
Google redirect and friends, + Black Screen of Death [Closed]



#1
chupata
Member, 20 posts

Hi,

I got a Google-redirect virus a few days ago (ppcblinks, directrdr) which I tried to deal with using MBAM and Super Anti Spyware. Unfortunately they came back and brought in a few other infections as well, and after I ran MBAM + Super again, it somehow messed with my Windows registries to the point where I get the Black Screen of Death in Vista. I get as far as logging in, but then I'm instantly hit with "Windows Explorer has stopped working" and "Google Installer has stopped working" error messages, and my desktop never shows up because Explorer won't run. In addition, the "Microsoft Windows Search Protocol Host has stopped working" error pops up literally every couple of seconds. Any attempt to run a program from Task Manager results in "Task Manager has stopped working" as well.

As a result I'm having to run all the diagnostics in Safe Mode. Logs are below.

MBAM Log:

Had to change the filenames of the setup file and the mbam.exe file before I could get them to run. Then when I tried to run the main program, I got:

"An error occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team.

Error code: 704 (0,0)"

So, no log because the program isn't working for me.


RootRepeal Log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/04 00:14
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x88CF1000 Size: 32768 File Visible: No Signed: -
Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x88CE6000 Size: 45056 File Visible: No Signed: -
Status: -

Name: H8SRTrmbtkpsctm.sys
Image Path: C:\Windows\system32\drivers\H8SRTrmbtkpsctm.sys
Address: 0x8DD2E000 Size: 114688 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x88DF1000 Size: 49152 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\Windows\system32\drivers\H8SRTrmbtkpsctm.sys

==EOF==



OTL Log:

OTL logfile created on: 12/4/2009 12:17:39 AM - Run 1
OTL by OldTimer - Version 3.1.11.4 Folder = C:\Windows\system32\config\systemprofile\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 225.10 Gb Total Space | 101.25 Gb Free Space | 44.98% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CATERPILLAR
Current User Name: carlo
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/03 23:56:05 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Windows\System32\config\systemprofile\Desktop\OTL.exe
PRC - [2009/04/10 22:27:44 | 00,636,080 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/04/10 22:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/02/04 16:09:00 | 00,252,440 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxsrvc.exe


========== Modules (SafeList) ==========

MOD - [2009/12/03 23:56:05 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Windows\System32\config\systemprofile\Desktop\OTL.exe
MOD - [2009/04/10 22:28:22 | 00,406,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msvcp60.dll
MOD - [2009/04/10 22:21:38 | 01,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/23 23:20:48 | 02,309,520 | ---- | M] () -- C:/Program Files/Common Files/Akamai/rswin_3612.dll -- (Akamai)
SRV - [2009/11/12 17:06:04 | 00,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/03/25 16:34:08 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9adaa9861fac1) Google Update Service (gupdate1c9adaa9861fac1)
SRV - [2008/11/20 11:18:52 | 00,136,120 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/07/22 08:59:42 | 00,794,624 | ---- | M] () -- C:\Program Files\TVersity\Media Server\MediaServer.exe -- (TVersityMediaServer)
SRV - [2008/02/21 09:26:20 | 00,182,392 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)
SRV - [2008/01/20 18:23:32 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/11/28 01:08:02 | 00,077,824 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2007/11/28 01:02:20 | 00,053,248 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2007/11/28 00:43:44 | 00,053,248 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2007/06/05 12:20:32 | 00,177,704 | ---- | M] () -- C:\Windows\System32\PSIService.exe -- (ProtexisLicensing)
SRV - [2007/01/04 18:48:52 | 00,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/11/02 04:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/11/25 09:40:15 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/20 18:56:03 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/20 18:54:53 | 00,000,000 | ---D | M]

[2009/08/09 18:23:24 | 00,000,000 | ---D | M] -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Mozilla\Extensions
[2009/12/03 10:42:53 | 00,000,000 | ---D | M] -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Mozilla\Firefox\Profiles\h48m1j8c.default\extensions
[2009/12/03 10:42:53 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/03/27 17:42:45 | 00,889,856 | ---- | M] (UPEK Inc.) -- C:\Program Files\Mozilla Firefox\components\pbgk1_9.dll

O1 HOSTS File: (27 bytes) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (C:\Windows\system32\m8x8vi.dll) - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\Windows\System32\m8x8vi.dll File not found
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [atwtusb] C:\Windows\System32\ATWTUSB.EXE ()
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe (Sony Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe File not found
O4 - HKLM..\Run: [Persistence] C:\Windows\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [PSQLLauncher] C:\Program Files\Protector Suite QL\launcher.exe (UPEK Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SmartWiHelper] C:\Program Files\Sony Corporation\SmartWi Connection Utility\SmartWiHelper.exe (Sony Electronics Corporation)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [jsh87r3huiehf89esiudgd] C:\Windows\TEMP\lrrf96f.exe File not found
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\akjfhlsf.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (Sun Microsystems, Inc.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_04)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - AppInit_DLLs: (C:\Windows\system32\curslib.dll) - C:\Windows\System32\curslib.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (vrlogon.dll) - C:\Windows\System32\vrlogon.dll (UPEK Inc.)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\psfus: DllName - C:\Windows\system32\psqlpwd.dll - C:\Windows\System32\psqlpwd.dll (UPEK Inc.)
O20 - Winlogon\Notify\VESWinlogon: DllName - VESWinlogon.dll - C:\Windows\System32\VESWinlogon.dll (Sony Corporation)
O22 - SharedTaskScheduler: {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - jkshf8a3rudbfa873fudfhbdugf87whjdb - C:\Windows\System32\m8x8vi.dll File not found
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 13:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: BtwSrv - File not found
NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/01/20 18:34:27 | 00,000,000 | ---D | M]
NetSvcs: Irmon - C:\Windows\System32\irmon.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 14 Days ==========

[2009/12/04 00:10:23 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/04 00:10:21 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/12/04 00:10:21 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/04 00:04:27 | 04,844,272 | ---- | C] (Malwarebytes Corporation ) -- C:\Windows\system32\config\systemprofile\Desktop\aljfhalfda.exe
[2009/12/03 23:56:04 | 00,535,552 | ---- | C] (OldTimer Tools) -- C:\Windows\system32\config\systemprofile\Desktop\OTL.exe
[2009/12/03 23:55:32 | 00,472,064 | ---- | C] ( ) -- C:\Windows\system32\config\systemprofile\Desktop\RootRepeal.exe
[2009/12/03 23:53:49 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Windows\system32\config\systemprofile\Desktop\erunt_setup.exe
[2009/12/03 23:53:36 | 00,021,504 | ---- | C] (Doug Knox) -- C:\Windows\system32\config\systemprofile\Desktop\SysRestorePoint.exe
[2009/12/03 23:52:39 | 00,341,504 | ---- | C] (OldTimer Tools) -- C:\Windows\system32\config\systemprofile\Desktop\TFC.exe
[2009/12/03 23:14:33 | 00,000,000 | ---D | C] -- C:\MGtools
[2009/12/03 22:54:05 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/12/03 22:01:22 | 00,000,000 | ---D | C] -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Macromedia
[2009/12/03 21:59:35 | 00,000,000 | ---D | C] -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Malwarebytes
[2009/12/03 10:44:07 | 00,000,000 | ---D | C] -- C:\Windows\System32\config\systemprofile\AppData\Roaming\SUPERAntiSpyware.com
[2009/12/03 10:36:00 | 00,000,000 | ---D | C] -- C:\ProgramData\pokumala
[2009/12/03 10:35:59 | 00,000,000 | ---D | C] -- C:\ProgramData\rawituzo
[2009/12/03 10:35:59 | 00,000,000 | ---D | C] -- C:\ProgramData\galifure
[2009/12/03 10:31:06 | 00,051,712 | ---- | C] (Eset ) -- C:\gelcdomj.exe
[2009/12/01 02:07:11 | 00,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2009/12/01 02:07:04 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/12/01 02:06:21 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/11/30 19:06:51 | 00,000,000 | -HSD | C] -- C:\ProgramData\WSGSHUD_APDM
[2009/11/30 19:06:15 | 00,000,000 | -HSD | C] -- C:\ProgramData\ba5a7a7
[2009/11/23 23:41:32 | 00,000,000 | ---D | C] -- C:\AeriaGames
[2009/11/23 23:20:40 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Akamai

========== Files - Modified Within 14 Days ==========

[2009/12/04 00:13:58 | 00,000,000 | ---- | M] () -- C:\Windows\system32\config\systemprofile\Desktop\settings.dat
[2009/12/04 00:13:22 | 00,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/12/04 00:13:22 | 00,594,698 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/12/04 00:13:22 | 00,100,766 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/12/04 00:08:59 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/12/04 00:04:30 | 04,844,272 | ---- | M] (Malwarebytes Corporation ) -- C:\Windows\system32\config\systemprofile\Desktop\aljfhalfda.exe
[2009/12/04 00:02:04 | 00,000,750 | ---- | M] () -- C:\Windows\system32\config\systemprofile\Desktop\NTREGOPT.lnk
[2009/12/04 00:02:04 | 00,000,731 | ---- | M] () -- C:\Windows\system32\config\systemprofile\Desktop\ERUNT.lnk
[2009/12/03 23:56:05 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Windows\system32\config\systemprofile\Desktop\OTL.exe
[2009/12/03 23:55:33 | 00,472,064 | ---- | M] ( ) -- C:\Windows\system32\config\systemprofile\Desktop\RootRepeal.exe
[2009/12/03 23:53:49 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Windows\system32\config\systemprofile\Desktop\erunt_setup.exe
[2009/12/03 23:53:36 | 00,021,504 | ---- | M] (Doug Knox) -- C:\Windows\system32\config\systemprofile\Desktop\SysRestorePoint.exe
[2009/12/03 23:52:40 | 00,341,504 | ---- | M] (OldTimer Tools) -- C:\Windows\system32\config\systemprofile\Desktop\TFC.exe
[2009/12/03 23:46:53 | 00,001,356 | ---- | M] () -- C:\Windows\system32\config\systemprofile\AppData\Local\d3d9caps.dat
[2009/12/03 23:15:28 | 18,124,2942 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2009/12/03 23:14:35 | 00,014,122 | ---- | M] () -- C:\MGlogs.zip
[2009/12/03 22:58:16 | 00,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2009/12/03 22:58:16 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/12/03 22:55:28 | 00,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2009/12/03 22:54:56 | 00,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/12/03 22:54:56 | 00,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/12/03 21:51:35 | 00,007,680 | ---- | M] () -- C:\Windows\system32\config\systemprofile\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/12/03 11:35:59 | 00,006,456 | -H-- | M] () -- C:\Windows\System32\vuroguvi
[2009/12/03 10:31:25 | 00,000,056 | ---- | M] () -- C:\xcrashdump.dat
[2009/12/03 10:31:12 | 00,000,823 | -HS- | M] () -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.lnk
[2009/12/03 10:31:09 | 00,051,712 | ---- | M] (Eset ) -- C:\gelcdomj.exe
[2009/12/03 10:30:48 | 00,052,736 | ---- | M] () -- C:\enhs.exe
[2009/12/03 10:07:01 | 00,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2009/12/01 10:54:46 | 02,385,076 | ---- | M] () -- C:\MGtools.exe
[2009/12/01 02:07:06 | 00,000,907 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

========== Files Created - No Company Name ==========

[2009/12/04 00:13:58 | 00,000,000 | ---- | C] () -- C:\Windows\system32\config\systemprofile\Desktop\settings.dat
[2009/12/04 00:02:04 | 00,000,750 | ---- | C] () -- C:\Windows\system32\config\systemprofile\Desktop\NTREGOPT.lnk
[2009/12/04 00:02:04 | 00,000,731 | ---- | C] () -- C:\Windows\system32\config\systemprofile\Desktop\ERUNT.lnk
[2009/12/03 23:14:35 | 00,014,122 | ---- | C] () -- C:\MGlogs.zip
[2009/12/03 21:51:25 | 00,007,680 | ---- | C] () -- C:\Windows\System32\config\systemprofile\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/03 10:31:25 | 00,000,056 | ---- | C] () -- C:\xcrashdump.dat
[2009/12/03 10:30:46 | 00,052,736 | ---- | C] () -- C:\enhs.exe
[2009/12/01 10:54:43 | 02,385,076 | ---- | C] () -- C:\MGtools.exe
[2009/12/01 02:07:06 | 00,000,907 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/10/15 01:01:35 | 00,000,118 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2009/10/13 22:11:06 | 00,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/08/15 09:35:44 | 00,002,432 | ---- | C] () -- C:\Windows\System32\winmes.sys
[2009/08/15 09:35:43 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/15 09:10:42 | 00,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2009/06/16 22:21:41 | 00,000,326 | ---- | C] () -- C:\Windows\System32\config\systemprofile\AppData\Roaming\PrimoPDFSet.xml
[2009/06/16 22:14:34 | 00,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2009/04/26 20:13:36 | 00,000,314 | ---- | C] () -- C:\Windows\primopdf.ini
[2008/08/29 15:13:54 | 00,005,511 | ---- | C] () -- C:\Windows\aiptbl.ini
[2008/08/03 22:15:21 | 00,002,828 | -HS- | C] () -- C:\Windows\System32\KGyGaAvL.sys
[2008/08/03 22:15:21 | 00,000,088 | RHS- | C] () -- C:\Windows\System32\8DDB2614FF.sys
[2008/04/18 12:52:44 | 00,000,000 | ---- | C] () -- C:\Windows\VAIOUpdt.INI
[2008/04/18 11:25:16 | 01,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2008/04/18 10:34:04 | 00,910,464 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2008/04/18 10:34:04 | 00,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2008/04/18 10:34:04 | 00,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1295.dll
[2007/10/30 09:44:52 | 00,393,216 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2006/11/02 05:02:10 | 00,001,356 | ---- | C] () -- C:\Windows\System32\config\systemprofile\AppData\Local\d3d9caps.dat
[2006/11/02 04:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/01 23:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2001/11/14 12:56:00 | 01,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll

========== LOP Check ==========

[2009/12/03 22:58:16 | 00,032,638 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2009/12/03 10:31:00 | 00,222,720 | ---- | M] (Microsoft Corporation) -- C:\dens.exe
[2009/12/03 10:30:48 | 00,052,736 | ---- | M] () -- C:\enhs.exe
[2009/12/03 10:31:09 | 00,051,712 | ---- | M] (Eset ) -- C:\gelcdomj.exe
[2009/12/01 10:54:46 | 02,385,076 | ---- | M] () -- C:\MGtools.exe


< MD5 for: AGP440.SYS >
[2008/01/20 18:23:01 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys
[2008/01/20 18:23:01 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008/01/20 18:23:01 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/20 18:23:01 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/20 18:23:01 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2006/11/02 01:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/04/10 22:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/10 22:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/10 22:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/20 18:23:00 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/20 18:23:00 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 01:49:36 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 01:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 01:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: EVENTLOG.DLL >
[2007/06/05 22:06:16 | 00,033,280 | ---- | M] (UPEK Inc.) MD5=98E10163017B71CF8B804B6624EA3767 -- C:\Program Files\Protector Suite QL\eventlog.dll

< MD5 for: IASTORV.SYS >
[2008/01/20 18:23:23 | 00,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys
[2008/01/20 18:23:23 | 00,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/20 18:23:23 | 00,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 01:51:25 | 00,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/04/10 22:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2009/04/10 22:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/20 18:24:05 | 00,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 01:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/20 18:23:21 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/20 18:23:21 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/20 18:23:21 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/20 18:24:50 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2009/04/10 22:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2009/04/10 22:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:8CE646EE
< End of report >



Extras.txt:


OTL Extras logfile created on: 12/4/2009 12:17:39 AM - Run 1
OTL by OldTimer - Version 3.1.11.4 Folder = C:\Windows\system32\config\systemprofile\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 225.10 Gb Total Space | 101.25 Gb Free Space | 44.98% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CATERPILLAR
Current User Name: carlo
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SystemRoot%\hh.exe" %1
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SystemRoot%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [TVersity] -- "C:\Program Files\TVersity\Media Server\GUILaunch.exe" -type "folder" -url "%1" -title "" -tags "" ()
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
"AutoUpdateDisableNotify" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-18]
"EnableNotifications" = 0
"EnableNotifications\Ref" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-82084531-1568399576-1305024956-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1474F340-0DAD-432F-938F-6A5191070EBE}" = rport=10243 | protocol=6 | dir=out | app=system |
"{1B060063-E329-4761-A7F2-D23B7853B21C}" = rport=139 | protocol=6 | dir=out | app=system |
"{1C5DE76D-20F7-40BB-8B68-F48E12676AB6}" = lport=138 | protocol=17 | dir=in | app=system |
"{31AE877E-EF62-4A93-8420-A0D8A1D899E6}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{3ACC1612-B5C8-42EF-B793-1B8FB573B9A5}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{6C40EF8C-E1D5-4AD8-9FC5-C06B698578F8}" = lport=10243 | protocol=6 | dir=in | app=system |
"{736ACE2C-CDAD-4C95-86E2-B447093F6272}" = rport=445 | protocol=6 | dir=out | app=system |
"{83BCC916-4216-4A19-A4E7-8E66CA64B649}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{8BD58F27-1D54-4FE7-9F34-842162311880}" = lport=445 | protocol=6 | dir=in | app=system |
"{A25B4C7E-7F3B-4B62-95FC-D7903A47AF8E}" = lport=2869 | protocol=6 | dir=in | app=system |
"{A36257AE-A27D-48A9-BD31-BEC189C10B4B}" = lport=139 | protocol=6 | dir=in | app=system |
"{B1EEDABD-D728-401B-92B7-BDE621B5F895}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{B54BC4E7-7A08-4219-9F23-7831D3463EC7}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{C65FA34A-DC7C-4B74-8129-6A8D09759C70}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{D83A5339-6DD2-4A91-96E0-29BC82D8ADFB}" = rport=137 | protocol=17 | dir=out | app=system |
"{E0DA1250-BD68-4D95-AC78-D54AE453F330}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | [email protected],-28539 |
"{E3EC902A-6437-43BE-976C-1CCF6024004E}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{EF2E5116-B301-490D-90A2-8F7896D9AC45}" = rport=138 | protocol=17 | dir=out | app=system |
"{FFEA3272-EA82-43A4-8656-C734392DCF4C}" = lport=137 | protocol=17 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{017F2075-101A-476E-AE60-283A9D3570C1}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{08F15A4C-D277-4C1F-A5B8-E757172D4127}" = protocol=17 | dir=in | app=c:\windows\system32\fastnetsrv.exe |
"{0F9F4F0A-F1FF-46F8-BB3B-4E45561E6F7C}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{18C3298E-5767-4322-984F-B2A18493EF7D}" = protocol=6 | dir=out | app=system |
"{1987E05F-E3A7-4F93-A3D3-A069ADB684F1}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{271AB6D0-5D48-472D-A624-7F136B49113C}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{2AEFC1BD-26A2-43EB-A0E9-D0D3E036E95E}" = protocol=58 | dir=out | [email protected],-28546 |
"{3C81E5EF-64DD-4FC7-BE3F-6608D3EBE11C}" = protocol=6 | dir=in | app=c:\program files\tversity\media server\mediaserver.exe |
"{3DEACB06-6DAF-4441-85F1-B8A4D35B2A11}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{4915CC09-B29C-4C36-BE6A-6BB893050B35}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{4BE3D186-A528-45CD-86E5-3A3E77A5FB1A}" = protocol=17 | dir=in | app=c:\program files\tversity\media server\mediaserver.exe |
"{631D8987-7FF8-4105-B566-8B886DF1C0CA}" = protocol=1 | dir=in | [email protected],-28543 |
"{650A3AE3-F876-43DC-8602-F73BF06DDF62}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{7328A4B6-F1A4-44D0-93D6-1D33832D6CFA}" = protocol=1 | dir=out | [email protected],-28544 |
"{99512558-6AA5-45E7-8D63-23F7D9C14790}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{ADC248B6-6AD2-4328-BED5-5FF82E64FC89}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{B2DB7012-7401-4D81-A8D1-008106DC3E9E}" = protocol=58 | dir=in | [email protected],-28545 |
"{BAA4FA87-444F-404F-8891-DDA02CCA495A}" = protocol=6 | dir=in | app=c:\windows\system32\fastnetsrv.exe |
"{CF49EB93-300D-48D7-B49A-5F715E338DC4}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{DD936DA2-DA0C-4013-B621-063AAE2F80A1}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{DE8F49F0-8A54-4ADE-AEED-91FC51519481}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{ED54AEFD-7E4A-492B-A8D6-A803C2158234}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"TCP Query User{0E0238C3-7453-4930-852A-47938DFEA420}C:\program files\pfportchecker\pfportchecker.exe" = protocol=6 | dir=in | app=c:\program files\pfportchecker\pfportchecker.exe |
"TCP Query User{1D34C9CC-BBD1-4E7D-B5B8-FF8016D9A1BE}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{277A7086-DC57-4DA6-BBC7-557CD5E9FEA7}C:\programdata\ba5a7a7\wsba5a.exe" = protocol=6 | dir=in | app=c:\programdata\ba5a7a7\wsba5a.exe |
"TCP Query User{8CF7FF06-EB81-474A-BDF4-F17602D23761}C:\program files\sopcast\adv\sopadver.exe" = protocol=6 | dir=in | app=c:\program files\sopcast\adv\sopadver.exe |
"TCP Query User{99984047-28E7-4F9B-8C38-23AECE0F6E36}C:\program files\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"TCP Query User{B9AD7FD4-B119-4C9B-B32A-5CE2B1125139}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{C0AE222E-2F84-4014-85AD-8C3709EEEC4A}C:\program files\tvants\tvants.exe" = protocol=6 | dir=in | app=c:\program files\tvants\tvants.exe |
"TCP Query User{CDBF1838-C270-4339-9F4E-5D5D06D54E9E}C:\program files\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"TCP Query User{DE7C9BE6-5CBC-4B19-957A-E587DEAEA3E8}C:\program files\sopcast\sopcast.exe" = protocol=6 | dir=in | app=c:\program files\sopcast\sopcast.exe |
"UDP Query User{04BB4210-33FC-4392-9D82-3601D48AF902}C:\program files\sopcast\sopcast.exe" = protocol=17 | dir=in | app=c:\program files\sopcast\sopcast.exe |
"UDP Query User{062F86D5-8FE2-46CB-AB36-AF096B8DA2A3}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{1EC9C6D4-1A1B-40D9-B2B1-A724FA9E10A8}C:\program files\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"UDP Query User{2CB006A7-A1B0-49F9-B262-D7D39738019C}C:\program files\sopcast\adv\sopadver.exe" = protocol=17 | dir=in | app=c:\program files\sopcast\adv\sopadver.exe |
"UDP Query User{4119CDAA-9174-44BF-8DD9-28990487BDDB}C:\program files\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"UDP Query User{7FCB471F-8964-4BA2-B109-752C8DE18DA7}C:\program files\tvants\tvants.exe" = protocol=17 | dir=in | app=c:\program files\tvants\tvants.exe |
"UDP Query User{84631EC5-6AF8-4FEF-8378-F96BE0FE6EF9}C:\program files\pfportchecker\pfportchecker.exe" = protocol=17 | dir=in | app=c:\program files\pfportchecker\pfportchecker.exe |
"UDP Query User{84C3B61D-EF33-4F44-9810-C825743212A7}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{B948D717-4A4D-4028-BD83-4F97E69755DA}C:\programdata\ba5a7a7\wsba5a.exe" = protocol=17 | dir=in | app=c:\programdata\ba5a7a7\wsba5a.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03D1988F-469F-4843-8E6E-E5FE9D17889D}" = WIDCOMM Bluetooth Software 6.1.0.2200
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Central Data
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160" = Canon MP160
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Central Tools
"{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = WinDVD for VAIO
"{2CD2C0DB-81C3-416B-9FA6-589B9235359B}" = OpenOffice.org 2.4
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java™ 6 Update 4
"{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{4DCEA9C1-4D6E-41BF-A854-28CFA8B56DBF}" = Click to Disc Editor
"{5C5EE8F2-0B38-4C13-AE4E-A87A237FE718}" =
"{64E72FB1-2343-4977-B4A8-262CD53D0BD3}" = Corel Paint Shop Pro Photo X2
"{68A69CFF-130D-4CDE-AB0E-7374ECB144C8}" = Click to Disc
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Central Audio
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{802889F8-6AF5-45A5-9764-CA5B999E50FC}" = VAIO Power Management
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ED3A392-28F1-4375-97AC-BF275B5855F9}" = OpenMG Secure Module 5.0.00
"{96D0B6C6-5A72-4B47-8583-A87E55F5FE81}" =
"{98FC7A64-774B-49B5-B046-4B4EBC053FA9}" = VAIO MusicBox Sample Music
"{9973498D-EA29-4A68-BE0B-C88D6E03E928}" = ArcSoft WebCam Companion 2
"{9B5F85CA-90D4-4AFC-BB37-32477FD0D2B9}" = SmartWi Connection Utility
"{A2289997-10A3-48F2-AA03-99180D761661}" = Protector Suite QL 5.6
"{A33E457B-5369-481F-8B53-71108AE2EB5B}" = Roxio Easy Media Creator 10 LJ
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A7DA438C-2E43-4C20-BFDA-C1F4A6208558}" = Setting Utility Series
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Central Copy
"{BC4CA8FA-41D2-4B81-8680-E9B7573D6500}" = PLAYSTATION®Network Downloader
"{C7477742-DDB4-43E5-AC8D-0259E1E661B1}" = VAIO Event Service
"{CC016F21-3970-11DE-B878-005056806466}" = Google Earth
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D06F5884-B439-440B-A58D-6C057C2FF8EB}" = Click to Disc
"{D90507A2-6183-497D-9075-951DC80362DA}" = VAIO Media plus
"{E6707034-D7A4-49B1-94D0-F5AACE46F06C}" = Instant Mode
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Central Core
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1D85517-6EAC-496A-965A-FA349036E74E}" = RehanFX Shader Transitions and Effects (ShaderTFX)
"{F570A6CC-53ED-4AA9-8B08-551CD3E38D8B}" =
"{FE51662F-D8F6-43B5-99D9-D4894AF00F83}" = Roxio Easy Media Creator Home
"7-Zip" = 7-Zip 4.57
"Acoustica Effects Pack" = Acoustica Effects Pack
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Akamai" = Akamai NetSession Interface
"AoA Audio Extractor_is1" = AoA Audio Extractor 1.0
"Audacity_is1" = Audacity 1.2.6
"AutoHotkey" = AutoHotkey 1.0.47.06
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2008-01-24
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
"Ext2Ifs_for_NT6" = Ext2 IFS 1.11 for Windows Vista
"ffdshow_is1" = ffdshow [rev 3097] [2009-10-08]
"Grand Fantasia" = Grand Fantasia
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"InstallShield_{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = WinDVD for VAIO
"InstallShield_{4DCEA9C1-4D6E-41BF-A854-28CFA8B56DBF}" = Click to Disc Editor
"InstallShield_{8ED3A392-28F1-4375-97AC-BF275B5855F9}" = OpenMG Secure Module 5.0.00
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.3)" = Mozilla Firefox (3.5.3)
"Picasa 3" = Picasa 3
"Pidgin" = Pidgin
"PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
"Rmtablet" = USB Tablet Manager
"SopCast" = SopCast 3.0.3
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TVAnts 1.0" = TVAnts 1.0
"TVersity Media Server " = TVersity Media Server 1.0.0.3 RC2
"Veetle TV" = Veetle TV 0.9.15
"Winamp" = Winamp
"WinFF_is1" = WinFF 0.43
"WinGimp-2.0_is1" = Gimp 2.6.1

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/26/2009 2:08:36 PM | Computer Name = Caterpillar | Source = WinMgmt | ID = 10
Description =

Error - 11/26/2009 3:56:13 PM | Computer Name = Caterpillar | Source = WinMgmt | ID = 10
Description =

Error - 11/27/2009 2:02:18 PM | Computer Name = Caterpillar | Source = WinMgmt | ID = 10
Description =

Error - 11/27/2009 7:05:07 PM | Computer Name = Caterpillar | Source = System Restore | ID = 8193
Description =

Error - 11/28/2009 12:43:13 PM | Computer Name = Caterpillar | Source = WinMgmt | ID = 10
Description =

Error - 11/28/2009 9:12:03 PM | Computer Name = Caterpillar | Source = WinMgmt | ID = 10
Description =

Error - 11/28/2009 10:40:55 PM | Computer Name = Caterpillar | Source = Google Update | ID = 20
Description =

Error - 11/29/2009 12:42:21 AM | Computer Name = Caterpillar | Source = WinMgmt | ID = 10
Description =

Error - 11/29/2009 1:04:01 PM | Computer Name = Caterpillar | Source = WinMgmt | ID = 10
Description =

Error - 11/30/2009 1:34:23 PM | Computer Name = Caterpillar | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 12/4/2009 4:04:16 AM | Computer Name = Caterpillar | Source = DCOM | ID = 10005
Description =

Error - 12/4/2009 4:04:48 AM | Computer Name = Caterpillar | Source = DCOM | ID = 10005
Description =

Error - 12/4/2009 4:09:26 AM | Computer Name = Caterpillar | Source = DCOM | ID = 10005
Description =

Error - 12/4/2009 4:09:32 AM | Computer Name = Caterpillar | Source = DCOM | ID = 10005
Description =

Error - 12/4/2009 4:09:35 AM | Computer Name = Caterpillar | Source = DCOM | ID = 10005
Description =

Error - 12/4/2009 4:09:38 AM | Computer Name = Caterpillar | Source = DCOM | ID = 10005
Description =

Error - 12/4/2009 4:09:38 AM | Computer Name = Caterpillar | Source = DCOM | ID = 10005
Description =

Error - 12/4/2009 4:10:24 AM | Computer Name = Caterpillar | Source = Service Control Manager | ID = 7001
Description =

Error - 12/4/2009 4:10:24 AM | Computer Name = Caterpillar | Source = Service Control Manager | ID = 7026
Description =

Error - 12/4/2009 4:16:36 AM | Computer Name = Caterpillar | Source = DCOM | ID = 10005
Description =


< End of report >

Thanks for your help and advice...

#2 Rorschach112 (Ralphie), Retired Staff, 47,710 posts
hi

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Drivers to delete:
H8SRTrmbtkpsctm

Files to delete:
C:\Windows\system32\drivers\H8SRTrmbtkpsctm.sys
C:\gelcdomj.exe
C:\Windows\system32\config\systemprofile\Desktop\aljfhalfda.exe
C:\Windows\System32\vuroguvi
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.lnk
C:\gelcdomj.exe
C:\enhs.exe
C:\enhs.exe
C:\dens.exe
C:\enhs.exe
C:\gelcdomj.exe

Folders to delete:
C:\ProgramData\pokumala
C:\ProgramData\rawituzo
C:\ProgramData\galifure
C:\ProgramData\ba5a7a7

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply

#3 chupata (Topic Starter), Member, 20 posts
My system got a Blue Screen of Death after the first reboot, but before I could take down any information it rebooted again right after that and got back into Windows (I'm still in Safe Mode though).


avenger.txt:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "H8SRTd.sys" found!
ImagePath: \systemroot\system32\drivers\H8SRTrmbtkpsctm.sys
Start Type: 1 (System)

Rootkit scan completed.


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\H8SRTrmbtkpsctm" not found!
Deletion of driver "H8SRTrmbtkpsctm" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Windows\system32\drivers\H8SRTrmbtkpsctm.sys" deleted successfully.
File "C:\gelcdomj.exe" deleted successfully.
File "C:\Windows\system32\config\systemprofile\Desktop\aljfhalfda.exe" deleted successfully.
File "C:\Windows\System32\vuroguvi" deleted successfully.
File "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.lnk" deleted successfully.

Error: file "C:\gelcdomj.exe" not found!
Deletion of file "C:\gelcdomj.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\enhs.exe" deleted successfully.

Error: file "C:\enhs.exe" not found!
Deletion of file "C:\enhs.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\dens.exe" deleted successfully.

Error: file "C:\enhs.exe" not found!
Deletion of file "C:\enhs.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\gelcdomj.exe" not found!
Deletion of file "C:\gelcdomj.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\ProgramData\pokumala" deleted successfully.
Folder "C:\ProgramData\rawituzo" deleted successfully.
Folder "C:\ProgramData\galifure" deleted successfully.
Folder "C:\ProgramData\ba5a7a7" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

#4 Rorschach112 (Ralphie), Retired Staff, 47,710 posts
hi

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#5 chupata (Topic Starter), Member, 20 posts
Here is the Combofix log:

ComboFix 09-12-04.02 - SYSTEM 12/04/2009 22:15.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2667 [GMT -8:00]
Running from: c:\windows\system32\config\systemprofile\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleanup.exe
c:\windows\Install.txt
c:\windows\system32\curslib.dll
c:\windows\system32\H8SRTbncmqhotor.dll
c:\windows\system32\h8srtcfg.dat
c:\windows\system32\H8SRTdxqxqpnisp.dll
c:\windows\system32\H8SRTofrxxpsxir.dat
c:\windows\system32\H8SRTupbprbbmuj.dll
c:\windows\system32\Install.txt
c:\windows\system32\wincert.dll
c:\windows\system32\winmes.sys
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_H8SRTd.sys
-------\Service_H8SRTd.sys
-------\Legacy_winmes
-------\Service_winmes


((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
.

2009-12-05 06:24 . 2009-12-05 06:29 -------- d-----w- c:\users\carlo\AppData\Local\temp
2009-12-05 06:24 . 2009-12-05 06:24 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2009-12-05 06:24 . 2009-12-05 06:24 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-05 06:24 . 2009-12-05 06:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-05 06:24 . 2009-12-05 06:24 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2009-12-05 06:03 . 2009-12-05 06:09 -------- d-----w- C:\32788R22FWJFW
2009-12-04 17:49 . 2009-12-04 17:49 0 ----a-w- C:\backup.reg
2009-12-04 17:49 . 2009-12-04 17:49 574 ----a-w- C:\cleanup.bat
2009-12-04 17:49 . 2009-12-04 17:49 135168 ----a-w- C:\zip.exe
2009-12-04 08:10 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 08:10 . 2009-12-04 08:12 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-04 08:10 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-04 07:14 . 2009-12-04 07:14 14122 ----a-w- C:\MGlogs.zip
2009-12-04 07:14 . 2009-12-04 07:14 -------- d-----w- C:\MGtools
2009-12-04 05:59 . 2009-12-04 05:59 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Malwarebytes
2009-12-03 18:44 . 2009-12-03 18:44 117760 ----a-w- c:\windows\System32\config\systemprofile\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-03 18:44 . 2009-12-03 18:44 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\SUPERAntiSpyware.com
2009-12-01 18:54 . 2009-12-01 18:54 2385076 ----a-w- C:\MGtools.exe
2009-12-01 10:07 . 2009-12-01 10:07 117760 ----a-w- c:\users\carlo\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-01 10:07 . 2009-12-01 10:07 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-12-01 10:07 . 2009-12-05 06:07 4096 d-----w- c:\program files\SUPERAntiSpyware
2009-12-01 10:07 . 2009-12-01 10:07 -------- d-----w- c:\users\carlo\AppData\Roaming\SUPERAntiSpyware.com
2009-12-01 10:06 . 2009-12-01 10:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-01 03:07 . 2009-12-01 03:07 70 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\PE.sys
2009-12-01 03:07 . 2009-12-01 03:07 11 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\CLSV.drv
2009-12-01 03:07 . 2009-12-01 03:07 75 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\pal.exe
2009-12-01 03:07 . 2009-12-01 03:07 59 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\CLSV.dll
2009-12-01 03:07 . 2009-12-01 03:07 67 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\PE.exe
2009-12-01 03:07 . 2009-12-01 03:07 77 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\sld.sys
2009-12-01 03:07 . 2009-12-01 03:07 51 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\ppal.dll
2009-12-01 03:07 . 2009-12-01 03:07 70 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\std.drv
2009-12-01 03:07 . 2009-12-01 03:07 3 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\grid.exe
2009-12-01 03:07 . 2009-12-01 03:07 2 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv
2009-12-01 03:07 . 2009-12-01 03:07 74 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\exec.sys
2009-12-01 03:07 . 2009-12-01 03:07 67 ----a-w- c:\users\carlo\AppData\Roaming\Microsoft\Windows\Recent\energy.sys
2009-12-01 03:06 . 2009-12-01 03:06 -------- d-sh--w- c:\programdata\WSGSHUD_APDM
2009-12-01 03:01 . 2009-12-01 03:21 -------- d-sh--w- c:\users\carlo\AppData\Roaming\System
2009-12-01 03:01 . 2009-12-01 03:01 -------- d-----w- c:\users\carlo\AppData\Roaming\Mozilla Firefox
2009-12-01 02:44 . 2009-09-30 18:41 361472 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\FgPhotofitDll.dll
2009-12-01 02:44 . 2009-09-21 19:14 8192 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\OpenGLCheck.dll
2009-12-01 02:44 . 2009-08-19 19:40 655872 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\msvcr90.dll
2009-12-01 02:44 . 2009-08-19 19:40 572928 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\msvcp90.dll
2009-12-01 02:44 . 2009-10-08 18:30 13312 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\PhotoFaceConsole.exe
2009-12-01 02:44 . 2009-09-30 04:29 6144 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\DetectOpenGLConsole.exe
2009-12-01 02:44 . 2009-09-30 04:29 5120 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\DownloadSourcePhotoConsole.exe
2009-12-01 02:44 . 2009-09-30 04:29 9216 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\UploadPhotofitConsole.exe
2009-12-01 02:44 . 2009-08-19 19:40 4178264 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\D3DX9_41.dll
2009-12-01 02:44 . 2009-10-01 03:14 15872 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\PhotoFaceConsole.XmlSerializers.dll
2009-12-01 02:43 . 2009-12-01 02:43 175616 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\unrar64_nocrypt.dll
2009-12-01 02:43 . 2009-12-01 02:43 150528 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\unrar_nocrypt.dll
2009-12-01 02:43 . 2009-12-01 02:43 30208 ----a-w- c:\users\carlo\AppData\Roaming\EA\EASW\GameFace\FileDownloadConsole.exe
2009-12-01 02:43 . 2009-12-01 02:43 -------- d-----w- c:\users\carlo\AppData\Roaming\EA
2009-12-01 02:43 . 2009-12-01 02:43 -------- d-----w- c:\users\carlo\AppData\Local\Deployment
2009-12-01 02:43 . 2009-12-01 02:43 -------- d-----w- c:\users\carlo\AppData\Local\Apps
2009-11-28 07:55 . 2009-11-28 07:55 -------- d-----w- c:\users\carlo\AppData\Local\Unity
2009-11-27 23:05 . 2008-03-05 23:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2009-11-27 23:05 . 2007-07-20 02:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2009-11-27 23:05 . 2007-05-17 00:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2009-11-27 23:05 . 2007-04-05 02:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2009-11-27 23:05 . 2007-03-13 00:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2009-11-27 23:05 . 2006-11-29 21:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-11-27 23:05 . 2006-09-29 00:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-11-27 23:04 . 2005-05-26 23:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-11-25 10:29 . 2009-10-29 09:17 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 07:24 . 2009-08-11 16:44 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 07:24 . 2009-08-11 16:44 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-24 07:41 . 2009-11-24 07:41 -------- d-----w- C:\AeriaGames
2009-11-24 07:20 . 2009-12-05 06:26 4096 d-----w- c:\program files\Common Files\Akamai
2009-11-16 07:03 . 2009-11-16 07:03 4096 d-----w- c:\program files\DivX
2009-11-16 07:03 . 2009-11-16 07:03 4096 d-----w- c:\program files\Common Files\DivX Shared
2009-11-11 17:03 . 2009-08-14 13:27 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 17:03 . 2009-08-10 12:35 355328 ----a-w- c:\windows\system32\WSDApi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-05 06:08 . 2006-11-02 13:02 1356 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\d3d9caps.dat
2009-12-04 17:53 . 2008-04-18 18:31 12 ----a-w- c:\windows\bthservsdp.dat
2009-12-04 08:02 . 2009-08-13 23:39 4096 d-----w- c:\program files\ERUNT
2009-12-03 18:35 . 2008-07-25 05:44 49152 d-----w- c:\users\carlo\AppData\Roaming\uTorrent
2009-12-03 16:30 . 2008-07-30 04:54 1 ----a-w- c:\users\carlo\AppData\Roaming\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-12-03 16:26 . 2008-07-30 04:54 -------- d-----w- c:\users\carlo\AppData\Roaming\OpenOffice.org2
2009-12-01 04:17 . 2008-08-02 05:34 -------- d-----w- c:\users\carlo\AppData\Roaming\gtk-2.0
2009-11-25 17:41 . 2009-08-15 17:21 -------- d-----w- c:\program files\McAfee
2009-11-03 04:42 . 2009-10-03 13:47 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-28 04:51 . 2009-10-28 04:51 -------- d-----w- c:\program files\Veetle
2009-10-27 09:43 . 2008-08-02 05:33 4096 d-----w- c:\users\carlo\AppData\Roaming\.purple
2009-10-22 17:36 . 2009-08-10 04:42 -------- d-----w- c:\programdata\Roxio
2009-10-14 06:54 . 2009-10-14 06:16 4096 d-----w- c:\program files\Pazera MP4 to AVI converter
2009-10-09 02:27 . 2009-10-14 06:11 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-09-14 09:29 . 2009-10-14 21:14 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 16:48 . 2009-10-14 21:14 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-03-28 01:42 . 2009-08-11 06:04 889856 ----a-w- c:\program files\mozilla firefox\components\pbgk1_9.dll
2008-09-24 06:30 . 2008-08-04 06:15 88 --sh--r- c:\windows\System32\8DDB2614FF.sys
2008-09-24 06:31 . 2008-08-04 06:15 2828 --sha-w- c:\windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-06-06 06:16 2955264 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-06-06 06:16 2955264 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-05 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-05 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-10 835584]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-11-21 311296]
"SmartWiHelper"="c:\program files\Sony Corporation\SmartWi Connection Utility\SmartWiHelper.exe" [2008-04-17 73728]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-06 49168]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-10 37888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-02-28 4915200]
"atwtusb"="atwtusb.exe" - c:\windows\System32\ATWTUSB.EXE [2007-03-21 315392]

c:\users\carlo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoHotkey.ahk - Shortcut.lnk - c:\users\carlo\Documents\AutoHotkey.ahk [2008-7-30 1656]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-10-30 748072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-06-06 06:03 90112 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2008-02-21 17:26 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_SZ c:\windows\system32\wincert.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):b0,0d,e9,6e,f9,1d,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-18]
"EnableNotifications\\Ref"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-82084531-1568399576-1305024956-1000]
"EnableNotificationsRef"=dword:00000001

R1 Ext2fs;Ext2fs;c:\windows\System32\drivers\ext2fs.sys [7/29/2008 7:23 PM 187840]
R1 IfsMount;IfsMount;c:\windows\System32\drivers\ifsmount.sys [7/29/2008 7:23 PM 58816]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [1/20/2008 6:23 PM 21504]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/15/2009 9:22 AM 93320]
R2 regi;regi;c:\windows\System32\drivers\regi.sys [4/17/2007 7:09 PM 11032]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [4/18/2008 12:18 PM 28464]
R3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\System32\drivers\R5U870FLx86.sys [4/18/2008 10:33 AM 73472]
R3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\System32\drivers\R5U870FUx86.sys [4/18/2008 10:33 AM 43904]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\System32\drivers\SFEP.sys [4/18/2008 10:34 AM 9344]
R3 ti21sony;ti21sony;c:\windows\System32\drivers\ti21sony.sys [4/18/2008 10:34 AM 818688]
S1 aiptektp;Pen Pad;c:\windows\System32\drivers\aiptektp.sys [8/29/2008 3:13 PM 22528]
S2 gupdate1c9adaa9861fac1;Google Update Service (gupdate1c9adaa9861fac1);c:\program files\Google\Update\GoogleUpdate.exe [3/25/2009 4:34 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2009-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 00:34]

2009-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 00:34]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\carlo\AppData\Roaming\Mozilla\Firefox\Profiles\1fgxlujm.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\pbgk1_9.dll
FF - component: c:\users\carlo\AppData\Roaming\Mozilla\Firefox\Profiles\1fgxlujm.default\extensions\[email protected]\components\nsTwitterFoxSign.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\users\carlo\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-asg984jgkfmgasi8ug98jgkfgfb - c:\users\carlo\AppData\Local\Temp\login.exe
HKCU-Run-dafebukiz - c:\progra~2\galifure\galifure.dll
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
AddRemove-HijackThis - c:\hijackthis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-04 22:29
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85940618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82fabd24
\Driver\ACPI -> acpi.sys @ 0x8069ad68
\Driver\atapi -> ataport.SYS @ 0x807e3a2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3612.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3612.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-82084531-1568399576-1305024956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* a*s*s*\OpenWithList]
@Class="Shell"
"a"="NOTEPAD.EXE"
"MRUList"="bac"
"b"="mplayerc.exe"
"c"="zplayer.exe"

[HKEY_USERS\S-1-5-21-82084531-1568399576-1305024956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* a*s*s*\OpenWithProgids]
"?ass_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-82084531-1568399576-1305024956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* m*k*v*\OpenWithList]
@Class="Shell"
"a"="zplayer.exe"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-82084531-1568399576-1305024956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* m*k*v*\OpenWithProgids]
"?mkv_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-82084531-1568399576-1305024956-1000\Software\SecuROM\License information*]
"datasecu"=hex:2f,a2,90,49,55,65,b0,44,ed,2a,39,75,23,1e,a0,ba,49,82,20,c9,73,
37,87,b4,05,c7,11,d3,2e,79,87,ed,e3,f9,ee,a4,68,91,5d,fe,cf,22,d9,7e,a9,7a,\
"rkeysecu"=hex:70,be,65,f0,40,2e,b6,52,50,90,14,ed,a3,71,27,d7

[HKEY_USERS\S-1-5-21-82084531-1568399576-1305024956-1000_Classes\ a*s*s*_*a*u*t*o*_*f*i*l*e*\shell\edit\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_USERS\S-1-5-21-82084531-1568399576-1305024956-1000_Classes\ a*s*s*_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_USERS\S-1-5-21-82084531-1568399576-1305024956-1000_Classes\ m*k*v*_*a*u*t*o*_*f*i*l*e*\shell]
@="open"

[HKEY_USERS\S-1-5-21-82084531-1568399576-1305024956-1000_Classes\ m*k*v*_*a*u*t*o*_*f*i*l*e*\shell\open]
@="&Open"
"FriendlyAppName"="Zoom Player"

[HKEY_USERS\S-1-5-21-82084531-1568399576-1305024956-1000_Classes\ m*k*v*_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@="\"c:\\Program Files\\Combined Community Codec Pack\\Zoom Player\\zplayer.exe\" \"%L\""
DUMPHIVE0.003 (REGF)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(656)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll

- - - - - - - > 'Explorer.exe'(3000)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Protector Suite QL\upeksvr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\PSIService.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Sony\VAIO Event Service\VESMgrSub.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Sony\VAIO Power Management\SPMgr.exe
c:\program files\AutoHotkey\AutoHotkey.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\windows\system32\vssvc.exe
.
**************************************************************************
.
Completion time: 2009-12-04 22:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-05 06:46

Pre-Run: 108,645,711,872 bytes free
Post-Run: 105,438,203,904 bytes free

- - End Of File - - BAAABE170EE2DA38F93B6E0596E8CAA2
  • 0

#6
Rorschach112
    Ralphie

  • Retired Staff
  • 47,710 posts
Hi

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean
Please download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

  • 0

#7
chupata
    Member

  • Topic Starter
  • Member
  • 20 posts
Here's what I got:

MBAM log:

Malwarebytes' Anti-Malware 1.42
Database version: 3299
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

12/5/2009 3:40:07 AM
mbam-log-2009-12-05 (03-40-07).txt

Scan type: Quick Scan
Objects scanned: 96844
Time elapsed: 5 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b45a4b16-23f2-41ad-f4e4-00aac39c0004} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, December 5, 2009
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, December 05, 2009 08:34:18
Records in database: 3332067
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
H:\

Scan statistics:
Objects scanned: 154289
Threats found: 5
Infected objects found: 9
Suspicious objects found: 0
Scan duration: 02:11:09


File name / Threat / Threats count
C:\Avenger\galifure\galifure.dll Infected: Packed.Win32.TDSS.aa 1
C:\Avenger\pokumala\pokumala.dll Infected: Packed.Win32.TDSS.aa 1
C:\MGtools.exe Infected: Trojan-Dropper.Win32.Agent.bikj 1
C:\Qoobox\Quarantine\C\Windows\System32\curslib.dll.vir Infected: Trojan.Win32.Genome.ecqe 1
C:\Qoobox\Quarantine\C\Windows\System32\H8SRTbncmqhotor.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\Windows\System32\H8SRTdxqxqpnisp.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\Windows\System32\H8SRTupbprbbmuj.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\Windows\System32\wincert.dll.vir Infected: Trojan-Dropper.Win32.Agent.bixa 1
C:\Users\carlo\Pictures\Idol Assortment\Yu Takahashi - Be My Baby\photo42.jpg Infected: Trojan-Downloader.Win32.Tibs.kuo 1

Selected area has been scanned.
  • 0

#8
Rorschach112
    Ralphie

  • Retired Staff
  • 47,710 posts
Hi

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\MGtools.exe
    C:\Users\carlo\Pictures\Idol Assortment\Yu Takahashi - Be My Baby\photo42.jpg
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered; reboot the PC when it is done.
  • Open OTL again and click the Run Scan button. Post the log it produces in your next reply.

  • 0

#9
chupata
    Member

  • Topic Starter
  • Member
  • 20 posts
New OTL log:

OTL logfile created on: 12/5/2009 9:48:32 AM - Run 3
OTL by OldTimer - Version 3.1.11.7 Folder = C:\Users\carlo\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 225.10 Gb Total Space | 99.19 Gb Free Space | 44.06% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CATERPILLAR
Current User Name: carlo
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/05 09:33:38 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Users\carlo\Desktop\OTL.exe
PRC - [2009/11/12 17:06:04 | 00,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/04/10 22:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/04/10 09:29:08 | 00,037,888 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2008/10/15 01:04:34 | 00,039,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
PRC - [2008/05/29 21:43:38 | 02,580,480 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
PRC - [2008/05/29 21:43:36 | 02,363,392 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
PRC - [2008/03/09 07:12:24 | 00,240,640 | ---- | M] () -- C:\Program Files\AutoHotkey\AutoHotkey.exe
PRC - [2008/03/07 10:48:38 | 00,921,600 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
PRC - [2008/02/21 09:26:20 | 00,182,392 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
PRC - [2008/02/21 09:26:20 | 00,100,472 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
PRC - [2008/02/04 16:09:00 | 00,252,440 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxsrvc.exe
PRC - [2008/02/04 16:08:48 | 00,166,424 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxext.exe
PRC - [2008/02/04 16:08:48 | 00,137,752 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxpers.exe
PRC - [2008/02/04 16:08:30 | 00,154,136 | ---- | M] (Intel Corporation) -- C:\Windows\System32\hkcmd.exe
PRC - [2008/01/20 18:24:59 | 00,142,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\WUDFHost.exe
PRC - [2007/11/21 11:38:28 | 00,311,296 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\ISB Utility\ISBMgr.exe
PRC - [2007/10/30 10:04:08 | 01,804,840 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PRC - [2007/10/30 10:04:08 | 00,748,072 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2007/06/05 22:04:42 | 00,021,504 | ---- | M] (UPEK Inc.) -- C:\Program Files\Protector Suite QL\upeksvr.exe
PRC - [2007/06/05 21:46:52 | 00,053,776 | ---- | M] (UPEK Inc.) -- C:\Program Files\Protector Suite QL\psqltray.exe
PRC - [2007/06/05 12:20:32 | 00,177,704 | ---- | M] () -- C:\Windows\System32\PSIService.exe
PRC - [2007/03/20 16:43:50 | 00,315,392 | ---- | M] () -- C:\Windows\System32\ATWTUSB.EXE
PRC - [2007/03/09 17:58:22 | 00,835,584 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


========== Modules (SafeList) ==========

MOD - [2009/12/05 09:33:38 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Users\carlo\Desktop\OTL.exe
MOD - [2009/11/23 10:38:10 | 00,014,544 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2009/04/10 22:21:38 | 01,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2007/10/30 10:03:22 | 00,208,896 | ---- | M] (Broadcom Corporation.) -- C:\Windows\System32\BtMmHook.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/23 23:20:48 | 02,309,520 | ---- | M] () -- C:/Program Files/Common Files/Akamai/rswin_3612.dll -- (Akamai)
SRV - [2009/11/12 17:06:04 | 00,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/03/25 16:34:08 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9adaa9861fac1) Google Update Service (gupdate1c9adaa9861fac1)
SRV - [2008/11/20 11:18:52 | 00,136,120 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/07/22 08:59:42 | 00,794,624 | ---- | M] () -- C:\Program Files\TVersity\Media Server\MediaServer.exe -- (TVersityMediaServer)
SRV - [2008/02/21 09:26:20 | 00,182,392 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)
SRV - [2008/01/20 18:23:32 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/11/28 01:08:02 | 00,077,824 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2007/11/28 01:02:20 | 00,053,248 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2007/11/28 00:43:44 | 00,053,248 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2007/06/05 12:20:32 | 00,177,704 | ---- | M] () -- C:\Windows\System32\PSIService.exe -- (ProtexisLicensing)
SRV - [2007/01/04 18:48:52 | 00,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/11/02 04:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart)


========== Driver Services (SafeList) ==========

DRV - [2009/04/10 20:42:54 | 00,073,216 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/06/10 09:54:36 | 00,123,904 | ---- | M] (Realtek Corporation ) -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/02/27 16:32:02 | 02,059,416 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/02/12 16:01:28 | 00,073,472 | ---- | M] (Ricoh) -- C:\Windows\System32\drivers\R5U870FLx86.sys -- (R5U870FLx86)
DRV - [2008/02/12 16:01:28 | 00,043,904 | ---- | M] (Ricoh) -- C:\Windows\System32\drivers\R5U870FUx86.sys -- (R5U870FUx86)
DRV - [2008/02/05 16:48:53 | 00,017,448 | ---- | M] (Broadcom Corporation.) -- C:\Windows\System32\drivers\btwrchid.sys -- (btwrchid)
DRV - [2008/02/05 16:48:52 | 00,099,880 | ---- | M] (Broadcom Corporation.) -- C:\Windows\System32\drivers\btwavdt.sys -- (btwavdt)
DRV - [2008/02/05 16:48:52 | 00,081,448 | ---- | M] (Broadcom Corporation.) -- C:\Windows\System32\drivers\btwaudio.sys -- (btwaudio)
DRV - [2008/02/05 16:48:33 | 00,028,464 | ---- | M] (Broadcom Corporation.) -- C:\Windows\System32\drivers\btwl2cap.sys -- (btwl2cap)
DRV - [2008/02/04 16:08:42 | 01,776,128 | ---- | M] (Intel Corporation) -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2008/01/20 18:23:27 | 00,386,616 | ---- | M] (LSI Corporation, Inc.) -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/20 18:23:27 | 00,149,560 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/20 18:23:27 | 00,031,288 | ---- | M] (LSI Corporation) -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/20 18:23:26 | 00,101,432 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/20 18:23:26 | 00,074,808 | ---- | M] (Silicon Integrated Systems) -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/20 18:23:26 | 00,040,504 | ---- | M] (Hewlett-Packard Company) -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/20 18:23:25 | 00,300,600 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/20 18:23:25 | 00,089,656 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/20 18:23:24 | 01,122,360 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/20 18:23:24 | 00,118,784 | ---- | M] (Intel Corporation) -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2008/01/20 18:23:24 | 00,079,928 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/20 18:23:23 | 00,654,336 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\VSTCNXT3.SYS -- (winachsf)
DRV - [2008/01/20 18:23:23 | 00,235,064 | ---- | M] (Intel Corporation) -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/20 18:23:23 | 00,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/20 18:23:23 | 00,115,816 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/20 18:23:23 | 00,096,312 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/20 18:23:23 | 00,096,312 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/20 18:23:23 | 00,079,416 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/20 18:23:22 | 00,987,648 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\VSTDPV3.SYS -- (HSF_DPV)
DRV - [2008/01/20 18:23:22 | 00,342,584 | ---- | M] (Emulex) -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/20 18:23:22 | 00,200,704 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (HSFHWAZL)
DRV - [2008/01/20 18:23:21 | 00,422,968 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/20 18:23:21 | 00,102,968 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/20 18:23:21 | 00,045,112 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/20 18:23:20 | 00,238,648 | ---- | M] (ULi Electronics Inc.) -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/20 18:23:00 | 00,020,024 | ---- | M] (VIA Technologies, Inc.) -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/20 18:23:00 | 00,019,000 | ---- | M] (CMD Technology, Inc.) -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/20 18:23:00 | 00,017,464 | ---- | M] (Acer Laboratories Inc.) -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2008/01/20 16:56:12 | 00,187,840 | ---- | M] (Stephan Schreiber) -- C:\Windows\System32\drivers\ext2fs.sys -- (Ext2fs)
DRV - [2007/12/29 18:50:42 | 00,058,816 | ---- | M] (Stephan Schreiber) -- C:\Windows\System32\drivers\ifsmount.sys -- (IfsMount)
DRV - [2007/12/20 02:00:00 | 00,044,608 | ---- | M] (Sonic Solutions) -- C:\Windows\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2007/12/16 17:57:23 | 00,009,344 | ---- | M] (Sony Corporation) -- C:\Windows\System32\drivers\SFEP.sys -- (SFEP)
DRV - [2007/12/13 16:40:06 | 00,010,216 | ---- | M] (Sony Corporation) -- C:\Windows\System32\drivers\DMICall.sys -- (DMICall)
DRV - [2007/11/15 16:29:22 | 00,818,688 | ---- | M] (Texas Instruments) -- C:\Windows\System32\drivers\ti21sony.sys -- (ti21sony)
DRV - [2007/10/02 16:04:29 | 00,047,376 | ---- | M] (UPEK Inc.) -- C:\Windows\System32\drivers\tcusb.sys -- (TcUsb)
DRV - [2007/09/26 12:12:22 | 02,251,776 | ---- | M] (Intel Corporation) -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel®
DRV - [2007/05/26 00:03:06 | 00,128,104 | R--- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\WimFltr.sys -- (WimFltr)
DRV - [2007/04/17 19:09:28 | 00,011,032 | ---- | M] (InterVideo) -- C:\Windows\System32\drivers\regi.sys -- (regi)
DRV - [2007/03/09 17:58:05 | 00,181,560 | ---- | M] (Synaptics, Inc.) -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2006/11/02 01:50:35 | 00,106,088 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 01:50:35 | 00,098,408 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 01:50:19 | 00,045,160 | ---- | M] (IBM Corporation) -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 01:50:17 | 00,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 01:50:11 | 00,071,272 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 01:50:09 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 01:50:07 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 01:50:05 | 00,035,944 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 01:50:03 | 00,034,920 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 01:49:59 | 00,033,384 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 01:49:56 | 00,031,848 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 00:25:24 | 00,071,808 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 00:24:47 | 00,011,904 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 00:24:46 | 00,005,248 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 00:24:45 | 00,013,568 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 00:24:44 | 00,062,336 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 00:24:44 | 00,012,160 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/01 23:36:50 | 00,020,608 | ---- | M] (N-trig Innovative Technologies) -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/01 22:37:21 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv)
DRV - [2006/06/06 08:51:06 | 00,022,528 | ---- | M] (WALTOP International Corp.) -- C:\Windows\System32\drivers\aiptektp.sys -- (aiptektp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://my.yahoo.com"
FF - prefs.js..extensions.enabledItems: [email protected]:1.9.3
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..extensions.enabledItems: {1a0c9ebe-ddf9-4b76-b8a3-675c77874d37}:2.7

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/11/25 09:40:15 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/20 18:56:03 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/20 18:54:53 | 00,000,000 | ---D | M]

[2008/07/24 20:02:38 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\Mozilla\Extensions
[2009/12/05 04:19:43 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\Mozilla\Firefox\Profiles\1fgxlujm.default\extensions
[2009/11/27 10:02:14 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\Mozilla\Firefox\Profiles\1fgxlujm.default\extensions\{1a0c9ebe-ddf9-4b76-b8a3-675c77874d37}
[2009/10/10 09:51:05 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\Mozilla\Firefox\Profiles\1fgxlujm.default\extensions\[email protected]
[2009/04/10 20:56:00 | 00,000,945 | ---- | M] () -- C:\Users\carlo\AppData\Roaming\Mozilla\Firefox\Profiles\1fgxlujm.default\searchplugins\youtube-video-search.xml
[2009/12/05 04:19:43 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/03/27 17:42:45 | 00,889,856 | ---- | M] (UPEK Inc.) -- C:\Program Files\Mozilla Firefox\components\pbgk1_9.dll

O1 HOSTS File: (27 bytes) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [atwtusb] C:\Windows\System32\ATWTUSB.EXE ()
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe (Sony Corporation)
O4 - HKLM..\Run: [Persistence] C:\Windows\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [PSQLLauncher] C:\Program Files\Protector Suite QL\launcher.exe (UPEK Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SmartWiHelper] C:\Program Files\Sony Corporation\SmartWi Connection Utility\SmartWiHelper.exe (Sony Electronics Corporation)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - Startup: C:\Users\carlo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (Sun Microsystems, Inc.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_04)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (vrlogon.dll) - C:\Windows\System32\vrlogon.dll (UPEK Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\psfus: DllName - C:\Windows\system32\psqlpwd.dll - C:\Windows\System32\psqlpwd.dll (UPEK Inc.)
O20 - Winlogon\Notify\VESWinlogon: DllName - VESWinlogon.dll - C:\Windows\System32\VESWinlogon.dll (Sony Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 13:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/05 09:34:29 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/12/05 09:33:38 | 00,536,576 | ---- | C] (OldTimer Tools) -- C:\Users\carlo\Desktop\OTL.exe
[2009/12/05 03:30:28 | 04,844,296 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\carlo\Desktop\mbam-setup.exe
[2009/12/05 03:25:41 | 00,343,040 | ---- | C] (OldTimer Tools) -- C:\Users\carlo\Desktop\TFC.exe
[2009/12/04 22:47:07 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Local\temp
[2009/12/04 22:43:43 | 00,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2009/12/04 22:24:21 | 00,000,000 | ---D | C] -- C:\Windows\temp
[2009/12/04 22:10:01 | 00,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2009/12/04 22:10:01 | 00,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2009/12/04 22:10:01 | 00,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2009/12/04 22:10:01 | 00,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2009/12/04 22:03:18 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/12/04 22:03:03 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
[2009/12/04 00:10:23 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/04 00:10:21 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/12/04 00:10:21 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/03 23:14:33 | 00,000,000 | ---D | C] -- C:\MGtools
[2009/12/03 22:54:05 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/12/01 02:07:11 | 00,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2009/12/01 02:07:04 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Roaming\SUPERAntiSpyware.com
[2009/12/01 02:07:04 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/11/30 19:06:51 | 00,000,000 | -HSD | C] -- C:\ProgramData\WSGSHUD_APDM
[2009/11/30 19:01:36 | 00,000,000 | -HSD | C] -- C:\Users\carlo\AppData\Roaming\System
[2009/11/30 19:01:35 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Roaming\Mozilla Firefox
[2009/11/30 18:43:42 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Roaming\EA
[2009/11/30 18:43:28 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Local\Deployment
[2009/11/30 18:43:25 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Local\Apps
[2009/11/27 23:55:31 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Local\Unity
[2009/11/27 15:13:48 | 00,000,000 | ---D | C] -- C:\Users\carlo\Documents\FIFA 10 - Demo
[2009/11/27 15:05:07 | 03,786,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_37.dll
[2009/11/27 15:05:07 | 03,727,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_35.dll
[2009/11/27 15:05:06 | 03,497,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_34.dll
[2009/11/27 15:05:05 | 03,495,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_33.dll
[2009/11/27 15:05:05 | 00,081,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_3.dll
[2009/11/27 15:05:04 | 03,426,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_32.dll
[2009/11/27 15:05:02 | 02,414,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_31.dll
[2009/11/27 15:04:42 | 02,388,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_30.dll
[2009/11/27 15:04:41 | 02,332,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_29.dll
[2009/11/27 15:04:40 | 02,323,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_28.dll
[2009/11/27 15:04:39 | 02,319,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_27.dll
[2009/11/27 15:04:38 | 02,297,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_26.dll
[2009/11/27 15:04:36 | 02,337,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_25.dll
[2009/11/27 15:04:34 | 02,222,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_24.dll
[2009/11/25 02:29:11 | 00,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2009/11/23 23:41:32 | 00,000,000 | ---D | C] -- C:\AeriaGames
[2009/11/23 23:20:40 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Akamai
[2009/11/15 23:03:25 | 00,000,000 | ---D | C] -- C:\Program Files\DivX
[2009/11/15 23:03:03 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\DivX Shared
[2009/11/11 09:03:37 | 02,036,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2009/11/11 09:03:34 | 00,355,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WSDApi.dll

========== Files - Modified Within 30 Days ==========

[2009/12/05 09:51:33 | 03,145,728 | -HS- | M] () -- C:\Users\carlo\NTUSER.DAT
[2009/12/05 09:48:18 | 00,000,202 | ---- | M] () -- C:\Windows\win.ini
[2009/12/05 09:47:57 | 00,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2009/12/05 09:47:39 | 00,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/12/05 09:47:39 | 00,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/12/05 09:47:34 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/12/05 09:47:17 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/12/05 09:47:04 | 32,111,90272 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/05 09:46:27 | 00,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/12/05 09:46:27 | 00,595,684 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/12/05 09:46:27 | 00,101,350 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/12/05 09:46:20 | 00,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2009/12/05 09:46:19 | 00,524,288 | -HS- | M] () -- C:\Users\carlo\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2009/12/05 09:46:19 | 00,065,536 | -HS- | M] () -- C:\Users\carlo\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2009/12/05 09:46:08 | 04,004,308 | -H-- | M] () -- C:\Users\carlo\AppData\Local\IconCache.db
[2009/12/05 09:33:38 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Users\carlo\Desktop\OTL.exe
[2009/12/05 09:22:48 | 00,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2009/12/05 03:32:42 | 04,844,296 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\carlo\Desktop\mbam-setup.exe
[2009/12/05 03:25:42 | 00,343,040 | ---- | M] (OldTimer Tools) -- C:\Users\carlo\Desktop\TFC.exe
[2009/12/05 00:30:49 | 00,002,176 | ---- | M] () -- C:\Users\carlo\Documents\pop58.ROXIO
[2009/12/04 23:08:44 | 00,002,078 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2009/12/04 22:29:59 | 00,000,215 | ---- | M] () -- C:\Windows\system.ini
[2009/12/04 22:28:11 | 00,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2009/12/04 09:51:16 | 13,022,3166 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2009/12/04 09:49:03 | 00,000,000 | ---- | M] () -- C:\backup.reg
[2009/12/04 09:49:02 | 00,135,168 | ---- | M] () -- C:\zip.exe
[2009/12/04 09:49:02 | 00,000,574 | ---- | M] () -- C:\cleanup.bat
[2009/12/03 23:14:35 | 00,014,122 | ---- | M] () -- C:\MGlogs.zip
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/12/03 09:15:58 | 00,100,864 | ---- | M] () -- C:\Users\carlo\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/03 09:15:53 | 96,228,4122 | ---- | M] () -- C:\Users\carlo\Desktop\091202 AKBINGO!.avi
[2009/11/30 21:15:31 | 54,241,790 | ---- | M] () -- C:\Users\carlo\Desktop\[ems]Noel_no_Kimochi_V01.zip
[2009/11/30 20:17:54 | 00,005,256 | ---- | M] () -- C:\Users\carlo\.recently-used.xbel
[2009/11/23 23:42:20 | 00,001,635 | ---- | M] () -- C:\Users\carlo\Desktop\Grand Fantasia.lnk
[2009/11/17 02:17:27 | 00,193,024 | ---- | M] () -- C:\Users\carlo\Documents\proof.mswmm
[2009/11/14 01:47:57 | 00,260,608 | ---- | M] () -- C:\Windows\PEV.exe
[2009/11/12 03:19:28 | 00,340,240 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2009/12/05 00:28:29 | 00,002,176 | ---- | C] () -- C:\Users\carlo\Documents\pop58.ROXIO
[2009/12/04 23:08:44 | 00,002,078 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2009/12/04 22:25:43 | 32,111,90272 | -HS- | C] () -- C:\hiberfil.sys
[2009/12/04 22:10:01 | 00,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2009/12/04 22:10:01 | 00,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2009/12/04 22:10:01 | 00,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2009/12/04 22:10:01 | 00,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2009/12/04 09:49:03 | 00,000,000 | ---- | C] () -- C:\backup.reg
[2009/12/04 09:49:02 | 00,135,168 | ---- | C] () -- C:\zip.exe
[2009/12/04 09:49:02 | 00,000,574 | ---- | C] () -- C:\cleanup.bat
[2009/12/03 23:14:35 | 00,014,122 | ---- | C] () -- C:\MGlogs.zip
[2009/12/03 08:58:15 | 96,228,4122 | ---- | C] () -- C:\Users\carlo\Desktop\091202 AKBINGO!.avi
[2009/11/30 21:08:16 | 54,241,790 | ---- | C] () -- C:\Users\carlo\Desktop\[ems]Noel_no_Kimochi_V01.zip
[2009/11/30 20:17:54 | 00,005,256 | ---- | C] () -- C:\Users\carlo\.recently-used.xbel
[2009/11/23 23:42:20 | 00,001,635 | ---- | C] () -- C:\Users\carlo\Desktop\Grand Fantasia.lnk
[2009/11/17 02:10:55 | 00,193,024 | ---- | C] () -- C:\Users\carlo\Documents\proof.mswmm
[2009/10/15 01:01:35 | 00,000,118 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2009/10/13 22:11:06 | 00,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/08/15 09:35:43 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/15 09:10:42 | 00,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2009/06/16 22:17:04 | 00,006,404 | ---- | C] () -- C:\Users\carlo\AppData\Roaming\PrimoPDFSet.xml
[2009/06/16 22:14:34 | 00,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2009/04/26 20:13:36 | 00,000,314 | ---- | C] () -- C:\Windows\primopdf.ini
[2008/12/31 13:57:40 | 00,000,022 | -H-- | C] () -- C:\Users\carlo\AppData\Local\xftredahs.dat
[2008/08/29 15:13:54 | 00,005,511 | ---- | C] () -- C:\Windows\aiptbl.ini
[2008/08/03 22:15:21 | 00,002,828 | -HS- | C] () -- C:\Windows\System32\KGyGaAvL.sys
[2008/08/03 22:15:21 | 00,000,088 | RHS- | C] () -- C:\Windows\System32\8DDB2614FF.sys
[2008/07/29 20:04:23 | 00,000,680 | ---- | C] () -- C:\Users\carlo\AppData\Local\d3d9caps.dat
[2008/07/24 21:52:48 | 00,100,864 | ---- | C] () -- C:\Users\carlo\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/07/24 20:01:13 | 00,000,394 | ---- | C] () -- C:\Users\carlo\AppData\Roaming\wklnhst.dat
[2008/04/18 12:52:44 | 00,000,000 | ---- | C] () -- C:\Windows\VAIOUpdt.INI
[2008/04/18 11:25:16 | 01,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2008/04/18 10:34:04 | 00,910,464 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2008/04/18 10:34:04 | 00,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2008/04/18 10:34:04 | 00,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1295.dll
[2007/10/30 09:44:52 | 00,393,216 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2006/11/02 04:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/01 23:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2001/11/14 12:56:00 | 01,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 64 bytes -> C:\Users\carlo\Desktop\AKB48 - River (1280x720).avi:TOC.WMV
@Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:8CE646EE
< End of report >
  • 0
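Reviewing an OTL log like the one above means scanning hundreds of lines for the few that deserve a second look. The Python script below is an added example, not part of this thread and not OTL's own code: it parses the two line formats that appear in the log (the O4 autorun entries and the bracketed file/folder entries) and applies two simple review heuristics, autoruns whose publisher field is empty and hidden or hidden+system items under ProgramData or a user profile. The sample lines are copied from the posted log; the heuristics, the path markers and the output wording are my own assumptions, and a flag is a prompt for a reviewer to check the item, not a verdict on it.

```python
import re
from typing import List, Tuple

# Lines copied from the OTL log posted in this thread (O4 autoruns and
# file/folder entries); they stand in for a full OTL.txt.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [atwtusb] C:\Windows\System32\ATWTUSB.EXE ()
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
[2009/11/30 19:06:51 | 00,000,000 | -HSD | C] -- C:\ProgramData\WSGSHUD_APDM
[2009/11/30 19:01:36 | 00,000,000 | -HSD | C] -- C:\Users\carlo\AppData\Roaming\System
[2009/12/04 22:43:43 | 00,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2008/12/31 13:57:40 | 00,000,022 | -H-- | C] () -- C:\Users\carlo\AppData\Local\xftredahs.dat
[2009/12/05 09:33:38 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Users\carlo\Desktop\OTL.exe
"""

# O4 - <registry key>: [<value name>] <path> (<company>)
O4_RE = re.compile(
    r"^O4 - (?P<key>[^:]+):\s*\[(?P<name>[^\]]+)\]\s+(?P<path>.+?)\s+\((?P<company>[^)]*)\)\s*$"
)
# [<date> | <size> | <attrs> | C or M] (<company>) -- <path>   (company part is optional)
FILE_RE = re.compile(
    r"^\[(?P<date>[^|]+)\|(?P<size>[^|]+)\|(?P<attrs>[^|]+)\|(?P<kind>[^\]]+)\]\s*"
    r"(?:\((?P<company>[^)]*)\)\s*)?--\s*(?P<path>.+?)\s*$"
)

# Assumed markers for locations an ordinary user account can write to.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\")


def in_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs for entries a reviewer should look at."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            # An autorun with no publisher is not malicious by itself, but it
            # is the first thing to verify by hand.
            if not m.group("company").strip():
                findings.append(("autorun without publisher", m.group("path")))
            continue
        m = FILE_RE.match(line)
        if not m:
            continue  # DRV/PRC/O-other lines are outside this example's scope
        attrs = m.group("attrs").strip()   # e.g. -HSD, -H--, RHS-, ----
        path = m.group("path")
        company = (m.group("company") or "").strip()
        hidden, system, is_dir = "H" in attrs, "S" in attrs, "D" in attrs
        if not in_user_writable(path):
            continue  # keep the noise down: only user-writable locations
        if is_dir and hidden and system:
            findings.append(("hidden+system folder in profile/ProgramData", path))
        elif not is_dir and hidden and not company:
            findings.append(("hidden file without publisher in profile/ProgramData", path))
    return findings


if __name__ == "__main__":
    for reason, path in triage(SAMPLE_LOG):
        print(f"{reason}: {path}")
```

The $RECYCLE.BIN folder carries the same -HSD attributes but sits at the drive root, so it is not flagged; the point of the location filter is to separate ordinary system housekeeping from items in places malware can write to without elevation.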

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hi


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done


Your logs are clean


Follow these steps to uninstall Combofix and tools used in the removal of malware

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.



  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.




You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here:
http://www.adobe.com.../readstep2.html



Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.



Below I have included a number of recommendations for how to protect your computer against malware infections.
  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.

  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program (e.g. TeaTimer, Windows Defender) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • TFC - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here


    If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
    • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.

  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

  • Please read my guide on how to prevent malware and about safe computing here
Thank you for your patience, and for performing all of the procedures requested.
  • 0
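The MVPS hosts file advice above works because Windows consults the hosts file before DNS, so a name mapped to 127.0.0.1 never leaves the machine; the same mechanism is why OTL lists the O1 HOSTS entries in the log, since a hosts file can just as well point a legitimate name somewhere else. The Python script below is an added example, not part of this thread or of any tool named in it, of the check a reviewer does on those lines: it parses a hosts file, treats names sent to a loopback or unspecified address as blocklist sinks (expected with an MVPS-style file), and reports names sent to any other address, which each need a reason. The sample hosts content is constructed for the example and is not the file from the machine in this thread.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file: the stock Windows lines, two MVPS-style
# blocklist entries, one hijack-style entry that points a real site name at
# a TEST-NET address (RFC 5737, never routable), and one malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1  ad.doubleclick.net        # MVPS-style blocklist entry
0.0.0.0    banner.example-ads.test   # same idea, null-routed
203.0.113.5  www.google.com          # hijack-style entry (constructed)
not-an-address  something.test
"""

Entry = Tuple[int, str, str]  # (line number, address, host name)


def audit_hosts(text: str) -> Dict[str, List[Entry]]:
    """Sort hosts-file entries into three bins.

    sinks:     names sent to a loopback or unspecified address; this is how a
               blocklist such as the MVPS hosts file works and is expected.
    redirects: names sent to any other address; a browser asking for such a
               name never reaches the real site, so each one needs a reason.
    malformed: lines that are neither a comment nor '<address> <name>...'.
    """
    result: Dict[str, List[Entry]] = {"sinks": [], "redirects": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            result["malformed"].append((lineno, fields[0], " ".join(fields[1:])))
            continue
        if len(fields) < 2:
            result["malformed"].append((lineno, fields[0], ""))
            continue
        bucket = "sinks" if (addr.is_loopback or addr.is_unspecified) else "redirects"
        for name in fields[1:]:  # one line may list several names
            result[bucket].append((lineno, str(addr), name.lower()))
    return result


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for bucket, entries in report.items():
        print(f"{bucket}: {len(entries)}")
        for lineno, addr, name in entries:
            print(f"  line {lineno}: {addr} -> {name}")
```

The 27-byte hosts file in the log above contains only the stock localhost line, so it would produce one sink and nothing else; after installing an MVPS-style file the sinks bucket grows to thousands of entries while the redirects bucket should stay empty.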



#11
chupata

chupata

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hi, I was in Firefox just now and it seems I am still getting redirects and pop-ups... please advise.

I did another Quick Scan with OTL.


OTL.txt:

OTL logfile created on: 12/6/2009 10:09:56 AM - Run 1
OTL by OldTimer - Version 3.1.11.7 Folder = C:\Users\carlo\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.85 Gb Available Physical Memory | 92.65% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 225.10 Gb Total Space | 99.33 Gb Free Space | 44.13% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CATERPILLAR
Current User Name: carlo
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/06 10:09:16 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Users\carlo\Desktop\OTL.exe
PRC - [2009/11/12 17:06:04 | 00,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/09/20 18:54:41 | 00,908,280 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/04/10 22:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/04/10 09:29:08 | 00,037,888 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2008/05/29 21:43:38 | 02,580,480 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
PRC - [2008/05/29 21:43:36 | 02,363,392 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
PRC - [2008/03/09 07:12:24 | 00,240,640 | ---- | M] () -- C:\Program Files\AutoHotkey\AutoHotkey.exe
PRC - [2008/03/07 10:48:38 | 00,921,600 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
PRC - [2008/02/21 09:26:20 | 00,182,392 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
PRC - [2008/02/21 09:26:20 | 00,100,472 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
PRC - [2008/02/04 16:09:00 | 00,252,440 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxsrvc.exe
PRC - [2008/02/04 16:08:48 | 00,166,424 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxext.exe
PRC - [2008/02/04 16:08:48 | 00,137,752 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxpers.exe
PRC - [2008/02/04 16:08:30 | 00,154,136 | ---- | M] (Intel Corporation) -- C:\Windows\System32\hkcmd.exe
PRC - [2008/01/20 18:25:32 | 00,198,656 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
PRC - [2008/01/20 18:24:59 | 00,142,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\WUDFHost.exe
PRC - [2008/01/20 18:23:32 | 01,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2008/01/20 18:23:32 | 00,095,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mobsync.exe
PRC - [2007/11/21 11:38:28 | 00,311,296 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\ISB Utility\ISBMgr.exe
PRC - [2007/10/30 10:04:08 | 01,804,840 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PRC - [2007/10/30 10:04:08 | 00,748,072 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2007/06/05 22:04:42 | 00,021,504 | ---- | M] (UPEK Inc.) -- C:\Program Files\Protector Suite QL\upeksvr.exe
PRC - [2007/06/05 21:46:52 | 00,053,776 | ---- | M] (UPEK Inc.) -- C:\Program Files\Protector Suite QL\psqltray.exe
PRC - [2007/06/05 12:20:32 | 00,177,704 | ---- | M] () -- C:\Windows\System32\PSIService.exe
PRC - [2007/03/20 16:43:50 | 00,315,392 | ---- | M] () -- C:\Windows\System32\ATWTUSB.EXE
PRC - [2007/03/09 17:58:22 | 00,835,584 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


========== Modules (SafeList) ==========

MOD - [2009/12/06 10:09:16 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Users\carlo\Desktop\OTL.exe
MOD - [2009/11/23 10:38:10 | 00,014,544 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2009/04/10 22:21:38 | 01,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2007/10/30 10:03:22 | 00,208,896 | ---- | M] (Broadcom Corporation.) -- C:\Windows\System32\BtMmHook.dll
MOD - [2007/10/30 09:57:58 | 00,126,976 | ---- | M] () -- C:\Program Files\WIDCOMM\Bluetooth Software\BTKeyInd.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/23 23:20:48 | 02,309,520 | ---- | M] () -- C:/Program Files/Common Files/Akamai/rswin_3612.dll -- (Akamai)
SRV - [2009/11/12 17:06:04 | 00,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/03/25 16:34:08 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9adaa9861fac1) Google Update Service (gupdate1c9adaa9861fac1)
SRV - [2008/11/20 11:18:52 | 00,136,120 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/07/22 08:59:42 | 00,794,624 | ---- | M] () -- C:\Program Files\TVersity\Media Server\MediaServer.exe -- (TVersityMediaServer)
SRV - [2008/02/21 09:26:20 | 00,182,392 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)
SRV - [2008/01/20 18:23:32 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/11/28 01:08:02 | 00,077,824 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2007/11/28 01:02:20 | 00,053,248 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2007/11/28 00:43:44 | 00,053,248 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2007/06/05 12:20:32 | 00,177,704 | ---- | M] () -- C:\Windows\System32\PSIService.exe -- (ProtexisLicensing)
SRV - [2007/01/04 18:48:52 | 00,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/11/02 04:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://my.yahoo.com"
FF - prefs.js..extensions.enabledItems: [email protected]:1.9.3
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..extensions.enabledItems: {1a0c9ebe-ddf9-4b76-b8a3-675c77874d37}:2.7

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/11/25 09:40:15 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/20 18:56:03 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/20 18:54:53 | 00,000,000 | ---D | M]

[2008/07/24 20:02:38 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\Mozilla\Extensions
[2009/12/05 10:02:51 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\Mozilla\Firefox\Profiles\1fgxlujm.default\extensions
[2009/11/27 10:02:14 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\Mozilla\Firefox\Profiles\1fgxlujm.default\extensions\{1a0c9ebe-ddf9-4b76-b8a3-675c77874d37}
[2009/10/10 09:51:05 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\Mozilla\Firefox\Profiles\1fgxlujm.default\extensions\[email protected]
[2009/04/10 20:56:00 | 00,000,945 | ---- | M] () -- C:\Users\carlo\AppData\Roaming\Mozilla\Firefox\Profiles\1fgxlujm.default\searchplugins\youtube-video-search.xml
[2009/12/05 10:02:51 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/03/27 17:42:45 | 00,889,856 | ---- | M] (UPEK Inc.) -- C:\Program Files\Mozilla Firefox\components\pbgk1_9.dll

O1 HOSTS File: (27 bytes) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [atwtusb] C:\Windows\System32\ATWTUSB.EXE ()
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe (Sony Corporation)
O4 - HKLM..\Run: [Persistence] C:\Windows\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [PSQLLauncher] C:\Program Files\Protector Suite QL\launcher.exe (UPEK Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - Startup: C:\Users\carlo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (Sun Microsystems, Inc.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_04)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (vrlogon.dll) - C:\Windows\System32\vrlogon.dll (UPEK Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\psfus: DllName - C:\Windows\system32\psqlpwd.dll - C:\Windows\System32\psqlpwd.dll (UPEK Inc.)
O20 - Winlogon\Notify\VESWinlogon: DllName - VESWinlogon.dll - C:\Windows\System32\VESWinlogon.dll (Sony Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 13:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/01/20 18:34:27 | 00,000,000 | ---D | M]
NetSvcs: Irmon - C:\Windows\System32\irmon.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 14 Days ==========

[2009/12/06 10:09:14 | 00,536,576 | ---- | C] (OldTimer Tools) -- C:\Users\carlo\Desktop\OTL.exe
[2009/12/05 03:30:28 | 04,844,296 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\carlo\Desktop\mbam-setup.exe
[2009/12/05 03:25:41 | 00,343,040 | ---- | C] (OldTimer Tools) -- C:\Users\carlo\Desktop\TFC.exe
[2009/12/04 22:47:07 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Local\temp
[2009/12/04 22:43:43 | 00,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2009/12/04 22:24:21 | 00,000,000 | ---D | C] -- C:\Windows\temp
[2009/12/04 00:10:23 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/04 00:10:21 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/12/04 00:10:21 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/03 23:14:33 | 00,000,000 | ---D | C] -- C:\MGtools
[2009/12/01 02:07:11 | 00,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2009/12/01 02:07:04 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Roaming\SUPERAntiSpyware.com
[2009/12/01 02:07:04 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/11/30 19:06:51 | 00,000,000 | -HSD | C] -- C:\ProgramData\WSGSHUD_APDM
[2009/11/30 19:01:36 | 00,000,000 | -HSD | C] -- C:\Users\carlo\AppData\Roaming\System
[2009/11/30 19:01:35 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Roaming\Mozilla Firefox
[2009/11/30 18:43:42 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Roaming\EA
[2009/11/30 18:43:28 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Local\Deployment
[2009/11/30 18:43:25 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Local\Apps
[2009/11/27 23:55:31 | 00,000,000 | ---D | C] -- C:\Users\carlo\AppData\Local\Unity
[2009/11/27 15:13:48 | 00,000,000 | ---D | C] -- C:\Users\carlo\Documents\FIFA 10 - Demo
[2009/11/23 23:41:32 | 00,000,000 | ---D | C] -- C:\AeriaGames
[2009/11/23 23:20:40 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Akamai

========== Files - Modified Within 14 Days ==========

[2009/12/06 10:10:01 | 03,145,728 | -HS- | M] () -- C:\Users\carlo\NTUSER.DAT
[2009/12/06 10:09:16 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Users\carlo\Desktop\OTL.exe
[2009/12/06 10:07:01 | 00,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2009/12/06 10:04:41 | 00,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/12/06 10:04:41 | 00,595,684 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/12/06 10:04:41 | 00,101,350 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/12/06 09:57:55 | 00,000,202 | ---- | M] () -- C:\Windows\win.ini
[2009/12/06 09:57:53 | 00,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/12/06 09:57:52 | 00,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/12/06 09:57:44 | 00,083,616 | ---- | M] () -- C:\Users\carlo\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/12/06 09:57:18 | 00,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2009/12/06 09:57:03 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/12/06 09:56:54 | 00,340,240 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/12/06 09:56:40 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/12/06 09:56:24 | 32,111,90272 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/06 09:55:42 | 00,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2009/12/06 09:55:40 | 00,524,288 | -HS- | M] () -- C:\Users\carlo\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2009/12/06 09:55:40 | 00,065,536 | -HS- | M] () -- C:\Users\carlo\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2009/12/06 09:55:38 | 04,006,690 | -H-- | M] () -- C:\Users\carlo\AppData\Local\IconCache.db
[2009/12/05 03:32:42 | 04,844,296 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\carlo\Desktop\mbam-setup.exe
[2009/12/05 03:25:42 | 00,343,040 | ---- | M] (OldTimer Tools) -- C:\Users\carlo\Desktop\TFC.exe
[2009/12/05 00:30:49 | 00,002,176 | ---- | M] () -- C:\Users\carlo\Documents\pop58.ROXIO
[2009/12/04 23:08:44 | 00,002,078 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2009/12/04 22:29:59 | 00,000,215 | ---- | M] () -- C:\Windows\system.ini
[2009/12/04 22:28:11 | 00,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2009/12/04 09:51:16 | 13,022,3166 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2009/12/04 09:49:03 | 00,000,000 | ---- | M] () -- C:\backup.reg
[2009/12/04 09:49:02 | 00,000,574 | ---- | M] () -- C:\cleanup.bat
[2009/12/03 23:14:35 | 00,014,122 | ---- | M] () -- C:\MGlogs.zip
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/12/03 09:15:58 | 00,100,864 | ---- | M] () -- C:\Users\carlo\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/03 09:15:53 | 96,228,4122 | ---- | M] () -- C:\Users\carlo\Desktop\091202 AKBINGO!.avi
[2009/11/30 21:15:31 | 54,241,790 | ---- | M] () -- C:\Users\carlo\Desktop\[ems]Noel_no_Kimochi_V01.zip
[2009/11/30 20:17:54 | 00,005,256 | ---- | M] () -- C:\Users\carlo\.recently-used.xbel
[2009/11/23 23:42:20 | 00,001,635 | ---- | M] () -- C:\Users\carlo\Desktop\Grand Fantasia.lnk

========== Files Created - No Company Name ==========

[2009/12/05 00:28:29 | 00,002,176 | ---- | C] () -- C:\Users\carlo\Documents\pop58.ROXIO
[2009/12/04 23:08:44 | 00,002,078 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2009/12/04 22:25:43 | 32,111,90272 | -HS- | C] () -- C:\hiberfil.sys
[2009/12/04 09:49:03 | 00,000,000 | ---- | C] () -- C:\backup.reg
[2009/12/04 09:49:02 | 00,000,574 | ---- | C] () -- C:\cleanup.bat
[2009/12/03 23:14:35 | 00,014,122 | ---- | C] () -- C:\MGlogs.zip
[2009/12/03 08:58:15 | 96,228,4122 | ---- | C] () -- C:\Users\carlo\Desktop\091202 AKBINGO!.avi
[2009/11/30 21:08:16 | 54,241,790 | ---- | C] () -- C:\Users\carlo\Desktop\[ems]Noel_no_Kimochi_V01.zip
[2009/11/30 20:17:54 | 00,005,256 | ---- | C] () -- C:\Users\carlo\.recently-used.xbel
[2009/11/23 23:42:20 | 00,001,635 | ---- | C] () -- C:\Users\carlo\Desktop\Grand Fantasia.lnk
[2009/10/15 01:01:35 | 00,000,118 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2009/10/13 22:11:06 | 00,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/08/15 09:35:43 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/15 09:10:42 | 00,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2009/06/16 22:17:04 | 00,006,404 | ---- | C] () -- C:\Users\carlo\AppData\Roaming\PrimoPDFSet.xml
[2009/06/16 22:14:34 | 00,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2009/04/26 20:13:36 | 00,000,314 | ---- | C] () -- C:\Windows\primopdf.ini
[2008/12/31 13:57:40 | 00,000,022 | -H-- | C] () -- C:\Users\carlo\AppData\Local\xftredahs.dat
[2008/08/29 15:13:54 | 00,005,511 | ---- | C] () -- C:\Windows\aiptbl.ini
[2008/08/03 22:15:21 | 00,002,828 | -HS- | C] () -- C:\Windows\System32\KGyGaAvL.sys
[2008/08/03 22:15:21 | 00,000,088 | RHS- | C] () -- C:\Windows\System32\8DDB2614FF.sys
[2008/07/29 20:04:23 | 00,000,680 | ---- | C] () -- C:\Users\carlo\AppData\Local\d3d9caps.dat
[2008/07/24 21:52:48 | 00,100,864 | ---- | C] () -- C:\Users\carlo\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/07/24 20:01:13 | 00,000,394 | ---- | C] () -- C:\Users\carlo\AppData\Roaming\wklnhst.dat
[2008/04/18 12:52:44 | 00,000,000 | ---- | C] () -- C:\Windows\VAIOUpdt.INI
[2008/04/18 11:25:16 | 01,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2008/04/18 10:34:04 | 00,910,464 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2008/04/18 10:34:04 | 00,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2008/04/18 10:34:04 | 00,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1295.dll
[2007/10/30 09:44:52 | 00,393,216 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2006/11/02 04:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/01 23:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2001/11/14 12:56:00 | 01,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll

========== LOP Check ==========

[2009/10/27 01:43:35 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\.purple
[2008/09/18 18:36:23 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\Canon
[2009/11/30 18:43:42 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\EA
[2009/11/30 20:17:54 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\gtk-2.0
[2009/09/17 19:36:57 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\InterVideo
[2008/08/04 17:39:14 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\IrfanView
[2009/11/30 19:21:47 | 00,000,000 | -HSD | M] -- C:\Users\carlo\AppData\Roaming\System
[2008/07/24 20:01:19 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\Template
[2009/12/03 10:35:36 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\uTorrent
[2008/12/31 16:03:05 | 00,000,000 | ---D | M] -- C:\Users\carlo\AppData\Roaming\WinFF
[2009/12/06 09:55:42 | 00,032,638 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/20 18:23:01 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\ERDNT\cache\AGP440.sys
[2008/01/20 18:23:01 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys
[2008/01/20 18:23:01 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008/01/20 18:23:01 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/20 18:23:01 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/20 18:23:01 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2006/11/02 01:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/04/10 22:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\ERDNT\cache\atapi.sys
[2009/04/10 22:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/10 22:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/10 22:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/20 18:23:00 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/20 18:23:00 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 01:49:36 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 01:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\ERDNT\cache\cngaudit.dll
[2006/11/02 01:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 01:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: EVENTLOG.DLL >
[2007/06/05 22:06:16 | 00,033,280 | ---- | M] (UPEK Inc.) MD5=98E10163017B71CF8B804B6624EA3767 -- C:\Program Files\Protector Suite QL\eventlog.dll

< MD5 for: IASTORV.SYS >
[2008/01/20 18:23:23 | 00,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys
[2008/01/20 18:23:23 | 00,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/20 18:23:23 | 00,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 01:51:25 | 00,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/04/10 22:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\ERDNT\cache\netlogon.dll
[2009/04/10 22:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2009/04/10 22:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/20 18:24:05 | 00,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 01:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/20 18:23:21 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/20 18:23:21 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/20 18:23:21 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/20 18:24:50 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2009/04/10 22:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\ERDNT\cache\scecli.dll
[2009/04/10 22:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2009/04/10 22:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 64 bytes -> C:\Users\carlo\Desktop\AKB48 - River (1280x720).avi:TOC.WMV
@Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:8CE646EE
< End of report >

Extras.txt:

OTL Extras logfile created on: 12/6/2009 10:09:56 AM - Run 1
OTL by OldTimer - Version 3.1.11.7 Folder = C:\Users\carlo\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.85 Gb Available Physical Memory | 92.65% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 225.10 Gb Total Space | 99.33 Gb Free Space | 44.13% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CATERPILLAR
Current User Name: carlo
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SystemRoot%\hh.exe" %1
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SystemRoot%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [TVersity] -- "C:\Program Files\TVersity\Media Server\GUILaunch.exe" -type "folder" -url "%1" -title "" -tags "" ()
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-18]
"EnableNotifications" = 0
"EnableNotifications\Ref" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-82084531-1568399576-1305024956-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1474F340-0DAD-432F-938F-6A5191070EBE}" = rport=10243 | protocol=6 | dir=out | app=system |
"{1B060063-E329-4761-A7F2-D23B7853B21C}" = rport=139 | protocol=6 | dir=out | app=system |
"{1C5DE76D-20F7-40BB-8B68-F48E12676AB6}" = lport=138 | protocol=17 | dir=in | app=system |
"{31AE877E-EF62-4A93-8420-A0D8A1D899E6}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{3ACC1612-B5C8-42EF-B793-1B8FB573B9A5}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{6C40EF8C-E1D5-4AD8-9FC5-C06B698578F8}" = lport=10243 | protocol=6 | dir=in | app=system |
"{736ACE2C-CDAD-4C95-86E2-B447093F6272}" = rport=445 | protocol=6 | dir=out | app=system |
"{83BCC916-4216-4A19-A4E7-8E66CA64B649}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{8BD58F27-1D54-4FE7-9F34-842162311880}" = lport=445 | protocol=6 | dir=in | app=system |
"{A25B4C7E-7F3B-4B62-95FC-D7903A47AF8E}" = lport=2869 | protocol=6 | dir=in | app=system |
"{A36257AE-A27D-48A9-BD31-BEC189C10B4B}" = lport=139 | protocol=6 | dir=in | app=system |
"{B1EEDABD-D728-401B-92B7-BDE621B5F895}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{B54BC4E7-7A08-4219-9F23-7831D3463EC7}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{C65FA34A-DC7C-4B74-8129-6A8D09759C70}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{D83A5339-6DD2-4A91-96E0-29BC82D8ADFB}" = rport=137 | protocol=17 | dir=out | app=system |
"{E0DA1250-BD68-4D95-AC78-D54AE453F330}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@FirewallAPI.dll,-28539 |
"{E3EC902A-6437-43BE-976C-1CCF6024004E}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{EF2E5116-B301-490D-90A2-8F7896D9AC45}" = rport=138 | protocol=17 | dir=out | app=system |
"{FFEA3272-EA82-43A4-8656-C734392DCF4C}" = lport=137 | protocol=17 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{017F2075-101A-476E-AE60-283A9D3570C1}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{08F15A4C-D277-4C1F-A5B8-E757172D4127}" = protocol=17 | dir=in | app=c:\windows\system32\fastnetsrv.exe |
"{0F9F4F0A-F1FF-46F8-BB3B-4E45561E6F7C}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{18C3298E-5767-4322-984F-B2A18493EF7D}" = protocol=6 | dir=out | app=system |
"{1987E05F-E3A7-4F93-A3D3-A069ADB684F1}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{271AB6D0-5D48-472D-A624-7F136B49113C}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{2AEFC1BD-26A2-43EB-A0E9-D0D3E036E95E}" = protocol=58 | dir=out | name=@FirewallAPI.dll,-28546 |
"{3C81E5EF-64DD-4FC7-BE3F-6608D3EBE11C}" = protocol=6 | dir=in | app=c:\program files\tversity\media server\mediaserver.exe |
"{3DEACB06-6DAF-4441-85F1-B8A4D35B2A11}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{4915CC09-B29C-4C36-BE6A-6BB893050B35}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{4BE3D186-A528-45CD-86E5-3A3E77A5FB1A}" = protocol=17 | dir=in | app=c:\program files\tversity\media server\mediaserver.exe |
"{631D8987-7FF8-4105-B566-8B886DF1C0CA}" = protocol=1 | dir=in | name=@FirewallAPI.dll,-28543 |
"{650A3AE3-F876-43DC-8602-F73BF06DDF62}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{7328A4B6-F1A4-44D0-93D6-1D33832D6CFA}" = protocol=1 | dir=out | name=@FirewallAPI.dll,-28544 |
"{99512558-6AA5-45E7-8D63-23F7D9C14790}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{ADC248B6-6AD2-4328-BED5-5FF82E64FC89}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{B2DB7012-7401-4D81-A8D1-008106DC3E9E}" = protocol=58 | dir=in | name=@FirewallAPI.dll,-28545 |
"{BAA4FA87-444F-404F-8891-DDA02CCA495A}" = protocol=6 | dir=in | app=c:\windows\system32\fastnetsrv.exe |
"{CF49EB93-300D-48D7-B49A-5F715E338DC4}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{DD936DA2-DA0C-4013-B621-063AAE2F80A1}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{DE8F49F0-8A54-4ADE-AEED-91FC51519481}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{ED54AEFD-7E4A-492B-A8D6-A803C2158234}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"TCP Query User{0E0238C3-7453-4930-852A-47938DFEA420}C:\program files\pfportchecker\pfportchecker.exe" = protocol=6 | dir=in | app=c:\program files\pfportchecker\pfportchecker.exe |
"TCP Query User{1D34C9CC-BBD1-4E7D-B5B8-FF8016D9A1BE}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{277A7086-DC57-4DA6-BBC7-557CD5E9FEA7}C:\programdata\ba5a7a7\wsba5a.exe" = protocol=6 | dir=in | app=c:\programdata\ba5a7a7\wsba5a.exe |
"TCP Query User{8CF7FF06-EB81-474A-BDF4-F17602D23761}C:\program files\sopcast\adv\sopadver.exe" = protocol=6 | dir=in | app=c:\program files\sopcast\adv\sopadver.exe |
"TCP Query User{99984047-28E7-4F9B-8C38-23AECE0F6E36}C:\program files\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"TCP Query User{B9AD7FD4-B119-4C9B-B32A-5CE2B1125139}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{C0AE222E-2F84-4014-85AD-8C3709EEEC4A}C:\program files\tvants\tvants.exe" = protocol=6 | dir=in | app=c:\program files\tvants\tvants.exe |
"TCP Query User{CDBF1838-C270-4339-9F4E-5D5D06D54E9E}C:\program files\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"TCP Query User{DE7C9BE6-5CBC-4B19-957A-E587DEAEA3E8}C:\program files\sopcast\sopcast.exe" = protocol=6 | dir=in | app=c:\program files\sopcast\sopcast.exe |
"UDP Query User{04BB4210-33FC-4392-9D82-3601D48AF902}C:\program files\sopcast\sopcast.exe" = protocol=17 | dir=in | app=c:\program files\sopcast\sopcast.exe |
"UDP Query User{062F86D5-8FE2-46CB-AB36-AF096B8DA2A3}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{1EC9C6D4-1A1B-40D9-B2B1-A724FA9E10A8}C:\program files\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"UDP Query User{2CB006A7-A1B0-49F9-B262-D7D39738019C}C:\program files\sopcast\adv\sopadver.exe" = protocol=17 | dir=in | app=c:\program files\sopcast\adv\sopadver.exe |
"UDP Query User{4119CDAA-9174-44BF-8DD9-28990487BDDB}C:\program files\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"UDP Query User{7FCB471F-8964-4BA2-B109-752C8DE18DA7}C:\program files\tvants\tvants.exe" = protocol=17 | dir=in | app=c:\program files\tvants\tvants.exe |
"UDP Query User{84631EC5-6AF8-4FEF-8378-F96BE0FE6EF9}C:\program files\pfportchecker\pfportchecker.exe" = protocol=17 | dir=in | app=c:\program files\pfportchecker\pfportchecker.exe |
"UDP Query User{84C3B61D-EF33-4F44-9810-C825743212A7}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{B948D717-4A4D-4028-BD83-4F97E69755DA}C:\programdata\ba5a7a7\wsba5a.exe" = protocol=17 | dir=in | app=c:\programdata\ba5a7a7\wsba5a.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03D1988F-469F-4843-8E6E-E5FE9D17889D}" = WIDCOMM Bluetooth Software 6.1.0.2200
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Central Data
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160" = Canon MP160
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Central Tools
"{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = WinDVD for VAIO
"{2CD2C0DB-81C3-416B-9FA6-589B9235359B}" = OpenOffice.org 2.4
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java™ 6 Update 4
"{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{4DCEA9C1-4D6E-41BF-A854-28CFA8B56DBF}" = Click to Disc Editor
"{5C5EE8F2-0B38-4C13-AE4E-A87A237FE718}" =
"{64E72FB1-2343-4977-B4A8-262CD53D0BD3}" = Corel Paint Shop Pro Photo X2
"{68A69CFF-130D-4CDE-AB0E-7374ECB144C8}" = Click to Disc
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Central Audio
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{802889F8-6AF5-45A5-9764-CA5B999E50FC}" = VAIO Power Management
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ED3A392-28F1-4375-97AC-BF275B5855F9}" = OpenMG Secure Module 5.0.00
"{9074AFC0-CFDA-11DE-B484-005056806466}" = Google Earth
"{96D0B6C6-5A72-4B47-8583-A87E55F5FE81}" =
"{98FC7A64-774B-49B5-B046-4B4EBC053FA9}" = VAIO MusicBox Sample Music
"{9973498D-EA29-4A68-BE0B-C88D6E03E928}" = ArcSoft WebCam Companion 2
"{9B5F85CA-90D4-4AFC-BB37-32477FD0D2B9}" = SmartWi Connection Utility
"{A2289997-10A3-48F2-AA03-99180D761661}" = Protector Suite QL 5.6
"{A33E457B-5369-481F-8B53-71108AE2EB5B}" = Roxio Easy Media Creator 10 LJ
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A7DA438C-2E43-4C20-BFDA-C1F4A6208558}" = Setting Utility Series
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Central Copy
"{BC4CA8FA-41D2-4B81-8680-E9B7573D6500}" = PLAYSTATION®Network Downloader
"{C7477742-DDB4-43E5-AC8D-0259E1E661B1}" = VAIO Event Service
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D06F5884-B439-440B-A58D-6C057C2FF8EB}" = Click to Disc
"{D90507A2-6183-497D-9075-951DC80362DA}" = VAIO Media plus
"{E6707034-D7A4-49B1-94D0-F5AACE46F06C}" = Instant Mode
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Central Core
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1D85517-6EAC-496A-965A-FA349036E74E}" = RehanFX Shader Transitions and Effects (ShaderTFX)
"{F570A6CC-53ED-4AA9-8B08-551CD3E38D8B}" =
"{FE51662F-D8F6-43B5-99D9-D4894AF00F83}" = Roxio Easy Media Creator Home
"7-Zip" = 7-Zip 4.57
"Acoustica Effects Pack" = Acoustica Effects Pack
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Akamai" = Akamai NetSession Interface
"AoA Audio Extractor_is1" = AoA Audio Extractor 1.0
"Audacity_is1" = Audacity 1.2.6
"AutoHotkey" = AutoHotkey 1.0.47.06
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2008-01-24
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
"Ext2Ifs_for_NT6" = Ext2 IFS 1.11 for Windows Vista
"ffdshow_is1" = ffdshow [rev 3097] [2009-10-08]
"Grand Fantasia" = Grand Fantasia
"HDMI" = Intel® Graphics Media Accelerator Driver
"InstallShield_{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = WinDVD for VAIO
"InstallShield_{4DCEA9C1-4D6E-41BF-A854-28CFA8B56DBF}" = Click to Disc Editor
"InstallShield_{8ED3A392-28F1-4375-97AC-BF275B5855F9}" = OpenMG Secure Module 5.0.00
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.3)" = Mozilla Firefox (3.5.3)
"Picasa 3" = Picasa 3
"Pidgin" = Pidgin
"PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
"Rmtablet" = USB Tablet Manager
"SopCast" = SopCast 3.0.3
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TVAnts 1.0" = TVAnts 1.0
"TVersity Media Server " = TVersity Media Server 1.0.0.3 RC2
"Veetle TV" = Veetle TV 0.9.15
"Winamp" = Winamp
"WinFF_is1" = WinFF 0.43
"WinGimp-2.0_is1" = Gimp 2.6.1

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player
"UnityWebPlayer" = Unity Web Player
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/3/2009 2:36:17 PM | Computer Name = Caterpillar | Source = Application Error | ID = 1000
Description = Faulting application consent.exe, version 6.0.6001.18000, time stamp
0x47918d7b, faulting module curslib.dll, version 6.0.88.4, time stamp 0x4b168454,
exception code 0xc0000005, fault offset 0x00006229, process id 0x1280, application
start time 0x01ca74477f8c8cba.

Error - 12/3/2009 2:41:20 PM | Computer Name = Caterpillar | Source = EventSystem | ID = 4609
Description =

Error - 12/3/2009 2:41:45 PM | Computer Name = Caterpillar | Source = Application Error | ID = 1000
Description = Faulting application SUPERAntiSpyware.exe, version 4.31.0.1000, time
stamp 0x4b0aba63, faulting module SUPERAntiSpyware.exe, version 4.31.0.1000, time
stamp 0x4b0aba63, exception code 0x80000003, fault offset 0x000a2c45, process id
0x538, application start time 0x01ca744842e8ee9b.

Error - 12/3/2009 2:42:14 PM | Computer Name = Caterpillar | Source = WinMgmt | ID = 10
Description =

Error - 12/3/2009 2:43:05 PM | Computer Name = Caterpillar | Source = Application Error | ID = 1000
Description = Faulting application SUPERAntiSpyware.exe, version 4.31.0.1000, time
stamp 0x4b0aba63, faulting module SUPERAntiSpyware.exe, version 4.31.0.1000, time
stamp 0x4b0aba63, exception code 0x80000003, fault offset 0x000a2c45, process id
0xc4, application start time 0x01ca7448735fbb3b.

Error - 12/3/2009 3:38:20 PM | Computer Name = Caterpillar | Source = Application Error | ID = 1000
Description = Faulting application Explorer.EXE, version 6.0.6002.18005, time stamp
0x49e01da5, faulting module curslib.dll, version 6.0.88.4, time stamp 0x4b168454,
exception code 0xc0000005, fault offset 0x00006229, process id 0x6e0, application
start time 0x01ca7450294860ab.

Error - 12/3/2009 3:38:20 PM | Computer Name = Caterpillar | Source = Application Error | ID = 1000
Description = Faulting application GoogleUpdate.exe, version 1.2.131.7, time stamp
0x48af14ef, faulting module GoogleUpdate.exe, version 1.2.131.7, time stamp 0x48af14ef,
exception code 0x80000003, fault offset 0x00006eef, process id 0x71c, application
start time 0x01ca745029994f6b.

Error - 12/3/2009 3:38:21 PM | Computer Name = Caterpillar | Source = Application Error | ID = 1000
Description = Faulting application GoogleUpdate.exe, version 1.2.131.7, time stamp
0x48af14ef, faulting module GoogleUpdate.exe, version 1.2.131.7, time stamp 0x48af14ef,
exception code 0x80000003, fault offset 0x00006eef, process id 0x874, application
start time 0x01ca74502b2473ab.

Error - 12/3/2009 3:38:33 PM | Computer Name = Caterpillar | Source = Windows Search Service | ID = 3038
Description =

Error - 12/3/2009 3:38:36 PM | Computer Name = Caterpillar | Source = Windows Search Service | ID = 3028
Description =

[ System Events ]
Error - 12/6/2009 1:51:27 PM | Computer Name = Caterpillar | Source = Service Control Manager | ID = 7000
Description =

Error - 12/6/2009 1:51:27 PM | Computer Name = Caterpillar | Source = Service Control Manager | ID = 7026
Description =

Error - 12/6/2009 1:52:24 PM | Computer Name = Caterpillar | Source = Service Control Manager | ID = 7001
Description =

Error - 12/6/2009 1:52:24 PM | Computer Name = Caterpillar | Source = Service Control Manager | ID = 7001
Description =

Error - 12/6/2009 1:57:47 PM | Computer Name = Caterpillar | Source = DCOM | ID = 10005
Description =

Error - 12/6/2009 1:58:09 PM | Computer Name = Caterpillar | Source = Service Control Manager | ID = 7000
Description =

Error - 12/6/2009 1:58:09 PM | Computer Name = Caterpillar | Source = Service Control Manager | ID = 7026
Description =

Error - 12/6/2009 1:58:09 PM | Computer Name = Caterpillar | Source = Service Control Manager | ID = 7001
Description =

Error - 12/6/2009 1:59:41 PM | Computer Name = Caterpillar | Source = Service Control Manager | ID = 7001
Description =

Error - 12/6/2009 1:59:41 PM | Computer Name = Caterpillar | Source = Service Control Manager | ID = 7001
Description =


< End of report >

Edited by chupata, 06 December 2009 - 12:25 PM.

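The OTL log above carries three sections a responder reads first: the per-profile firewall state (StandardProfile has EnableFirewall = 0), the exception rules (one inbound allow for c:\programdata\ba5a7a7\wsba5a.exe, a location no installer normally uses), and the Application Error events (consent.exe and Explorer.EXE both faulting inside curslib.dll 6.0.88.4). The script below is an added example, not part of chupata's post and not OTL's own code, that pulls those three findings out of the text mechanically. SAMPLE_LOG is a constructed excerpt of lines copied from the log above; EXPECTED_PREFIXES is an assumed allow-list of normal program locations, and a path it flags only means "check this file's hash and signature", not "this is malware".

```python
"""Triage helpers for the OTL log format posted above (added example).

Three checks over the sections shown in that log:
  1. FirewallPolicy profiles whose EnableFirewall value is 0
  2. inbound exception rules whose executable lives outside the usual
     program directories (a location heuristic, not a malware verdict)
  3. Application Error (ID 1000) events grouped by faulting module, so one
     third-party DLL crashing several unrelated processes stands out
SAMPLE_LOG is a constructed excerpt of the log above, not a live read.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{08F15A4C-D277-4C1F-A5B8-E757172D4127}" = protocol=17 | dir=in | app=c:\windows\system32\fastnetsrv.exe |
"{DE8F49F0-8A54-4ADE-AEED-91FC51519481}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"TCP Query User{277A7086-DC57-4DA6-BBC7-557CD5E9FEA7}C:\programdata\ba5a7a7\wsba5a.exe" = protocol=6 | dir=in | app=c:\programdata\ba5a7a7\wsba5a.exe |
"UDP Query User{B948D717-4A4D-4028-BD83-4F97E69755DA}C:\programdata\ba5a7a7\wsba5a.exe" = protocol=17 | dir=in | app=c:\programdata\ba5a7a7\wsba5a.exe |
[ Application Events ]
Error - 12/3/2009 2:36:17 PM | Computer Name = Caterpillar | Source = Application Error | ID = 1000
Description = Faulting application consent.exe, version 6.0.6001.18000, time stamp
0x47918d7b, faulting module curslib.dll, version 6.0.88.4, time stamp 0x4b168454,
exception code 0xc0000005, fault offset 0x00006229, process id 0x1280, application
start time 0x01ca74477f8c8cba.
Error - 12/3/2009 3:38:20 PM | Computer Name = Caterpillar | Source = Application Error | ID = 1000
Description = Faulting application Explorer.EXE, version 6.0.6002.18005, time stamp
0x49e01da5, faulting module curslib.dll, version 6.0.88.4, time stamp 0x4b168454,
exception code 0xc0000005, fault offset 0x00006229, process id 0x6e0, application
start time 0x01ca7450294860ab.
Error - 12/3/2009 3:38:20 PM | Computer Name = Caterpillar | Source = Application Error | ID = 1000
Description = Faulting application GoogleUpdate.exe, version 1.2.131.7, time stamp
0x48af14ef, faulting module GoogleUpdate.exe, version 1.2.131.7, time stamp 0x48af14ef,
exception code 0x80000003, fault offset 0x00006eef, process id 0x71c, application
start time 0x01ca745029994f6b.
"""

PROFILE_RE = re.compile(r"\\FirewallPolicy\\(\w+Profile)\]$")
KV_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
APP_RE = re.compile(r"app=([^|]+)\|")
FAULT_RE = re.compile(r"Faulting application (\S+?), version .*?faulting module (\S+?), version", re.S)

# Assumed allow-list of where installed executables normally live; "system" is
# the pseudo-app OTL prints for built-in kernel rules. A file under one of these
# prefixes still needs a signature check; this only surfaces odd locations.
EXPECTED_PREFIXES = ("c:\\program files", "%programfiles%", "c:\\windows", "%systemroot%", "system")


def disabled_firewall_profiles(log):
    """Names of FirewallPolicy profiles whose EnableFirewall value is not 1."""
    state, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a new registry key starts here
            m = PROFILE_RE.search(line)
            current = m.group(1) if m else None
            continue
        m = KV_RE.match(line)
        if current and m and m.group(1) == "EnableFirewall":
            state[current] = m.group(2).strip() == "1"
    return sorted(name for name, enabled in state.items() if not enabled)


def unusual_inbound_rules(log):
    """Inbound exception rules whose app path starts with none of EXPECTED_PREFIXES."""
    hits = set()
    for line in log.splitlines():
        m = APP_RE.search(line)
        if "dir=in" in line and m:
            app = m.group(1).strip().lower()
            if not app.startswith(EXPECTED_PREFIXES):
                hits.add(app)
    return sorted(hits)


def shared_crash_modules(log):
    """faulting module -> sorted distinct applications it crashed, keeping only
    modules seen in more than one application (a program faulting in itself is
    ordinary; one DLL taking down both the UAC prompt and the shell is not)."""
    by_module = defaultdict(set)
    for app, module in FAULT_RE.findall(log):
        by_module[module].add(app)
    return {mod: sorted(apps) for mod, apps in by_module.items() if len(apps) > 1}


if __name__ == "__main__":
    print("firewall off for:", disabled_firewall_profiles(SAMPLE_LOG))
    print("inbound rules outside program dirs:", unusual_inbound_rules(SAMPLE_LOG))
    print("modules crashing more than one app:", shared_crash_modules(SAMPLE_LOG))
```

Feed it the full log text instead of SAMPLE_LOG and the same three functions work unchanged; the regexes only rely on the key/value layout OTL prints. The third check is the one most often skipped by hand: Event ID 1000 entries are usually read one at a time, but grouping by faulting module is what makes a single unsigned DLL loaded into several system processes visible.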

#12
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
hi

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).



Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

#13
chupata
    Member
  • Topic Starter
  • Member
  • 20 posts
Goored log:


GooredFix by jpshortstuff (06.12.09.1)
Log created at 13:35 on 06/12/2009 (carlo)
Firefox version 3.5.3 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:02 25/07/2008]
{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} [04:51 30/07/2008]

C:\Users\carlo\Application Data\Mozilla\Firefox\Profiles\1fgxlujm.default\extensions\
[email protected] [17:51 10/10/2009]
{0AA9101C-D3C1-4129-A9B7-D778C6A17F82} [14:58 20/06/2009]
{1a0c9ebe-ddf9-4b76-b8a3-675c77874d37} [18:02 27/11/2009]
{20a82645-c095-46ed-80e3-08825760534b} [23:21 09/08/2009]
{6D898772-AD34-4c16-86BB-9DE787A5DEA0} [06:26 11/08/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [02:45 16/07/2009]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [17:21 15/08/2009]

-=E.O.F=-


GMER log: (it didn't give me any rootkit warning, so I just saved the report when it was done)

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-06 14:49:46
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\carlo\AppData\Local\Temp\pwdyrkow.sys


---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74D07817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74D5A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74D0BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74CFF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74D075E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74CFE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74D38395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74D0DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74CFFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74CFFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74CF71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74D8CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74D2C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74CFD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74CF6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74CF687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74D02AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\BTHUSB \Device\00000067 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000067 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000069 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000069 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 85945618

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bfb57dc0a
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e3da5cfe9
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001bfb57dc0a (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001e3da5cfe9 (not active ControlSet)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.@\v a\0s\0s\0_\0a\0u\0t\0o\0_\0f\0i\0l\0e
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.@\v m\0k\0v\0_\0a\0u\0t\0o\0_\0f\0i\0l\0e

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#14
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
hi

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to move:
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys | C:\Windows\System32\drivers\atapi.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply

#15
chupata
    Member
  • Topic Starter
  • Member
  • 20 posts
I got two error messages after reboot, from cmd.exe:

"There is no disk in the drive. Please insert a disk into drive \Device\Harddisk1\DR1"
I hit cancel on the dialog box
"There is no disk in the drive. Please insert a disk into drive \Device\Harddisk2\DR2"
Hit cancel again.

avenger.txt log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not move file "C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys"
File move operation "C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys|C:\Windows\System32\drivers\atapi.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.
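The GMER finding (atapi.sys "suspicious modification", and \Device\Harddisk0\DR0 under \Driver\atapi reported with a bare address rather than a module name) and the Avenger step that followed both turn on one question: does the atapi.sys in System32\drivers still match the copy Windows staged in DriverStore\FileRepository? The script below is an added example, not code from chupata, Rorschach112, GMER or The Avenger, that answers it by hashing the active driver and every DriverStore copy of the same name. It assumes only the two paths from the Avenger script; the demo builds a throwaway directory tree with constructed placeholder bytes so it runs offline, and a real check passes a real %SystemRoot% instead.

```python
r"""Compare the active atapi.sys with its DriverStore copies (added example).

The Avenger script above copies
System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys over
System32\drivers\atapi.sys. Hashing both first shows whether the file GMER
flagged really differs from the staged copy; hashing again afterwards confirms
the replacement took. demo() uses constructed placeholder bytes, not real
driver images, so it runs offline; compare_active_driver() takes any root.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file read in chunks (driver images are small, but be general)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def driverstore_copies(system_root, filename):
    r"""All copies of filename under System32\DriverStore\FileRepository.
    There can be several, one per staged INF package version."""
    repo = os.path.join(system_root, "System32", "DriverStore", "FileRepository")
    found = []
    for dirpath, _dirs, files in os.walk(repo):
        found.extend(os.path.join(dirpath, n) for n in files if n.lower() == filename.lower())
    return sorted(found)


def compare_active_driver(system_root, filename):
    """Return (active_hash, {store_path: hash}, store paths whose hash matches)."""
    active = os.path.join(system_root, "System32", "drivers", filename)
    active_hash = sha256_file(active)
    store = {p: sha256_file(p) for p in driverstore_copies(system_root, filename)}
    matches = sorted(p for p, h in store.items() if h == active_hash)
    return active_hash, store, matches


def build_demo_root(active_bytes, store_bytes):
    """Constructed tree mirroring the two paths in the Avenger script.
    File contents are placeholders, not real driver images."""
    root = tempfile.mkdtemp()
    drivers = os.path.join(root, "System32", "drivers")
    repo = os.path.join(root, "System32", "DriverStore", "FileRepository", "mshdc.inf_b12d8e84")
    os.makedirs(drivers)
    os.makedirs(repo)
    with open(os.path.join(drivers, "atapi.sys"), "wb") as f:
        f.write(active_bytes)
    with open(os.path.join(repo, "atapi.sys"), "wb") as f:
        f.write(store_bytes)
    return root


def demo(tampered):
    """Returns (number of store copies found, number that match the active file)."""
    clean = b"MZ" + b"\x00" * 62 + b"PE\x00\x00 placeholder clean driver image"
    active = (clean + b"\x90\x90 appended patch") if tampered else clean
    root = build_demo_root(active, clean)
    _active_hash, store, matches = compare_active_driver(root, "atapi.sys")
    return len(store), len(matches)


if __name__ == "__main__":
    print("tampered active file :", demo(tampered=True))    # (1, 0)
    print("untouched active file:", demo(tampered=False))   # (1, 1)
```

Two caveats when running this on the real machine. First, it only reads, so it does not need the write access the Avenger move was denied, and it gives you before/after evidence either way. Second, a hash taken from the running system is the weaker of the two results: a filter in the disk stack can hand user-mode reads the original image, so a "match" from the live system should be repeated from offline boot media before it is trusted, whereas a mismatch is hard evidence that the file on disk is not what the DriverStore holds.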





