
Please read



Ok, on Thursday night/early Friday morning, 7/15-7/16/10, I was on Neopets and accidentally clicked a cger link. It took me to an offsite website. I have WOT and of course it was red. It had Windows popups where I had to use Task Manager to get out of it. After that I used CCleaner, which seemed to clean a lot of stuff, which is making me wonder if anything got downloaded. I ran Microsoft SE, AVG, and Spybot Search and Destroy scans and they came up fine. I tried to do a full scan with Malwarebytes but my comp froze.

I can no longer go on AIM or use Windows Media Player. I thought it was because of AVG, because they were working fine before I downloaded it. I got rid of it today and I still can't get Windows Media Player to open, and I took AIM off my comp so I can't try that.

Here is my HijackThis log. I'm sure there is something here I should remove, but I have never used this before, so any help would be great.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:56:47 PM, on 7/24/2010

Platform: Unknown Windows (WinNT 6.01.3504)

MSIE: Internet Explorer v8.00 (8.00.7600.16385)

Boot mode: Normal

Running processes:

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Users\xxxxxxxxxxxxxxxx\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\xxxxxxxxxxxxxxxx\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\xxxxxxxxxxxxxxxx\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\xxxxxxxxxxxxxxxx\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\xxxxxxxxxxxxxxxx\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&a...84z1l5t4842x244

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&a...84z1l5t4842x244

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&a...84z1l5t4842x244

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&a...84z1l5t4842x244

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)

O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll

O4 - HKCU\..\Run: [Google Update] "C:\Users\xxxxxxxxxxxxxxxx\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O13 - Gopher Prefix:

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\Acer Games\Acer Game Console\GameConsoleService.exe

O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\Acer\Registration\GregHSRW.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: MyWinLocker Service (MWLService) - Egis Technology Inc. - C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe

O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - NewTech Infosystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: Updater Service - Acer - C:\Program Files\Acer\Acer Updater\UpdaterService.exe

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--

End of file - 10485 bytes


Hi and welcome to Malwarebytes.

Describe in detail what symptoms you are currently experiencing.

Download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.

Hey, I just tried this; a window pops up and disappears really quickly.



Hi,

Try this instead:

Download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • Click Run Scan and let the program run uninterrupted.
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.

Again, please describe in detail what symptoms you are currently experiencing.

-screen317

Link to post
Share on other sites


Ok, this one seems to be running. Like I said, I can't get AIM or Windows Media Player to run. Before, I got BSoDs, but I ran disk checker a few days ago and I think that fixed things. I just found the "Event Viewer", I think it's called, and there are tons of events on there. Besides those problems there really aren't any; like I said, when I got redirected I think something could have got downloaded to my comp, like a rootkit or something. I am not a comp expert by any means, which is why I am here to see if you guys can find anything.


Okay. Well we'll see what the OTL scan turns up.

OTL logfile created on: 7/24/2010 4:36:19 PM - Run 1

OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\xxxxxxxxxxxxxxxx\Downloads

64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7600.16385)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 54.00% Memory free

5.00 Gb Paging File | 4.00 Gb Available in Paging File | 73.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 136.95 Gb Total Space | 94.91 Gb Free Space | 69.30% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: xxxxxxxxxxxxxxxxx

Current User Name: xxxxxxxxxxxxxxxx

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Include 64bit Scans

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/24 16:36:02 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\xxxxxxxxxxxxxxxx\Downloads\OTL.exe

PRC - [2010/06/28 22:27:23 | 000,945,720 | ---- | M] (Google Inc.) -- C:\Users\xxxxxxxxxxxxxxxx\AppData\Local\Google\Chrome\Application\chrome.exe

PRC - [2009/08/21 22:17:00 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

PRC - [2009/08/06 13:18:54 | 000,311,592 | ---- | M] (Egis Technology Inc.) -- C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\MWLService.exe

PRC - [2009/07/03 21:47:12 | 000,240,160 | ---- | M] (Acer) -- C:\Program Files\Acer\Acer Updater\UpdaterService.exe

PRC - [2009/06/17 20:31:58 | 000,144,640 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe

PRC - [2009/06/04 09:04:50 | 001,150,496 | ---- | M] (Acer Incorporated) -- C:\Program Files (x86)\Acer\Registration\GregHSRW.exe

PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe

========== Modules (SafeList) ==========

MOD - [2010/07/24 16:36:02 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\xxxxxxxxxxxxxxxx\Downloads\OTL.exe

MOD - [2009/07/13 21:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx

MOD - [2009/07/13 21:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/03/25 23:48:42 | 000,017,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)

SRV:64bit: - [2009/08/18 12:48:02 | 002,291,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)

SRV:64bit: - [2009/08/06 00:30:58 | 000,844,320 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe -- (ePowerSvc)

SRV:64bit: - [2009/07/29 08:03:42 | 000,203,264 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)

SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV:64bit: - [2009/07/03 21:47:12 | 000,240,160 | ---- | M] (Acer) [Auto | Running] -- C:\Program Files\Acer\Acer Updater\UpdaterService.exe -- (Updater Service)

SRV - [2009/08/06 13:18:54 | 000,311,592 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe -- (MWLService)

SRV - [2009/06/17 20:31:58 | 000,144,640 | ---- | M] (NewTech Infosystems, Inc.) [Auto | Running] -- C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe -- (NTISchedulerSvc)

SRV - [2009/06/17 20:31:46 | 000,050,432 | ---- | M] (NewTech InfoSystems, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe -- (NTIBackupSvc)

SRV - [2009/06/04 09:04:50 | 001,150,496 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files (x86)\Acer\Registration\GregHSRW.exe -- (Greg_Service)

SRV - [2009/05/22 14:02:20 | 000,250,616 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Acer Games\Acer Game Console\GameConsoleService.exe -- (GameConsoleService)

SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)

========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\RtsUCcid.sys -- (USBCCID)

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\Rts516xIR.sys -- (RtsUIR)

DRV:64bit: - [2009/08/09 23:07:14 | 000,222,208 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtsUStor.sys -- (RSUSBSTOR)

DRV:64bit: - [2009/07/29 18:11:24 | 006,038,016 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)

DRV:64bit: - [2009/07/27 03:04:36 | 000,058,880 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C) NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20)

DRV:64bit: - [2009/07/16 07:33:44 | 001,488,384 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)

DRV:64bit: - [2009/07/13 21:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)

DRV:64bit: - [2009/07/13 21:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)

DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)

DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)

DRV:64bit: - [2009/07/13 21:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)

DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)

DRV:64bit: - [2009/06/18 08:12:32 | 000,272,432 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)

DRV:64bit: - [2009/06/10 16:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)

DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)

DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)

DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)

DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)

DRV:64bit: - [2009/06/02 07:15:30 | 000,060,464 | ---- | M] (Egis Technology Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mwlPSDVDisk.sys -- (mwlPSDVDisk)

DRV:64bit: - [2009/06/02 07:15:30 | 000,022,576 | ---- | M] (Egis Technology Inc.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\mwlPSDFilter.sys -- (mwlPSDFilter)

DRV:64bit: - [2009/06/02 07:15:30 | 000,020,016 | ---- | M] (Egis Technology Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mwlPSDNserv.sys -- (mwlPSDNServ)

DRV:64bit: - [2009/05/05 04:46:08 | 000,018,432 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NTIDrvr.sys -- (NTIDrvr)

DRV:64bit: - [2009/05/05 04:46:08 | 000,016,896 | ---- | M] (NewTech Infosystems Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\UBHelper.sys -- (UBHelper)

DRV:64bit: - [2009/05/04 09:30:28 | 000,016,440 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\AtiPcie.sys -- (AtiPcie) AMD PCI Express (3GIO)

DRV:64bit: - [2009/04/03 09:39:58 | 000,034,872 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\usbfilter.sys -- (usbfilter)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&a...84z1l5t4842x244

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&a...84z1l5t4842x244

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&a...84z1l5t4842x244

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&a...84z1l5t4842x244

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&a...84z1l5t4842x244

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&a...84z1l5t4842x244

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.neopets.com"

FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7

FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20100503

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1

FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.10

FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.7

FF - prefs.js..extensions.enabledItems: {fe0258ab-4f74-43a1-8781-bcdf340f9ee9}:2.6.4

FF - prefs.js..extensions.enabledItems: {cf47767d-5f3a-4e32-9fce-5d79565c9702}:1.1

FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.825

FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/01/04 13:35:29 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/07/16 09:58:46 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/07/19 23:47:37 | 000,000,000 | ---D | M]

[2010/07/16 09:59:27 | 000,000,000 | ---D | M] -- C:\Users\xxxxxxxxxxxxxxxx\AppData\Roaming\Mozilla\Extensions

[2010/07/17 15:07:27 | 000,000,000 | ---D | M] -- C:\Users\xxxxxxxxxxxxxxxx\AppData\Roaming\Mozilla\Firefox\Profiles\ykvef5bn.default\extensions

[2010/07/16 10:22:55 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\xxxxxxxxxxxxxxxx\AppData\Roaming\Mozilla\Firefox\Profiles\ykvef5bn.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

[2010/07/16 10:13:18 | 000,000,000 | ---D | M] (WOT) -- C:\Users\xxxxxxxxxxxxxxxx\AppData\Roaming\Mozilla\Firefox\Profiles\ykvef5bn.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

[2010/07/16 10:31:10 | 000,000,000 | ---D | M] (LinkExtend) -- C:\Users\xxxxxxxxxxxxxxxx\AppData\Roaming\Mozilla\Firefox\Profiles\ykvef5bn.default\extensions\{cf47767d-5f3a-4e32-9fce-5d79565c9702}

[2010/07/16 10:22:55 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\xxxxxxxxxxxxxxxx\AppData\Roaming\Mozilla\Firefox\Profiles\ykvef5bn.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

[2010/07/16 10:27:15 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Users\xxxxxxxxxxxxxxxx\AppData\Roaming\Mozilla\Firefox\Profiles\ykvef5bn.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

[2010/07/16 10:31:11 | 000,000,000 | ---D | M] (Redirect Remover) -- C:\Users\xxxxxxxxxxxxxxxx\AppData\Roaming\Mozilla\Firefox\Profiles\ykvef5bn.default\extensions\{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}

[2010/07/16 12:44:53 | 000,000,000 | ---D | M] -- C:\Users\xxxxxxxxxxxxxxxx\AppData\Roaming\Mozilla\Firefox\Profiles\ykvef5bn.default\extensions\keyscrambler@qfx.software.corporation

[2010/07/16 09:58:42 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions

O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts

O2:64bit: - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssiea.dll File not found

O2:64bit: - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)

O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

O2:64bit: - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg64.dll (Google Inc.)

O2:64bit: - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.

O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)

O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll File not found

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.

O2 - BHO: (WOT Helper) - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll ()

O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)

O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (WOT) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll ()

O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

O3:64bit: - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (WOT) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll ()

O4 - HKLM..\Run: [] File not found

O4 - HKCU..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3

O8:64bit: - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)

O8 - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)

O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)

O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)

O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)

O13 - gopher Prefix: missing

O13 - gopher Prefix: missing

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.64.150 68.87.75.198

O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\wot {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - Reg Error: Key error. File not found

O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)

O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)

O18 - Protocol\Handler\wot {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll ()

O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

O30:64bit: - LSA: Security Packages - (livessp) - C:\Windows\SysNative\livessp.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (livessp) - C:\Windows\SysWow64\livessp.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/24 15:56:38 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro

[2010/07/24 15:24:09 | 000,000,000 | ---D | C] -- C:\VundoFix Backups

[2010/07/24 14:16:55 | 000,000,000 | ---D | C] -- C:\ProgramData\SecTaskMan

[2010/07/24 14:16:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Security Task Manager

[2010/07/21 10:21:56 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\drivers\avg

[2010/07/18 11:27:12 | 000,000,000 | ---D | C] -- C:\Users\xxxxxxxxxxxxxxxx\AppData\Roaming\PeerNetworking

[2010/07/17 09:55:22 | 000,000,000 | ---D | C] -- C:\Windows\pss

[2010/07/16 17:55:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AVG

[2010/07/16 09:59:07 | 000,000,000 | ---D | C] -- C:\Users\xxxxxxxxxxxxxxxx\AppData\Roaming\Mozilla

[2010/07/16 09:59:07 | 000,000,000 | ---D | C] -- C:\Users\xxxxxxxxxxxxxxxx\AppData\Local\Mozilla

[2010/07/16 09:58:38 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox

[2010/07/16 00:19:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab Setup Files

[2010/07/14 09:38:54 | 000,144,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cdd.dll

[2010/06/28 21:09:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Antimalware

[2010/06/25 02:07:21 | 000,000,000 | ---D | C] -- C:\4bdf0312c04be8eb40f4da32

========== Files - Modified Within 30 Days ==========

[2010/07/24 16:40:54 | 001,835,008 | -HS- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\ntuser.dat

[2010/07/24 16:31:33 | 000,001,502 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Desktop\dds - Shortcut.lnk

[2010/07/24 15:59:00 | 000,000,944 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3648176129-1440165320-851753708-1002UA.job

[2010/07/24 15:56:39 | 000,002,097 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Desktop\HijackThis.lnk

[2010/07/24 14:59:00 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3648176129-1440165320-851753708-1002Core.job

[2010/07/24 14:44:36 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2010/07/24 14:44:36 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2010/07/24 14:37:25 | 000,524,288 | -HS- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\ntuser.dat{63c9a532-9752-11df-b312-002622681d15}.TMContainer00000000000000000002.regtrans-ms

[2010/07/24 14:37:24 | 000,524,288 | -HS- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\ntuser.dat{63c9a532-9752-11df-b312-002622681d15}.TMContainer00000000000000000001.regtrans-ms

[2010/07/24 14:37:24 | 000,065,536 | -HS- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\ntuser.dat{63c9a532-9752-11df-b312-002622681d15}.TM.blf

[2010/07/24 14:37:01 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT

[2010/07/24 14:36:53 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2010/07/24 14:36:49 | 325,524,710 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2010/07/24 14:36:46 | 2211,483,648 | -HS- | M] () -- C:\hiberfil.sys

[2010/07/24 14:01:55 | 006,291,456 | -H-- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\AppData\Local\IconCache.db

[2010/07/23 23:24:26 | 000,049,664 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/07/20 15:25:50 | 000,005,920 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\AppData\Roaming\wklnhst.dat

[2010/07/20 01:54:05 | 000,068,510 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Desktop\minidump.zip

[2010/07/19 23:29:57 | 000,001,052 | -H-- | M] () -- C:\IPH.PH

[2010/07/18 11:27:14 | 000,033,134 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\AppData\Roaming\UserTile.png

[2010/07/17 14:55:14 | 000,002,366 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Desktop\Google Chrome.lnk

[2010/07/16 09:59:13 | 000,000,000 | ---- | M] () -- C:\Windows\nsreg.dat

[2010/07/16 09:58:48 | 000,001,967 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk

[2010/07/16 09:58:48 | 000,001,943 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk

[2010/07/16 09:43:37 | 000,000,358 | ---- | M] () -- C:\Windows\tasks\McDefragTask.job

[2010/07/16 09:43:37 | 000,000,336 | ---- | M] () -- C:\Windows\tasks\McQcTask.job

[2010/07/16 00:09:51 | 000,001,441 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

[2010/07/14 00:31:25 | 000,940,590 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank71310a.html

[2010/07/13 23:20:53 | 000,376,982 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\gigi71310.html

[2010/07/13 14:17:14 | 000,159,924 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank71310.html

[2010/07/13 01:04:40 | 000,923,703 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank71210.html

[2010/07/11 00:19:58 | 000,627,961 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank71010.html

[2010/07/08 16:45:33 | 000,466,129 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank7810.html

[2010/07/07 23:58:05 | 001,322,038 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank7710.html

[2010/07/07 23:54:34 | 000,537,333 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\wes7710.html

[2010/07/07 18:58:43 | 000,017,408 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\7710song658pm.wps

[2010/07/06 16:13:03 | 000,524,288 | -HS- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\ntuser.dat{8e734156-8927-11df-85f7-002622681d15}.TMContainer00000000000000000002.regtrans-ms

[2010/07/06 16:13:03 | 000,524,288 | -HS- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\ntuser.dat{8e734156-8927-11df-85f7-002622681d15}.TMContainer00000000000000000001.regtrans-ms

[2010/07/06 16:13:03 | 000,065,536 | -HS- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\ntuser.dat{8e734156-8927-11df-85f7-002622681d15}.TM.blf

[2010/07/04 10:45:59 | 000,200,586 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank7410.html

[2010/07/04 00:20:40 | 001,137,236 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank7310.html

[2010/07/03 23:27:01 | 000,023,040 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\7310.wps

[2010/07/02 14:18:14 | 000,002,018 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk

[2010/06/28 21:08:24 | 000,001,035 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Security Essentials.lnk

[2010/06/28 16:10:26 | 000,034,816 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\xxxxxxxxxxxxxxxxxresume2010.doc

[2010/06/28 16:10:05 | 000,017,360 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\xxxxxxxxxxxxxxxxxresume.docx

[2010/06/28 16:09:14 | 000,169,375 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\xxxxxxxxxxxxxxxxxresume.pdf

[2010/06/28 16:03:15 | 000,017,288 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\retailresume.docx

[2010/06/27 09:09:57 | 000,001,011 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Desktop\CCleaner.lnk

[2010/06/27 00:58:52 | 000,870,847 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank62610a.html

[2010/06/26 19:28:40 | 000,303,337 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank62610.html

[2010/06/26 00:26:02 | 000,159,780 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\gigi62510.html

[2010/06/26 00:25:48 | 000,306,034 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\sarah62510a.html

[2010/06/26 00:25:37 | 000,558,815 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank62510a.html

[2010/06/25 14:53:36 | 000,173,127 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\sarah62510.html

[2010/06/25 14:53:26 | 000,221,754 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank62510.html

[2010/06/25 02:10:06 | 000,734,546 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI

[2010/06/25 02:10:06 | 000,619,502 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat

[2010/06/25 02:10:06 | 000,105,646 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

[2010/06/25 02:04:34 | 002,282,809 | ---- | M] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank62410.html

========== Files Created - No Company Name ==========

[2010/07/24 16:31:33 | 000,001,502 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Desktop\dds - Shortcut.lnk

[2010/07/24 15:56:39 | 000,002,097 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Desktop\HijackThis.lnk

[2010/07/24 14:37:25 | 000,524,288 | -HS- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\ntuser.dat{63c9a532-9752-11df-b312-002622681d15}.TMContainer00000000000000000002.regtrans-ms

[2010/07/24 14:37:24 | 000,524,288 | -HS- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\ntuser.dat{63c9a532-9752-11df-b312-002622681d15}.TMContainer00000000000000000001.regtrans-ms

[2010/07/24 14:37:24 | 000,065,536 | -HS- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\ntuser.dat{63c9a532-9752-11df-b312-002622681d15}.TM.blf

[2010/07/20 01:54:05 | 000,068,510 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Desktop\minidump.zip

[2010/07/18 11:27:14 | 000,033,134 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\AppData\Roaming\UserTile.png

[2010/07/17 14:55:14 | 000,002,366 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Desktop\Google Chrome.lnk

[2010/07/17 14:54:17 | 000,000,944 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3648176129-1440165320-851753708-1002UA.job

[2010/07/17 14:54:16 | 000,000,892 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3648176129-1440165320-851753708-1002Core.job

[2010/07/16 18:06:52 | 325,524,710 | ---- | C] () -- C:\Windows\MEMORY.DMP

[2010/07/16 09:59:13 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat

[2010/07/16 09:58:48 | 000,001,967 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk

[2010/07/16 09:58:48 | 000,001,943 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk

[2010/07/16 00:49:41 | 000,000,358 | ---- | C] () -- C:\Windows\tasks\McDefragTask.job

[2010/07/16 00:49:38 | 000,000,336 | ---- | C] () -- C:\Windows\tasks\McQcTask.job

[2010/07/14 00:31:24 | 000,940,590 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank71310a.html

[2010/07/13 23:20:52 | 000,376,982 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\gigi71310.html

[2010/07/13 14:17:14 | 000,159,924 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank71310.html

[2010/07/13 01:04:39 | 000,923,703 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank71210.html

[2010/07/11 00:19:57 | 000,627,961 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank71010.html

[2010/07/08 16:45:32 | 000,466,129 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank7810.html

[2010/07/07 23:58:03 | 001,322,038 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank7710.html

[2010/07/07 23:54:33 | 000,537,333 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\wes7710.html

[2010/07/07 18:58:43 | 000,017,408 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\7710song658pm.wps

[2010/07/06 15:06:33 | 000,524,288 | -HS- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\ntuser.dat{8e734156-8927-11df-85f7-002622681d15}.TMContainer00000000000000000002.regtrans-ms

[2010/07/06 15:06:33 | 000,524,288 | -HS- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\ntuser.dat{8e734156-8927-11df-85f7-002622681d15}.TMContainer00000000000000000001.regtrans-ms

[2010/07/06 15:06:33 | 000,065,536 | -HS- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\ntuser.dat{8e734156-8927-11df-85f7-002622681d15}.TM.blf

[2010/07/04 10:45:58 | 000,200,586 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank7410.html

[2010/07/04 00:20:39 | 001,137,236 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank7310.html

[2010/07/03 23:22:54 | 000,023,040 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\7310.wps

[2010/06/28 16:10:24 | 000,034,816 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\xxxxxxxxxxxxxxxxxresume2010.doc

[2010/06/28 16:09:12 | 000,169,375 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\xxxxxxxxxxxxxxxxxresume.pdf

[2010/06/28 16:06:25 | 000,017,360 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\xxxxxxxxxxxxxxxxxresume.docx

[2010/06/27 00:58:51 | 000,870,847 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank62610a.html

[2010/06/26 19:28:40 | 000,303,337 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank62610.html

[2010/06/26 00:26:02 | 000,159,780 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\gigi62510.html

[2010/06/26 00:25:48 | 000,306,034 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\sarah62510a.html

[2010/06/26 00:25:36 | 000,558,815 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank62510a.html

[2010/06/25 14:53:36 | 000,173,127 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\sarah62510.html

[2010/06/25 14:53:25 | 000,221,754 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank62510.html

[2010/06/25 02:04:32 | 002,282,809 | ---- | C] () -- C:\Users\xxxxxxxxxxxxxxxx\Documents\hank62410.html

[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll

[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll

< End of report >


Hi,

Uninstall Windows Media Player from Add or Remove Programs, then get the latest version from Microsoft Update (in addition to all other available updates).

Then restart your computer and see if you can access it now.

See, that is the problem though: I already tried that (and again just now), and it isn't listed there or in Revo Uninstaller. That is what I did with AIM; I uninstalled it and reinstalled it and I still couldn't open it. For AIM, it looked like it tried to open and then closed right away. That is why I thought it was an antivirus problem, having both AVG and Microsoft SE.


You can find it here:

Start --> Programs --> Accessories --> System Tools --> System Restore

If it was related to the redirect, I would see other indications of infection; it appears to be unrelated at this point.

It will only let me restore to 7/19 at the earliest, and I think I need to go back before that.


I just ran ADS Spy, which comes with HijackThis; I saw someone talking about it on another online board. Anyway, when I hit scan it says it's complete in like 0 seconds. Does that mean it doesn't detect anything?

I found this in my Event Viewer at, I think, the time I accidentally clicked on that link:

Log Name: Application

Source: Microsoft-Windows-EventSystem

Date: 7/15/2010 11:33:54 PM

Event ID: 4625

Task Category: None

Level: Information

Keywords: Classic

User: N/A

Description:

The EventSystem sub system is suppressing duplicate event log entries for a duration of 86400 seconds. The suppression timeout can be controlled by a REG_DWORD value named SuppressDuplicateDuration under the following registry key: HKLM\Software\Microsoft\EventSystem\EventLog.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-EventSystem" Guid="{899daace-4868-4295-afcd-9eb8fb497561}" EventSourceName="EventSystem" />

<EventID Qualifiers="16384">4625</EventID>

<Version>0</Version>

<Level>4</Level>

<Task>0</Task>

<Opcode>0</Opcode>

<Keywords>0x80000000000000</Keywords>

<TimeCreated SystemTime="2010-07-16T03:33:54.000000000Z" />

<EventRecordID>18772</EventRecordID>

<Correlation />

<Execution ProcessID="0" ThreadID="0" />

<Channel>Application</Channel>

<Security />

</System>

<EventData>

<Data Name="param1">86400</Data>

<Data Name="param2">SuppressDuplicateDuration</Data>

<Data Name="param3">Software\Microsoft\EventSystem\EventLog</Data>

</EventData>

</Event>


Found this too:

Log Name: Application

Source: ESENT

Date: 7/15/2010 11:36:29 PM

Event ID: 301

Task Category: Logging/Recovery

Level: Information

Keywords: Classic

User: N/A

Description:

Windows (2776) Windows: The database engine has begun replaying logfile C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="ESENT" />

<EventID Qualifiers="0">301</EventID>

<Level>4</Level>

<Task>3</Task>

<Keywords>0x80000000000000</Keywords>

<TimeCreated SystemTime="2010-07-16T03:36:29.000000000Z" />

<EventRecordID>18786</EventRecordID>

<Channel>Application</Channel>

<Security />

</System>

<EventData>

<Data>Windows</Data>

<Data>2776</Data>

<Data>Windows: </Data>

<Data>C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log</Data>

</EventData>

</Event>


This doesn't look right to me either:

Log Name: Application

Source: Microsoft-Windows-Security-SPP

Date: 7/15/2010 11:39:52 PM

Event ID: 1066

Task Category: None

Level: Information

Keywords: Classic

User: N/A

Description:

Initialization status for service objects.

C:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000

C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000

C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/2005, 0x00000000, 0x00000000

C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000

C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000

C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/licenserenewal/1.0, 0x00000000, 0x00000000

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />

<EventID Qualifiers="16384">1066</EventID>

<Version>0</Version>

<Level>4</Level>

<Task>0</Task>

<Opcode>0</Opcode>

<Keywords>0x80000000000000</Keywords>

<TimeCreated SystemTime="2010-07-16T03:39:52.000000000Z" />

<EventRecordID>18791</EventRecordID>

<Correlation />

<Execution ProcessID="0" ThreadID="0" />

<Channel>Application</Channel>

<Security />

</System>

<EventData>

<Data>C:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000

C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000

C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/2005, 0x00000000, 0x00000000

C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000

C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000

C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/licenserenewal/1.0, 0x00000000, 0x00000000

</Data>

</EventData>

</Event>


This doesn't look good at all:

Log Name: Application

Source: Microsoft-Windows-User Profiles Service

Date: 7/16/2010 12:41:12 AM

Event ID: 1530

Task Category: None

Level: Warning

Keywords:

User: SYSTEM

Description:

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -

15 user registry handles leaked from \Registry\User\S-1-5-21-3648176129-1440165320-851753708-1002:

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Microsoft\SystemCertificates\TrustedPeople

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Microsoft\SystemCertificates\trust

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Microsoft\SystemCertificates\Root

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Policies\Microsoft\SystemCertificates

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Policies\Microsoft\SystemCertificates

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Policies\Microsoft\SystemCertificates

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Policies\Microsoft\SystemCertificates

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Microsoft\SystemCertificates\My

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Microsoft\SystemCertificates\CA

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Microsoft\SystemCertificates\SmartCardRoot

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Microsoft\SystemCertificates\Disallowed

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />

<EventID>1530</EventID>

<Version>0</Version>

<Level>3</Level>

<Task>0</Task>

<Opcode>0</Opcode>

<Keywords>0x8000000000000000</Keywords>

<TimeCreated SystemTime="2010-07-16T04:41:12.448706500Z" />

<EventRecordID>18805</EventRecordID>

<Correlation />

<Execution ProcessID="392" ThreadID="3012" />

<Channel>Application</Channel>

<Security UserID="S-1-5-18" />

</System>

<EventData Name="EVENT_HIVE_LEAK">

<Data Name="Detail">15 user registry handles leaked from \Registry\User\S-1-5-21-3648176129-1440165320-851753708-1002:

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Microsoft\SystemCertificates\TrustedPeople

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Microsoft\SystemCertificates\trust

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Microsoft\SystemCertificates\Root

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Policies\Microsoft\SystemCertificates

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Policies\Microsoft\SystemCertificates

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Policies\Microsoft\SystemCertificates

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Policies\Microsoft\SystemCertificates

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Microsoft\SystemCertificates\My

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Microsoft\SystemCertificates\CA

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Microsoft\SystemCertificates\SmartCardRoot

Process 2596 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3648176129-1440165320-851753708-1002\Software\Microsoft\SystemCertificates\Disallowed

</Data>

</EventData>

</Event>


Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 7/15/2010 11:37:27 PM

Event ID: 5058

Task Category: Other System Events

Level: Information

Keywords: Audit Success

User: N/A

Description:

Key file operation.

Subject:

Security ID: LOCAL SERVICE

Account Name: LOCAL SERVICE

Account Domain: NT AUTHORITY

Logon ID: 0x3e5

Cryptographic Parameters:

Provider Name: Microsoft Software Key Storage Provider

Algorithm Name: Not Available.

Key Name: 9313e99a-221f-4784-8d04-4e3417d1a33d

Key Type: Machine key.

Key File Operation Information:

File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\593d704bafc289dd7f3b6a129d69a018_d6ab8cf2-a629-4af0-b08f-d7c2b5e66fa1

Operation: Read persisted key from file.

Return Code: 0x0

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

<EventID>5058</EventID>

<Version>0</Version>

<Level>0</Level>

<Task>12292</Task>

<Opcode>0</Opcode>

<Keywords>0x8020000000000000</Keywords>

<TimeCreated SystemTime="2010-07-16T03:37:27.158350600Z" />

<EventRecordID>34887</EventRecordID>

<Correlation />

<Execution ProcessID="536" ThreadID="3068" />

<Channel>Security</Channel>

<Security />

</System>

<EventData>

<Data Name="SubjectUserSid">S-1-5-19</Data>

<Data Name="SubjectUserName">LOCAL SERVICE</Data>

<Data Name="SubjectDomainName">NT AUTHORITY</Data>

<Data Name="SubjectLogonId">0x3e5</Data>

<Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>

<Data Name="AlgorithmName">%%2432</Data>

<Data Name="KeyName">9313e99a-221f-4784-8d04-4e3417d1a33d</Data>

<Data Name="KeyType">%%2499</Data>

<Data Name="KeyFilePath">C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\593d704bafc289dd7f3b6a129d69a018_d6ab8cf2-a629-4af0-b08f-d7c2b5e66fa1</Data>

<Data Name="Operation">%%2458</Data>

<Data Name="ReturnCode">0x0</Data>

</EventData>

</Event>

Is this a keylogger?

