OTL Extras logfile created on: 1/7/2012 11:34:54 AM - Run 1 OTL by OldTimer - Version 3.2.31.0 Folder = C:\downloads\malware\spyware\hijackthis Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 1023.29 Mb Total Physical Memory | 406.33 Mb Available Physical Memory | 39.71% Memory free 39.97 Gb Paging File | 39.52 Gb Available in Paging File | 98.89% Paging File free Paging file location(s): C:\pagefile.sys 40000 50000 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 552.11 Gb Total Space | 102.19 Gb Free Space | 18.51% Space Free | Partition Type: NTFS Drive D: | 93.36 Gb Total Space | 12.25 Gb Free Space | 13.12% Space Free | Partition Type: NTFS Drive E: | 379.40 Gb Total Space | 255.44 Gb Free Space | 67.33% Space Free | Partition Type: NTFS Computer Name: GECHHO2 | User Name: erich | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days [color=#E56717]========== Extra Registry (SafeList) ==========[/color] [color=#E56717]========== File Associations ==========[/color] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\] .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* [color=#E56717]========== Shell Spawning ==========[/color] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* exefile [open] -- "%1" %* piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) [color=#E56717]========== Security Center Settings ==========[/color] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 0 "AntiVirusOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] [color=#E56717]========== System Restore Settings ==========[/color] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore] "DisableSR" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr] "Start" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService] "Start" = 2 [color=#E56717]========== Firewall Settings ==========[/color] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List] "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002 [color=#E56717]========== Authorized Applications List ==========[/color] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation) "C:\Program Files\Steam\steamapps\longlive2012\team fortress 2\hl2.exe" = C:\Program Files\Steam\steamapps\longlive2012\team fortress 2\hl2.exe:*:Enabled:hl2 "C:\Program Files\Steam\steamapps\common\alpha protocol\APLauncher.exe" = C:\Program Files\Steam\steamapps\common\alpha protocol\APLauncher.exe:*:Enabled:Alpha Protocol -- (Obsidian Entertainment, Inc.) "C:\Program Files\Steam\steamapps\common\poker night at the inventory\CelebrityPoker.exe" = C:\Program Files\Steam\steamapps\common\poker night at the inventory\CelebrityPoker.exe:*:Enabled:Poker Night at the Inventory -- (Telltale Games) [color=#E56717]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam "{0D3F9802-689F-9B6D-8E44-B55971F0CCBB}" = FlipShare "{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX850_series" = Canon MX850 series "{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform "{2436F2A8-4B7E-4B6C-AE4E-604C84AA6A4F}" = Nero Core Components 10 "{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java(TM) 6 Update 26 "{3248F0A8-6813-11D6-A77B-00B0D0150000}" = J2SE Runtime Environment 5.0 "{33643918-7957-4839-92C7-EA96CB621A98}" = Nero Express 10 Help (CHM) "{34490F4E-48D0-492E-8249-B48BECF0537C}" = Nero DiscSpeed 10 "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{523B2B1B-D8DB-4B41-90FF-C4D799E2758A}" = Nero ControlCenter 10 Help (CHM) "{555868C6-49FB-484F-BB43-8980651A1B00}" = Nero BurnRights 10 Help (CHM) "{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}" = Nero Update "{66049135-9659-4AAD-9169-9CCA269EBB3E}" = Nero InfoTool 10 Help (CHM) "{6DFB899F-17A2-48F0-A533-ED8D6866CF38}" = Nero Control Center 10 "{70550193-1C22-445C-8FA4-564E155DB1A7}" = Nero Express 10 "{7D0A13FA-56BC-4755-8BAF-45A69BA6A5C8}" = Nero Multimedia Suite 10 Essentials "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12 "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007 "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007 "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007 "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007 "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007 "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007 "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007 "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007 "{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007 "{943CFD7D-5336-47AF-9418-E02473A5A517}" = Nero BurnRights 10 "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{AC76BA86-7AD7-1033-7B44-A80000000002}" = Adobe Reader 8 "{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 "{C18A0418-442A-4186-AF98-D08F5054A2FC}" = Nero DiscSpeed 10 Help (CHM) "{C3273C55-E1E4-41FF-8D69-0158090DB8D8}" = Nero CoverDesigner 10 Help (CHM) "{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX "{C7340571-7773-4A8C-9EBC-4E4243B38C76}" = Microsoft XML Parser "{CCF6F57B-F6B4-4508-BF45-63AAC9DE416A}" = Quicken 2010 "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}" = Presto! PageManager 7.15.20 "{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime "{F412B4AF-388C-4FF5-9B2F-33DB1C536953}" = Nero InfoTool 10 "{F467862A-D9CA-47ED-8D81-B4B3C9399272}" = Nero MediaHub 10 Help (CHM) "{F5CB822F-B365-43D1-BCC0-4FDA1A2017A7}" = Nero 10 Movie ThemePack Basic "{F6117F9C-ADB5-4590-9BE4-12C7BEC28702}" = Nero StartSmart 10 Help (CHM) "{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio "{FCF00A6E-FB58-477A-ABE9-232907105521}" = Nero CoverDesigner 10 "3ivx MPEG-4 5.0.3" = 3ivx MPEG-4 5.0.3 (remove only) "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "avast" = avast! Internet Security "Avidemux 2.5" = Avidemux 2.5 "CanonSolutionMenu" = Canon Utilities Solution Menu "Daniusoft MOD Converter_is1" = Daniusoft MOD Converter(Build 2.1.0.33) "EASEUS Data Recovery Wizard 5.5.1_is1" = EASEUS Data Recovery Wizard 5.5.1 "Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX "E-Hammer1.0.0" = E-Hammer "Free RAR Extract Frog" = Free RAR Extract Frog "Free Studio_is1" = Free Studio version 5.2.1 "HijackThis" = HijackThis 1.99.1 "HOMESTUDENTR" = Microsoft Office Home and Student 2007 "ie8" = Windows Internet Explorer 8 "InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager "MAGIX Movie Edit Pro 11 US" = MAGIX Movie Edit Pro 11 (US) "MAGIX Music Manager US" = MAGIX Music Manager (US) "MAGIX Photo Manager US" = MAGIX Photo Manager (US) "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800 "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "MP Navigator EX 1.1" = Canon MP Navigator EX 1.1 "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP "NVIDIA Drivers" = NVIDIA Drivers "Steam App 31280" = Poker Night at the Inventory "Steam App 34010" = Alpha Protocol "Steam App 440" = Team Fortress 2 "SystemRequirementsLab" = System Requirements Lab "VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter "Windows Media Format Runtime" = Windows Media Format 11 runtime "Windows Media Player" = Windows Media Player 11 "Windows XP Service Pack" = Windows XP Service Pack 3 "WMFDist11" = Windows Media Format 11 runtime "wmp11" = Windows Media Player 11 "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0 [color=#E56717]========== Last 10 Event Log Errors ==========[/color] [ Application Events ] Error - 7/16/2011 4:09:48 PM | Computer Name = GECHHO2 | Source = Application Hang | ID = 1002 Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Error - 7/16/2011 4:09:48 PM | Computer Name = GECHHO2 | Source = Application Hang | ID = 1002 Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Error - 7/16/2011 5:35:05 PM | Computer Name = GECHHO2 | Source = Application Hang | ID = 1002 Description = Hanging application moviemk.exe, version 2.1.4028.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Error - 7/16/2011 5:35:10 PM | Computer Name = GECHHO2 | Source = Application Hang | ID = 1001 Description = Fault bucket 00000009. Error - 8/6/2011 1:54:30 PM | Computer Name = GECHHO2 | Source = Application Hang | ID = 1002 Description = Hanging application moviemk.exe, version 2.1.4028.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Error - 8/6/2011 1:54:31 PM | Computer Name = GECHHO2 | Source = Application Hang | ID = 1002 Description = Hanging application moviemk.exe, version 2.1.4028.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Error - 8/6/2011 1:54:37 PM | Computer Name = GECHHO2 | Source = Application Hang | ID = 1001 Description = Fault bucket 1989228820. Error - 8/6/2011 1:54:38 PM | Computer Name = GECHHO2 | Source = Application Hang | ID = 1001 Description = Fault bucket 1989228820. Error - 8/6/2011 5:53:15 PM | Computer Name = GECHHO2 | Source = Application Hang | ID = 1002 Description = Hanging application moviemk.exe, version 2.1.4028.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Error - 8/7/2011 5:41:05 PM | Computer Name = GECHHO2 | Source = Application Hang | ID = 1002 Description = Hanging application CelebrityPoker.exe, version 2010.12.3.50720, hang module hungapp, version 0.0.0.0, hang address 0x00000000. [ System Events ] Error - 1/7/2012 12:40:42 AM | Computer Name = GECHHO2 | Source = DCOM | ID = 10005 Description = DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} Error - 1/7/2012 12:41:07 AM | Computer Name = GECHHO2 | Source = Service Control Manager | ID = 7001 Description = The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: %%31 Error - 1/7/2012 12:41:07 AM | Computer Name = GECHHO2 | Source = Service Control Manager | ID = 7001 Description = The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: %%31 Error - 1/7/2012 12:41:07 AM | Computer Name = GECHHO2 | Source = Service Control Manager | ID = 7001 Description = The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: %%31 Error - 1/7/2012 12:41:07 AM | Computer Name = GECHHO2 | Source = Service Control Manager | ID = 7001 Description = The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: %%31 Error - 1/7/2012 12:41:07 AM | Computer Name = GECHHO2 | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswFW aswRdr aswSnx aswSP aswTdi Fips i8042prt intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip Error - 1/7/2012 12:41:21 AM | Computer Name = GECHHO2 | Source = DCOM | ID = 10005 Description = DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} Error - 1/7/2012 12:44:45 AM | Computer Name = GECHHO2 | Source = Dhcp | ID = 1002 Description = The IP address lease 192.168.20.15 for the Network Card with network address 00192126F346 has been denied by the DHCP server 192.168.20.1 (The DHCP Server sent a DHCPNACK message). Error - 1/7/2012 1:09:35 AM | Computer Name = GECHHO2 | Source = Print | ID = 19 Description = Sharing printer failed + 1722, Printer Send To OneNote 2007 share name Printer. Error - 1/7/2012 2:42:07 PM | Computer Name = GECHHO2 | Source = Service Control Manager | ID = 7034 Description = The MBAMService service terminated unexpectedly. It has done this 1 time(s). < End of report >