\Skynet*.*
    c:\windows\system32\drivers\MSIVX*.*
    c:\windows\system32\drivers\hjgrui*.*
    c:\windows\system32\drivers\wzszx*.*
    c:\windows\system32\drivers\ESQUL*.*
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
    i:\recycler
    C:\resycled
    d:\resycled
    e:\resycled
    f:\resycled
    g:\resycled
    h:\resycled
    i:\resycled
    :Commands
    [purity]
    [emptytemp]
    [reboot]


  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

=

Next, new run of Combofix (on your Desktop with red lion icon)

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

RIGHT-click Combo-Fix.exe on your Desktop and select Run as Administrator to start it.

  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt.

Please post the C:\ComboFix.txt along with a new HijackThis log for further review.

Note:

Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

=

Please download and scan with SUPERAntiSpyware

  • RIGHT-click SUPERAntiSpyware.exe and select Run as Administrator to start it, and use the default settings for installation.
  • An icon will be created on your desktop. RIGHT-click that icon and select Run as Administrator to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

=

Reply with:

  • a copy of the OTL MovedFiles log
  • the C:\Combofix.txt log
  • the SAS log

and advise: how is your system now?

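The OTL fix above works by name: it lists wildcard paths for the rootkit families of the day (TDSS*, Seneka*, GAOPDX*, UAC*, and the randomly named geyekr* files seen on this machine) and moves whatever matches. The following is an added example written for this page, not part of the thread and not OldTimer's OTL code: a small Python parser for the OTL file-listing lines shown in the log above, run against the wildcard list from the :files section so you can see which logged entries the fix would touch before you run it. The sample lines are partly copied from the log on this page and partly constructed (the driver geyekrabcd.sys, and the sizes, attributes and timestamps of the two geyekr hits are made up for the demo). Two assumptions are built in and labelled in the code: matching is case-insensitive, as on NTFS, and a trailing `*.*` is treated the way Windows does (it also matches names with no extension), which Python's fnmatch would not do on its own.

```python
"""Parse OTL "Files - Modified" lines and match them against an OTL :files list.

Added example for this thread; not OTL's own code. Sample data is constructed.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# One OTL listing line, e.g.
#   [2009/08/02 10:02:42 | 00,000,000 | ---- | M] () -- C:\Windows\System32\drivers\lvuvc.hs
# Directory lines in the LOP check have no "(vendor)" group, so it is optional.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[MC])\] "
    r"(?:\((?P<vendor>[^)]*)\) )?-- (?P<path>.+)$"
)

# The :files block from the fix above, trimmed to the system32 patterns.
OTL_FIX_FILES = r"""
C:\$RECYCLE.BIN
c:\windows\system32\geyekrnntptbvt.dll
c:\windows\system32\drivers\geyekr*.*
c:\windows\system32\geyekr*.dll
c:\windows\system32\TDSS*.dll
c:\windows\system32\Seneka*.dll
c:\windows\system32\GAOPDX*.dll
c:\windows\system32\UAC*.dll
c:\windows\system32\drivers\TDSS*.*
c:\windows\system32\drivers\Seneka*.*
c:\windows\system32\drivers\GAOPDX*.*
c:\windows\system32\drivers\UAC*.*
"""

# Constructed sample: real lines from the log above plus two made-up geyekr hits.
SAMPLE_LINES = [
    r"[2009/08/02 10:02:42 | 00,000,000 | ---- | M] () -- C:\Windows\System32\drivers\lvuvc.hs",
    r"[2009/08/01 23:30:38 | 00,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts",
    r"[2009/07/31 21:49:55 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe",
    r"[2009/07/15 03:12:09 | 00,051,712 | -H-- | M] () -- C:\Windows\System32\drivers\geyekrabcd.sys",  # constructed
    r"[2009/07/15 03:12:09 | 00,020,480 | -H-- | M] () -- C:\Windows\System32\geyekrnntptbvt.dll",    # constructed size/time
    r"[2007/05/11 16:28:15 | 00,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Opera",
    "========== LOP Check ==========",  # section header, must be ignored
]


@dataclass
class OtlEntry:
    timestamp: str
    size: int
    attrs: str      # e.g. "-H--" hidden, "R---" read-only, "---D" directory
    path: str
    vendor: Optional[str]

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Return an OtlEntry for a listing line, or None for headers/blank lines."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        timestamp=m["ts"],
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        path=m["path"].strip(),
        vendor=m["vendor"] or None,
    )


def normalize_pattern(pattern: str) -> str:
    """Lower-case (assumption: NTFS is case-insensitive) and map Windows '*.*' to '*'."""
    p = pattern.strip().lower()
    if p.endswith("*.*"):
        p = p[:-2]  # Windows '*.*' also matches names with no extension
    return p


def load_fix_patterns(text: str) -> List[str]:
    return [normalize_pattern(l) for l in text.splitlines() if l.strip()]


def matches_fix(path: str, patterns: Iterable[str]) -> Optional[str]:
    """First fix pattern the path matches, or None. fnmatchcase keeps '\\' literal."""
    lp = path.lower()
    for pat in patterns:
        if fnmatch.fnmatchcase(lp, pat):
            return pat
    return None


def triage(lines: Iterable[str], patterns: List[str]) -> List[Tuple[str, str, bool]]:
    """(path, matched pattern, hidden?) for every logged entry the fix would move."""
    hits = []
    for line in lines:
        entry = parse_otl_line(line)
        if entry is None:
            continue
        pat = matches_fix(entry.path, patterns)
        if pat is not None:
            hits.append((entry.path, pat, entry.hidden))
    return hits


FIX_PATTERNS = load_fix_patterns(OTL_FIX_FILES)

if __name__ == "__main__":
    for path, pat, hidden in triage(SAMPLE_LINES, FIX_PATTERNS):
        print(f"{'HIDDEN ' if hidden else ''}{path}  <-  {pat}")
```

Run as a script it lists only the two geyekr files; lvuvc.hs, hosts and OTL.exe fall through because no pattern names them. The point of doing this before running the fix is to spot a wildcard that is broader than intended: a `*` in fnmatch also crosses backslashes, so a pattern such as `c:\windows\system32\uac*.dll` would match anything under a `system32\uac\` subfolder as well, which is worth a glance before OTL moves it.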

Not too successful following instructions this time; Combofix did not run correctly. Got a pop-up that indicated a new version was available, so I clicked "No" to upgrade to the newer version. About five seconds later, got two "beeps" (kinda high pitch) then the pc rebooted. I used "F8" and logged in and waited, but no log file opened. I checked Task Manager and nothing was running. So, I now post results without proceeding further with your instructions.

Also, my McAfee is still in the systray, and I cannot make it go away. I did turn everything in McAfee off, so it does not pop-up. Is this the correct response?

Here's the OTL log: Nope, it is not there!! It was, but something has deleted it!!

Now what?

Don


Please go slow as you go along.

To turn off McAfee, see this --> How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Did you actually start and see that OTL ran?

Delete the prior copy of Combofix now!

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop


Yes, OTL started to load like normal, and then the pop-up asking to update to newer version; which I clicked "NO". I guess downloading a new version will update right?

Also, I disabled McAfee Security Center as indicated prior to the last scan.

This topic is now closed to further replies.
