Indonesian Virus?

#1 LCgirl (New Member, 5 posts)

Hi,

I think my laptop have been infected by the "Indonesian virus". I get this message at startup:

Windows Update (6300-NGSRP-TMR521A-SMG-542PH-3180) . Check system setting or upgrade system.Maybe your system not full patch .System still safe. www.microsoft.com PATCH CODE : AS3-CTRKEA-SR.

And the View Tab in the Folder Options have been changed to Indonesian language. There used to be a random pop-up saying "Indonesian smile", but that has gone now after I've run an antivirus program.

My laptop seems to be working fine though, except for the annoying message at startup. I've tried several anti-virus programs, but still can't get rid of it. I've also tried searching for the solution, but the one I found was for XP, and I'm running Vista SP2.

Thanks in advance for your help.


#2 RKinner (Malware Expert, MVP, 23,166 posts)

We really need you to first do the prep work described in
http://www.geekstogo...uide-t2852.html

Your virus infects several key registry entries and we need to make sure these have been fixed before we go much further. The prep work also protects your system in case something goes wrong during the fix.

The message you are seeing is just the pre-logon legal notice which is set in the registry and easily removed.

Ron

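As an added illustration of Ron's point about the pre-logon legal notice (this is example code, not from the thread or the prep guide): the banner shown before logon comes from the LegalNoticeCaption and LegalNoticeText values. On Vista the authoritative copy lives under Policies\System, with the older Winlogon key as the legacy location. The script below prints whatever is set in either key, clears both values when run with -Clear, and then dumps the policy values that the OTL log lists (EnableLUA, NoDriveTypeAutorun and the HKCU Explorer policies) so they can be compared against what the machine should look like. The key paths and value names are standard Windows locations; the script itself and its -Clear switch are assumptions of this example. Run it from an elevated PowerShell prompt, after taking the registry backup the prep guide asks for.

```powershell
# Added example, not part of the original thread. Assumes the startup banner is
# stored in LegalNoticeCaption / LegalNoticeText (Policies\System on Vista,
# Winlogon as the legacy key). Back up the registry before using -Clear.
param([switch]$Clear)

$noticeKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$noticeValues = 'LegalNoticeCaption', 'LegalNoticeText'

# 1. Report (and optionally blank) the pre-logon legal notice.
foreach ($key in $noticeKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $noticeValues) {
        $val = $props.$name
        if ([string]::IsNullOrEmpty($val)) { continue }
        Write-Host ("{0}\{1} = {2}" -f $key, $name, $val)
        if ($Clear) {
            # An empty string is the stock value; Windows shows no notice for it.
            Set-ItemProperty -Path $key -Name $name -Value ''
            Write-Host "    cleared"
        }
    }
}

# 2. Dump the policy values the OTL log reports so they can be reviewed.
#    EnableLUA = 0 means UAC is switched off (the Vista default is 1).
$policyChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = 'EnableLUA' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = 'NoDrives', 'NoCDBurning' },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = 'NoDriveTypeAutorun', 'NoCDBurning', 'NoStartMenuMyGames',
               'NoDesktopCleanupWizard', 'NoDrives', 'NoFolderOptions' }
)

foreach ($check in $policyChecks) {
    if (-not (Test-Path $check.Key)) { continue }
    $props = Get-ItemProperty -Path $check.Key
    foreach ($name in $check.Names) {
        $val = $props.$name
        if ($null -eq $val) { continue }
        Write-Host ("{0}\{1} = {2}" -f $check.Key, $name, $val)
    }
}
```

Run it once without -Clear to see what is set, confirm the caption matches the "Windows Update (...)" text from the first post, then run it again with -Clear. The policy dump is for review only: values like NoCDBurning or NoDriveTypeAutorun may have been set deliberately, so change them by hand rather than having a script reset them.
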
#3 LCgirl (Topic Starter)

I've done all the prep work, except that when I was running RootRepeal I only got to step 5. After the scan I got a report, but I didn't get the next dialog to select 'all drives'. Could you explain how to do step 7?

I've also done MBAM and OTL, should I post the logs?

#4 RKinner (Malware Expert, MVP)

Just post the two logs. I don't think this infection uses a rootkit.

#5 LCgirl (Topic Starter)

MBAM Log:
Malwarebytes' Anti-Malware 1.42
Database version: 3303
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18828

6/12/2009 9:47:49 AM
mbam-log-2009-12-06 (09-47-49).txt

Scan type: Quick Scan
Objects scanned: 96507
Time elapsed: 5 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTL Log:
OTL logfile created on: 6/12/2009 10:09:33 AM - Run 1
OTL by OldTimer - Version 3.1.11.7 Folder = C:\Users\IMSB\Downloads
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18828)
Locale: 00004809 | Country: Singapore | Language: ENE | Date Format: d/M/yyyy

1014.66 Mb Total Physical Memory | 381.57 Mb Available Physical Memory | 37.61% Memory free
2.23 Gb Paging File | 1.43 Gb Available in Paging File | 64.13% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 140.57 Gb Total Space | 47.69 Gb Free Space | 33.92% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 1.55 Gb Total Space | 1.32 Gb Free Space | 84.85% Space Free | Partition Type: NTFS
Drive F: | 6.92 Gb Total Space | 0.76 Gb Free Space | 11.00% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MEDIUNBB093
Current User Name: IMSB
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/06 01:32:54 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Users\IMSB\Downloads\OTL.exe
PRC - [2009/10/31 11:37:56 | 00,136,176 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
PRC - [2009/09/13 18:52:50 | 01,048,392 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2009/07/02 17:36:52 | 00,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2009/05/27 03:27:04 | 29,262,680 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/04/11 14:28:08 | 00,037,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\unsecapp.exe
PRC - [2009/04/11 14:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/11/24 22:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 22:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/04/15 13:40:10 | 00,094,208 | ---- | M] (Hewlett-Packard) -- c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
PRC - [2008/03/28 02:06:00 | 00,095,528 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
PRC - [2008/03/28 02:05:00 | 01,045,800 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2008/01/19 15:33:39 | 00,202,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
PRC - [2007/07/10 06:28:08 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\XAudio.exe
PRC - [2007/01/04 19:48:52 | 00,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2006/05/03 07:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe


========== Modules (SafeList) ==========

MOD - [2009/12/06 01:32:54 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Users\IMSB\Downloads\OTL.exe
MOD - [2009/04/11 14:21:38 | 01,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (TipCtrl)
SRV - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/09/25 09:27:04 | 00,793,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/08/05 22:48:42 | 00,704,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/07/02 17:36:52 | 00,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/05/29 13:41:26 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/05/27 03:27:04 | 29,262,680 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ) SQL Server (MSSMLBIZ)
SRV - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/03/30 16:28:36 | 01,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/24 22:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 22:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 22:31:08 | 00,045,408 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/09/20 15:24:38 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c91af1f7191b20) Google Update Service (gupdate1c91af1f7191b20)
SRV - [2008/04/15 13:40:10 | 00,094,208 | ---- | M] (Hewlett-Packard) -- c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe -- (HP Health Check Service)
SRV - [2008/01/19 15:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/07/10 06:28:08 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\XAudio.exe -- (XAudioService)
SRV - [2007/03/06 02:30:06 | 00,110,592 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe -- (Com4Qlb)
SRV - [2007/01/04 19:48:52 | 00,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/11/02 03:17:32 | 00,073,728 | R--- | M] (MicroVision Development, Inc.) -- c:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/05/03 07:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe -- (hpqwmiex)
SRV - [2004/10/22 19:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...b&pf=laptop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...b&pf=laptop

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...b&pf=laptop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.sg/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.openintab: true
FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1
FF - prefs.js..extensions.enabledItems: {000a9d1c-beef-4f90-9363-039d445309b8}:0.5.33.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.1.3
FF - prefs.js..extensions.enabledItems: {00352F14-3F76-4e4d-ACFF-9976D7E4B3B9}:0.6.8
FF - prefs.js..extensions.enabledItems: {069FB356-C69F-7349-D092-AB28AF836D0E}:0.9.028

FF - HKLM\software\mozilla\Firefox\Extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\Program Files\Google\Google Gears\Firefox\ [2009/11/04 11:45:02 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/07 09:14:28 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/16 10:25:20 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/12/01 20:25:25 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2008/07/15 13:24:55 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\mozilla\Extensions
[2008/07/15 13:24:55 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\mozilla\Firefox\Profiles\64v1xzmd.default\extensions
[2009/12/05 13:22:43 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\mozilla\Firefox\Profiles\qr67kj5q.default\extensions
[2009/09/25 11:52:32 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\mozilla\Firefox\Profiles\qr67kj5q.default\extensions\{00352F14-3F76-4e4d-ACFF-9976D7E4B3B9}
[2009/08/12 23:51:25 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\mozilla\Firefox\Profiles\qr67kj5q.default\extensions\{069FB356-C69F-7349-D092-AB28AF836D0E}
[2009/08/13 23:58:59 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\mozilla\Firefox\Profiles\qr67kj5q.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/08/01 23:54:03 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\mozilla\Firefox\Profiles\qr67kj5q.default\extensions\[email protected]
[2009/09/25 11:52:33 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\mozilla\Firefox\Profiles\qr67kj5q.default\extensions\{00352F14-3F76-4e4d-ACFF-9976D7E4B3B9}\chrome\mozapps\extensions
[2009/12/05 13:22:43 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/16 10:25:20 | 00,024,576 | ---- | M] (RealNetworks) -- C:\Program Files\Mozilla Firefox\plugins\npgcplug.dll
[2007/02/13 03:30:16 | 00,164,352 | ---- | M] (Indiepath Ltd) -- C:\Program Files\Mozilla Firefox\plugins\npigl.dll
[2005/04/28 04:10:49 | 00,102,400 | ---- | M] (RealNetworks) -- C:\Program Files\Mozilla Firefox\plugins\npracplug.dll
[2009/07/31 18:44:15 | 00,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2008/07/22 11:24:33 | 00,002,151 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
[2009/07/31 18:44:15 | 00,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/07/31 18:44:15 | 00,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/07/31 18:44:15 | 00,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (318435 bytes) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10922 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Gears Helper) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll (Google Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\AdvancedOptions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutorun = 229
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMyGames = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll (Google Inc.)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/10/07 20:58:12 | 00,000,000 | ---D | M]
NetSvcs: Irmon - C:\Windows\System32\irmon.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 14 Days ==========

[2009/12/06 09:40:10 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/06 09:40:07 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/12/06 09:40:06 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/06 09:37:43 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/12/02 14:07:51 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/12/02 12:00:56 | 00,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2009/12/02 11:59:25 | 00,000,000 | ---D | C] -- C:\Users\IMSB\Documents\Simply Super Software
[2009/12/02 11:58:46 | 00,000,000 | ---D | C] -- C:\Program Files\Trojan Remover
[2009/12/02 11:58:46 | 00,000,000 | ---D | C] -- C:\Users\IMSB\AppData\Roaming\Simply Super Software
[2009/12/02 11:58:46 | 00,000,000 | ---D | C] -- C:\ProgramData\Simply Super Software
[2009/12/01 20:25:23 | 00,000,000 | ---D | C] -- C:\Users\IMSB\AppData\Roaming\Thunderbird
[2009/12/01 20:25:23 | 00,000,000 | ---D | C] -- C:\Users\IMSB\AppData\Local\Thunderbird
[2009/12/01 20:25:17 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Thunderbird
[2009/11/30 11:41:42 | 00,000,000 | ---D | C] -- C:\Program Files\AveIconifier2
[2008/07/16 12:13:23 | 00,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll

========== Files - Modified Within 14 Days ==========

[2009/12/06 10:10:13 | 07,864,320 | -HS- | M] () -- C:\Users\IMSB\ntuser.dat
[2009/12/06 10:10:01 | 00,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-338721479-4205688528-2889561002-1006UA.job
[2009/12/06 09:53:13 | 00,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/12/06 09:53:13 | 00,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/12/06 09:51:30 | 00,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2009/12/06 09:51:11 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/12/06 09:51:03 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/12/06 09:48:23 | 00,065,536 | -HS- | M] () -- C:\Users\IMSB\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TM.blf
[2009/12/06 09:48:22 | 00,524,288 | -HS- | M] () -- C:\Users\IMSB\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000001.regtrans-ms
[2009/12/06 09:48:16 | 01,890,801 | -H-- | M] () -- C:\Users\IMSB\AppData\Local\IconCache.db
[2009/12/06 09:43:11 | 00,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2009/12/06 09:40:15 | 00,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/06 09:37:45 | 00,000,733 | ---- | M] () -- C:\Users\IMSB\Desktop\NTREGOPT.lnk
[2009/12/06 09:37:45 | 00,000,714 | ---- | M] () -- C:\Users\IMSB\Desktop\ERUNT.lnk
[2009/12/06 02:01:45 | 00,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{90952BBD-582B-4162-927B-A75D9EA6EE3E}.job
[2009/12/05 19:10:00 | 00,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-338721479-4205688528-2889561002-1006Core.job
[2009/12/05 11:09:09 | 00,126,976 | ---- | M] () -- C:\Users\IMSB\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/12/02 14:07:56 | 00,001,874 | ---- | M] () -- C:\Users\IMSB\Desktop\HijackThis.lnk
[2009/12/02 11:59:20 | 00,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Trojan Remover.lnk
[2009/12/01 20:25:28 | 00,000,000 | ---- | M] () -- C:\Windows\nsreg.dat
[2009/12/01 20:25:21 | 00,001,790 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Thunderbird.lnk
[2009/11/30 20:09:36 | 00,001,021 | ---- | M] () -- C:\Users\IMSB\Desktop\Bookworm Adventures FF.lnk
[2009/11/30 12:19:59 | 00,000,832 | ---- | M] () -- C:\Users\IMSB\Desktop\AveIcon.exe - Shortcut.lnk
[2009/11/27 20:43:47 | 00,000,714 | ---- | M] () -- C:\Users\Public\Desktop\Opera.lnk
[2009/11/27 20:07:38 | 00,000,986 | ---- | M] () -- C:\Users\IMSB\Desktop\Bookworm Adventures MK.lnk
[2009/11/25 21:29:14 | 00,795,370 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/11/25 21:29:14 | 00,665,482 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/11/25 21:29:14 | 00,125,656 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/11/22 14:01:12 | 00,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat

========== Files Created - No Company Name ==========

[2009/12/06 09:40:15 | 00,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/06 09:37:45 | 00,000,733 | ---- | C] () -- C:\Users\IMSB\Desktop\NTREGOPT.lnk
[2009/12/06 09:37:45 | 00,000,714 | ---- | C] () -- C:\Users\IMSB\Desktop\ERUNT.lnk
[2009/12/02 14:07:56 | 00,001,874 | ---- | C] () -- C:\Users\IMSB\Desktop\HijackThis.lnk
[2009/12/02 11:59:20 | 00,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Trojan Remover.lnk
[2009/12/02 11:59:02 | 00,162,304 | ---- | C] () -- C:\Windows\System32\ztvunrar36.dll
[2009/12/02 11:59:02 | 00,153,088 | ---- | C] () -- C:\Windows\System32\UNRAR3.dll
[2009/12/02 11:59:02 | 00,077,312 | ---- | C] () -- C:\Windows\System32\ztvunace26.dll
[2009/12/02 11:59:02 | 00,075,264 | ---- | C] () -- C:\Windows\System32\unacev2.dll
[2009/12/01 20:25:28 | 00,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2009/12/01 20:25:21 | 00,001,790 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Thunderbird.lnk
[2009/11/30 20:09:36 | 00,001,021 | ---- | C] () -- C:\Users\IMSB\Desktop\Bookworm Adventures FF.lnk
[2009/11/30 12:19:59 | 00,000,832 | ---- | C] () -- C:\Users\IMSB\Desktop\AveIcon.exe - Shortcut.lnk
[2009/11/27 20:07:38 | 00,000,986 | ---- | C] () -- C:\Users\IMSB\Desktop\Bookworm Adventures MK.lnk
[2009/11/09 19:57:34 | 00,001,052 | ---- | C] () -- C:\Users\IMSB\AppData\Roaming\DVDSubEdit.ini
[2009/09/24 13:24:46 | 00,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
[2009/09/24 13:24:45 | 00,881,664 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/09/24 13:24:45 | 00,205,824 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/09/24 13:24:44 | 00,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/09/24 13:24:44 | 00,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest
[2009/09/24 10:56:32 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/29 14:09:25 | 00,087,552 | ---- | C] () -- C:\Windows\System32\cpwmon2k.dll
[2009/03/27 20:53:07 | 00,000,000 | ---- | C] () -- C:\Users\IMSB\AppData\Local\prvlcl.dat
[2009/03/27 18:36:24 | 00,000,032 | R--- | C] () -- C:\ProgramData\hash.dat
[2008/12/01 18:59:39 | 00,001,356 | ---- | C] () -- C:\Users\IMSB\AppData\Local\d3d9caps.dat
[2008/12/01 11:29:28 | 00,012,800 | ---- | C] () -- C:\Windows\System32\DeskHack.dll
[2008/09/17 18:01:59 | 00,000,000 | ---- | C] () -- C:\Windows\Nancy Drew.INI
[2008/09/16 23:20:15 | 00,000,000 | ---- | C] () -- C:\Windows\Game.INI
[2008/08/22 20:24:52 | 00,000,000 | ---- | C] () -- C:\Windows\WB.ini
[2008/08/22 20:22:25 | 00,058,792 | ---- | C] () -- C:\Windows\System32\wbload.dll
[2008/08/11 15:49:06 | 00,000,412 | ---- | C] () -- C:\Windows\MAXLINK.INI
[2008/07/20 22:18:16 | 00,000,025 | ---- | C] () -- C:\Windows\cdplayer.ini
[2008/07/16 12:24:29 | 00,000,244 | ---- | C] () -- C:\Users\IMSB\AppData\Local\DownloadLog.txt
[2008/07/13 21:14:37 | 00,126,976 | ---- | C] () -- C:\Users\IMSB\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/07/09 15:28:10 | 00,000,000 | ---- | C] () -- C:\Users\IMSB\AppData\Local\QSwitch.txt
[2008/07/09 15:28:10 | 00,000,000 | ---- | C] () -- C:\Users\IMSB\AppData\Local\DSwitch.txt
[2008/07/09 15:28:10 | 00,000,000 | ---- | C] () -- C:\Users\IMSB\AppData\Local\AtStart.txt
[2008/07/09 15:22:58 | 00,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2008/07/09 15:22:58 | 00,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2008/07/09 15:22:58 | 00,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2008/07/09 15:22:58 | 00,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2008/07/09 15:22:58 | 00,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2008/07/09 15:22:58 | 00,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2008/05/05 00:08:55 | 00,020,480 | ---- | C] () -- C:\Windows\System32\CPUINFO2.DLL
[2007/11/05 12:38:02 | 00,017,408 | ---- | C] () -- C:\Windows\System32\rpcnetp.dll
[2007/08/24 20:46:48 | 00,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1322.dll
[2007/08/24 20:28:04 | 00,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/29 04:11:30 | 00,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/11/02 18:25:44 | 00,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 15:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/09/25 15:02:34 | 00,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/25 15:02:34 | 00,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/03/09 18:58:00 | 01,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2002/10/16 06:54:04 | 00,153,088 | ---- | C] () -- C:\Windows\System32\unrar.dll

========== LOP Check ==========

[2008/11/24 12:48:26 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\.purple
[2009/06/23 09:14:13 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\avidemux
[2009/10/16 17:05:04 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\BitDefender
[2009/01/07 11:08:13 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\Canon
[2008/10/03 18:31:18 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\Dexpot
[2009/11/16 17:39:34 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\Flood Light Games
[2009/06/18 20:04:02 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\GamesCafe
[2009/06/19 14:16:45 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\GrabPro
[2009/06/25 01:42:15 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\gtk-2.0
[2008/07/09 15:24:01 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\Hewlett Packard
[2008/10/14 11:27:04 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\MessengerGadget
[2008/07/31 15:36:38 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\MysteryStudio
[2008/07/21 14:28:55 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\Opera
[2009/06/19 15:11:20 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\Orbit
[2009/04/20 20:57:46 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\PlayFirst
[2009/06/26 20:14:15 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\Quirky Games
[2008/09/16 22:13:56 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\Righteous Kill
[2008/08/06 19:44:05 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\SampleView
[2008/08/11 15:48:42 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\ScanSoft
[2009/12/02 11:58:46 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\Simply Super Software
[2009/12/01 20:25:26 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\Thunderbird
[2009/12/06 02:55:14 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\uTorrent
[2008/09/25 19:28:25 | 00,000,000 | ---D | M] -- C:\Users\IMSB\AppData\Roaming\WinBatch
[2009/12/06 09:48:37 | 00,032,570 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2009/12/06 02:01:45 | 00,000,416 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{90952BBD-582B-4162-927B-A75D9EA6EE3E}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/19 15:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008/01/19 15:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/19 15:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/19 15:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2007/11/05 13:07:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=313FF294978EA6AF715722D708FB249F -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.20494_none_b858f78adaed51b3\AGP440.sys
[2007/11/05 13:07:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=CE71AFD6738AA025D742CDBCFBDC8B9C -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f2490cb0\AGP440.sys
[2007/11/05 13:07:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=CE71AFD6738AA025D742CDBCFBDC8B9C -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.16399_none_b7d45c31c1cb309c\AGP440.sys
[2006/11/02 17:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\ERDNT\cache\AGP440.sys
[2006/11/02 17:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\AGP440.sys
[2006/11/02 17:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/04/11 14:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\ERDNT\cache\atapi.sys
[2009/04/11 14:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/11 14:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/11 14:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/19 15:41:30 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/19 15:41:30 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 17:49:36 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2008/07/13 22:29:38 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[2008/07/13 22:29:38 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2008/07/13 22:29:37 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 17:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\ERDNT\cache\cngaudit.dll
[2006/11/02 17:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 17:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2008/01/19 15:42:51 | 00,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/19 15:42:51 | 00,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 17:51:25 | 00,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys
[2006/11/02 17:51:25 | 00,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2006/11/02 17:46:11 | 00,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll
[2009/04/11 14:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\ERDNT\cache\netlogon.dll
[2009/04/11 14:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2009/04/11 14:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/19 15:35:36 | 00,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 17:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
[2006/11/02 17:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/19 15:42:09 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/19 15:42:09 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/19 15:36:19 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2006/11/02 17:46:12 | 00,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll
[2009/04/11 14:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\ERDNT\cache\scecli.dll
[2009/04/11 14:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2009/04/11 14:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\ProgramData\TEMP:CB0AACC9
< End of report >

Extras:

OTL Extras logfile created on: 6/12/2009 10:09:33 AM - Run 1
OTL by OldTimer - Version 3.1.11.7 Folder = C:\Users\IMSB\Downloads
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18828)
Locale: 00004809 | Country: Singapore | Language: ENE | Date Format: d/M/yyyy

1014.66 Mb Total Physical Memory | 381.57 Mb Available Physical Memory | 37.61% Memory free
2.23 Gb Paging File | 1.43 Gb Available in Paging File | 64.13% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 140.57 Gb Total Space | 47.69 Gb Free Space | 33.92% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 1.55 Gb Total Space | 1.32 Gb Free Space | 84.85% Space Free | Partition Type: NTFS
Drive F: | 6.92 Gb Total Space | 0.76 Gb Free Space | 11.00% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MEDIUNBB093
Current User Name: IMSB
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SystemRoot%\hh.exe" %1
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- Reg Error: Key error. File not found
.cmd [@ = cmdfile] -- Reg Error: Key error. File not found
.com [@ = ComFile] -- Reg Error: Key error. File not found
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.pif [@ = piffile] -- Reg Error: Key error. File not found
.vbs [@ = VBSFile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SystemRoot%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-338721479-4205688528-2889561002-1006]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{734F20BA-DAFF-4B60-8080-E9B569B5B60B}" = lport=2869 | protocol=6 | dir=in | app=system |
"{969650F5-EAE0-4C01-9F19-A7E8D18D619C}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00E78292-3AE8-41E5-B7DB-6AE9ECE79FFA}" = protocol=17 | dir=in | app=c:\program files\google\google talk\googletalk.exe |
"{1C9C0C80-D658-476C-A95A-2EEFA0783F4D}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{2048E8CC-A5EB-4847-BF36-2DF3D1F9D744}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{38E38F5A-FE2F-4894-8B54-2AF68145CE47}" = protocol=6 | dir=in | app=c:\program files\google\google talk\googletalk.exe |
"{3C0D5714-69E3-45DB-9C54-9DE58D0366A5}" = protocol=6 | dir=in | app=c:\program files\ivt corporation\bluesoleil\bluesoleilcs.exe |
"{616A44F3-C8FC-4485-A0D2-CB08FD76DE18}" = protocol=6 | dir=in | app=c:\program files\opera\opera.exe |
"{67272651-1BC9-40D6-AEF3-12FD02F742DC}" = protocol=17 | dir=in | app=c:\program files\ivt corporation\bluesoleil\bluesoleilcs.exe |
"{806634F7-CA88-4CD0-BCF3-8AD6ECFA940A}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{B5443DF8-9051-470E-9553-4B0E27A6B3C8}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{BAAE2393-70B5-480F-95D2-54871E3DB269}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{C096EEDC-A90D-41B4-BFA9-0ACFC742F98D}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{C66F4E14-6EE1-4DC4-8AC7-4043A912EF63}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{D9F73079-B322-4EF9-AD59-5682C59DB70F}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{DA5D5668-C903-4C4C-ABEA-7DEB01013694}" = protocol=17 | dir=in | app=c:\program files\opera\opera.exe |
"{F53D88EF-2C58-4B41-8119-60EDA38AF472}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{F73FA17D-6879-4A31-926A-98FD3BE4612F}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{FFE89823-EBC7-48FE-AC42-5F6F302E61E2}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"TCP Query User{051EFFA3-2804-4C5B-A859-09702CE36D9D}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"TCP Query User{1C84D037-06D2-4064-8346-2EFE47EFBB3A}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{29C99629-A05D-4D3A-9473-F0245C3224E0}C:\program files\real\realplayer\realplay.exe" = protocol=6 | dir=in | app=c:\program files\real\realplayer\realplay.exe |
"TCP Query User{313DBE21-B69F-4B98-AAC5-EBBFEBDC8A20}C:\program files\k-lite codec pack\media player classic\mplayerc.exe" = protocol=6 | dir=in | app=c:\program files\k-lite codec pack\media player classic\mplayerc.exe |
"TCP Query User{44EE1BCF-6113-42CA-95A9-A7082AD44065}C:\program files\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"TCP Query User{51313F9E-59BE-4885-9306-4989CAF47913}C:\program files\orbitdownloader\orbitnet.exe" = protocol=6 | dir=in | app=c:\program files\orbitdownloader\orbitnet.exe |
"TCP Query User{70F2573F-ADB8-455B-86C5-5BD1BFB7C016}C:\program files\morun.net\sticker lite\sticker.exe" = protocol=6 | dir=in | app=c:\program files\morun.net\sticker lite\sticker.exe |
"TCP Query User{7DBAFD49-F706-407D-9B55-99C44C207350}C:\program files\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"TCP Query User{CA8CDC8C-4009-4621-9684-D3B793BBB679}C:\users\imsb\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe" = protocol=6 | dir=in | app=c:\users\imsb\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe |
"TCP Query User{CF604FB8-E8C2-4E0F-9466-DFBB5CD12E47}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{0ED79ECB-0DB1-4153-AC51-94D728224DE2}C:\program files\orbitdownloader\orbitnet.exe" = protocol=17 | dir=in | app=c:\program files\orbitdownloader\orbitnet.exe |
"UDP Query User{2EEF7FC0-DFFA-47EC-A464-72C9DCA85B48}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"UDP Query User{4CC0E634-597C-40AC-A208-AFFEFA9FF4D5}C:\program files\morun.net\sticker lite\sticker.exe" = protocol=17 | dir=in | app=c:\program files\morun.net\sticker lite\sticker.exe |
"UDP Query User{8A03DD88-7857-4F10-8919-2A17D1308C2C}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{A75DC7EA-AEC8-4E1F-8F03-4BF953F510F6}C:\program files\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"UDP Query User{C944933C-7E81-42EA-A74C-ADCA95091BBF}C:\users\imsb\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe" = protocol=17 | dir=in | app=c:\users\imsb\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe |
"UDP Query User{C9742FB2-8B2A-482A-8C0E-DB4A91C93B3F}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{E6BA0D02-EE0C-44F0-ACAA-2BE3FCE383F2}C:\program files\k-lite codec pack\media player classic\mplayerc.exe" = protocol=17 | dir=in | app=c:\program files\k-lite codec pack\media player classic\mplayerc.exe |
"UDP Query User{EBC5F7D8-BFFD-42DD-9E48-5D7E5723C9B5}C:\program files\real\realplayer\realplay.exe" = protocol=17 | dir=in | app=c:\program files\real\realplayer\realplay.exe |
"UDP Query User{FCFA4E73-FCC4-443C-8C6E-877D87C84268}C:\program files\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID Sign-in Assistant
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP190_series" = Canon MP190 series MP Drivers
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{254C37AA-6B72-4300-84F6-98A82419187E}" = Hewlett-Packard Active Check for Health Check
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 13
"{29FA9E38-7A6D-475E-8C15-15EE8BA9639E}" = ESU for Microsoft Vista
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{2C86D799-6203-4BE4-8175-126D69742F2F}" = Vista Default Settings
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.30 A3
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3912A629-0020-0005-3131-2FBA74D4DF0A}" = InterVideo WinDVD
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
"{3F9F7336-6DF8-476F-ABF6-C70A17FAF619}" = HP Backup and Recovery Manager Installer
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{48B3FB4D-CE22-488C-8E9F-24EBB77EAC0F}" = Microsoft Security Essentials
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{521F72F4-FFE4-4959-AA88-EED06125211F}" = HP Notebook Accessories Product Tour
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{5D97A4A7-C274-4B63-86D9-07A33435F505}" = InterVideo DVD Check
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = Hewlett-Packard Asset Agent for Health Check
"{690BE098-6D0D-493D-B079-BD7E8F81A141}" = Opera 10.10
"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D3DB611-D5E8-4E4B-8952-0D3F549F9CC6}" = HP Active Support Library 32 bit components
"{70CEFEBA-F757-4DBE-8A21-027C326137CE}" = Application Installer 4.00.B13
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update
"{90120000-0015-0401-0000-0000000FF1CE}" = Microsoft Office Access MUI (Arabic) 2007
"{90120000-0015-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0401-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Arabic) 2007
"{90120000-0016-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0017-0401-0000-0000000FF1CE}" = Microsoft Office SharePoint Designer MUI (Arabic) 2007
"{90120000-0017-0401-0000-0000000FF1CE}_OMUI.ar-sa_{665DB297-FBC5-46C1-AE27-10355A47442E}" = Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
"{90120000-0018-0401-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Arabic) 2007
"{90120000-0018-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0401-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Arabic) 2007
"{90120000-0019-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0401-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Arabic) 2007
"{90120000-001A-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0401-0000-0000000FF1CE}" = Microsoft Office Word MUI (Arabic) 2007
"{90120000-001B-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0401-0000-0000000FF1CE}" = Microsoft Office Proof (Arabic) 2007
"{90120000-001F-0401-0000-0000000FF1CE}_OMUI.ar-sa_{14809F99-C601-4D4A-9391-F1E8FAA964C5}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_OMUI.ar-sa_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_OMUI.ar-sa_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0401-0000-0000000FF1CE}" = Microsoft Office Proofing (Arabic) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0401-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Arabic) 2007
"{90120000-0044-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0401-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Arabic) 2007
"{90120000-006E-0401-0000-0000000FF1CE}_OMUI.ar-sa_{C1547C6B-A758-4270-964E-4EE8D323C99D}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_OMUI.ar-sa_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0401-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Arabic) 2007
"{90120000-00A1-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_OMUI.ar-sa_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0100-0401-0000-0000000FF1CE}" = Microsoft Office O MUI (Arabic) 2007
"{90120000-0100-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0101-0401-0000-0000000FF1CE}" = Microsoft Office X MUI (Arabic) 2007
"{90120000-0101-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0401-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (Arabic) 2007
"{90120000-0114-0401-0000-0000000FF1CE}_OMUI.ar-sa_{F3C3851B-43B8-4B86-89BA-ECAD6518AD22}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9E2CCD5E-1990-4EF2-9B61-32F0BBACC29B}" = HP Active Support Library
"{A0A77CDC-2419-4D5C-AD2C-E09E5926B806}" = Microsoft Antimalware
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB5E289E-76BF-4251-9F3F-9B763F681AE0}" = HP Customer Experience Enhancements
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.7
"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
"{B51C3024-333B-4FB6-B1EC-49ECE2DE6056}" = HP User Guides 0077
"{BBE5C83E-4DC5-494F-8A23-3AAE242E94C2}" = HP Easy Setup - Frontend
"{BC2FE771-EDBE-3087-A676-2B6C45A2BF7E}" = Google Gears
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CBAE4F50-9FC9-4557-AB36-9826DF3C103C}" = HP Wireless Assistant
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}" = Safari
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E333CA5F-00ED-4EEF-90E5-6A33A8FE969F}" = HP Help and Support
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F92B1106-FFD9-4953-964D-D841055FA06A}" = ScanSoft OmniPage SE 4
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"AoA Audio Extractor_is1" = AoA Audio Extractor 1.0
"Avidemux 2.5" = Avidemux 2.5
"Boilsoft Video Splitter_is1" = Boilsoft Video Splitter 5.01
"CanonMyPrinter" = Canon My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CCleaner" = CCleaner (remove only)
"CNXT_AUDIO_HDA" = Conexant HD Audio
"CNXT_MODEM_HDA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"CutePDF Writer Installation" = CutePDF Writer 2.8
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"ERUNT_is1" = ERUNT 1.1j
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.1.0 (Full)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"Mozilla Thunderbird (2.0.0.23)" = Mozilla Thunderbird (2.0.0.23)
"MP Navigator EX 1.2" = Canon MP Navigator EX 1.2
"ObjectDock" = ObjectDock
"OMUI.ar-sa" = Microsoft Office Language Pack 2007 - Arabic العربية
"PROSet" = Intel® Network Connections Drivers
"RealArcade 1.2" = RealArcade
"RealPlayer 6.0" = RealPlayer
"SubtitleCreator" = SubtitleCreator
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Trojan Remover_is1" = Trojan Remover 6.8.1
"VistaGlazz_is1" = VistaGlazz 1.3
"VLC media player" = VLC media player 1.0.3
"VobSub" = VobSub v2.23 (Remove Only)
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 30/7/2009 6:27:20 AM | Computer Name = MEDIUNBB093 | Source = MsiInstaller | ID = 11500
Description =

Error - 30/7/2009 6:27:23 AM | Computer Name = MEDIUNBB093 | Source = MsiInstaller | ID = 11500
Description =

Error - 30/7/2009 6:35:43 AM | Computer Name = MEDIUNBB093 | Source = System Restore | ID = 8193
Description =

Error - 30/7/2009 6:35:53 AM | Computer Name = MEDIUNBB093 | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 30/7/2009 8:05:48 AM | Computer Name = MEDIUNBB093 | Source = System Restore | ID = 8193
Description =

Error - 30/7/2009 8:15:49 AM | Computer Name = MEDIUNBB093 | Source = System Restore | ID = 8193
Description =

Error - 30/7/2009 8:15:51 AM | Computer Name = MEDIUNBB093 | Source = MsiInstaller | ID = 11308
Description =

Error - 30/7/2009 8:30:49 AM | Computer Name = MEDIUNBB093 | Source = EventSystem | ID = 4609
Description =

Error - 30/7/2009 8:33:34 AM | Computer Name = MEDIUNBB093 | Source = EventSystem | ID = 4609
Description =

Error - 3/8/2009 6:36:42 AM | Computer Name = MEDIUNBB093 | Source = Application Hang | ID = 1002
Description = The program firefox.exe version 1.9.1.3483 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 1f0 Start Time: 01ca14245ab0c1c0 Termination Time: 31

[ OSession Events ]
Error - 14/8/2008 7:22:53 AM | Computer Name = MEDIUNBB093 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6308.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 8035
seconds with 5460 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 2/12/2009 2:58:24 AM | Computer Name = MEDIUNBB093 | Source = Service Control Manager | ID = 7026
Description =

Error - 2/12/2009 10:29:31 PM | Computer Name = MEDIUNBB093 | Source = Service Control Manager | ID = 7026
Description =

Error - 3/12/2009 6:12:50 AM | Computer Name = MEDIUNBB093 | Source = Service Control Manager | ID = 7011
Description =

Error - 3/12/2009 9:40:42 PM | Computer Name = MEDIUNBB093 | Source = Service Control Manager | ID = 7026
Description =

Error - 4/12/2009 6:20:42 PM | Computer Name = MEDIUNBB093 | Source = Service Control Manager | ID = 7011
Description =

Error - 4/12/2009 11:08:09 PM | Computer Name = MEDIUNBB093 | Source = Service Control Manager | ID = 7026
Description =

Error - 5/12/2009 9:25:20 PM | Computer Name = MEDIUNBB093 | Source = Service Control Manager | ID = 7026
Description =

Error - 5/12/2009 9:31:52 PM | Computer Name = MEDIUNBB093 | Source = Service Control Manager | ID = 7031
Description =

Error - 5/12/2009 9:34:31 PM | Computer Name = MEDIUNBB093 | Source = Service Control Manager | ID = 7026
Description =

Error - 5/12/2009 9:52:47 PM | Computer Name = MEDIUNBB093 | Source = Service Control Manager | ID = 7026
Description =


< End of report >

#6
RKinner

    Malware Expert

  • Expert
  • 23,166 posts
  • MVP
Looks like whatever program you used got rid of the malware. Just to make sure, though, let's run ComboFix.

Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and rename this file (call it george.exe) to your Desktop, from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console, then Continue. When the scan completes, Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time :!:

Reply with the contents of C:\Combofix.txt

Good that I asked for an OTL log. I see you have Vista and not XP. I have a fix for the registry changes that I know is OK for XP but I'm not sure about how well it will work on Vista. I'll have to go through my Vista machine and see if the same registry keys appear and have the same values. That will take me a while. We can test how well the fix works on the two registry values that I know are being used in this infection.


Copy the text between the lines of stars by highlighting and Ctrl + c.

********************************************************************************
[Version]
Signature="$Chicago$"
Provider=Ron Kinner

[DefaultInstall]
; Only a DelReg directive: this fix removes values and adds nothing.
DelReg=del

[del]
; Remove the pre-logon legal notice the infection set.
; Each line is: root, subkey, value name. The key itself is left in place.
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system,legalnoticecaption
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system,legalnoticetext
****************************************************************************************************

Now open Notepad by Start, Run, notepad, OK. Paste the text into Notepad by Ctrl + v. Verify that you got it all, then File, Save As, (on your desktop) "fix.inf" OK. (Please type the quotation marks around the file name or it will be saved with a .txt extension and won't work.) Close Notepad. You should have a file fix.inf on your desktop. Right click on it and select Install. You will have to select Continue before it will run.

Reboot and see if the warning is gone.

Post back with the Combofix log and tell me if the warning is gone.

Ron
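
Before right-clicking an .inf like the one above and choosing Install, it helps to see exactly which registry values it will delete or set. The Python below is an added example, not Ron's code or anything posted in this thread: it parses the DelReg=/AddReg= directives under [DefaultInstall] of a Setup .inf (handling quoted strings with doubled quotes, commas inside quotes and the 0x... type flags) and lists each operation, and it flags a DelReg line that names no value, since that removes the whole key. The embedded sample is constructed from the fix.inf lines in this post plus AddReg lines written in the same syntax as the later fix2.inf.

```python
# Added example for this thread (not Ron's code): list the registry operations a Setup .inf fix performs.
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: fix.inf's [del] lines from the post above, plus [UnhookRegKey] lines in fix2.inf's syntax.
SAMPLE_INF = r'''
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,Shell,0,"Explorer.exe"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder,Bitmap,0x00020000,"C:\WINDOWS\SYSTEM32\SHELL32.DLL,4"
[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system,legalnoticecaption
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system,legalnoticetext
'''

# AddReg flag bits that select the value type (FLG_ADDREG_TYPE_*); bit 0x10 means "create the key only".
TYPE_BITS = {0x00000: 'REG_SZ', 0x00001: 'REG_BINARY', 0x10000: 'REG_MULTI_SZ',
             0x20000: 'REG_EXPAND_SZ', 0x10001: 'REG_DWORD', 0x20001: 'REG_NONE'}

class RegOp(NamedTuple):
    action: str       # 'delete' or 'set'
    root: str         # HKLM, HKCU, HKCR, HKU
    subkey: str
    value_name: str   # '' means the whole key (delete) or the (Default) value (set)
    reg_type: str = ''
    data: str = ''

def unquote(field: str) -> str:
    # A "quoted" INF string loses its outer quotes; a doubled quote inside it is a literal quote.
    if len(field) >= 2 and field[0] == field[-1] == '"':
        return field[1:-1].replace('""', '"')
    return field

def split_inf_fields(line: str) -> List[str]:
    # Commas inside "..." do not split a field, and ';' outside quotes starts a comment.
    fields: List[str] = []
    cur, in_q = '', False
    for c in line:
        if c == '"':
            in_q = not in_q
        elif c == ',' and not in_q:
            fields.append(cur)
            cur = ''
            continue
        elif c == ';' and not in_q:
            break
        cur += c
    fields.append(cur)
    return [unquote(f.strip()) for f in fields]

def parse_sections(text: str) -> Dict[str, List[str]]:
    # Lower-cased [section] names -> their non-blank, non-comment lines.
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def decode_type(flags_field: str) -> str:
    flags = int(flags_field.strip() or '0', 0)   # INF writes flags as 0x... or decimal
    return 'KEY_ONLY' if flags & 0x10 else TYPE_BITS.get(flags & 0x30001, f'UNKNOWN(0x{flags:08x})')

def registry_operations(text: str) -> List[RegOp]:
    # Deletions first, then additions, for every section named by DelReg=/AddReg= in [DefaultInstall].
    sections = parse_sections(text)
    ops: List[RegOp] = []
    for directive, action in (('delreg', 'delete'), ('addreg', 'set')):
        for entry in sections.get('defaultinstall', []):
            key, _, value = entry.partition('=')
            if key.strip().lower() != directive:
                continue
            for name in (n.strip().lower() for n in value.split(',') if n.strip()):
                for line in sections.get(name, []):
                    f = split_inf_fields(line) + [''] * 5
                    extra = (decode_type(f[3]), f[4]) if action == 'set' else ('', '')
                    ops.append(RegOp(action, f[0].upper(), f[1], f[2], *extra))
    return ops

def describe(op: RegOp) -> str:
    key = f'{op.root}\\{op.subkey}'
    if op.action == 'delete':   # a DelReg line with no value name removes the key and all its subkeys
        return f'DELETE VALUE {key} -> {op.value_name}' if op.value_name else f'DELETE KEY   {key}'
    return f'SET {op.reg_type:<13} {key} -> {op.value_name or "(Default)"} = {op.data!r}'

if __name__ == '__main__':
    for op in registry_operations(SAMPLE_INF):
        print(describe(op))
```

Running it prints two DELETE VALUE lines for the legal-notice values and three SET lines for the additions.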

#7
LCgirl

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
The warning is gone now, but the Folder Options is still messed up.

Here's the ComboFix log:

ComboFix 09-12-05.03 - IMSB 06/12/2009 20:48.2.1 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1256.966.1033.18.1015.423 [GMT 8:00]
Running from: c:\users\IMSB\Desktop\george.exe
SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\WLSetup
c:\programdata\Microsoft\WLSetup\Logs\2009-02-03_15-40_15ac-g10jiqic.log
c:\programdata\Microsoft\WLSetup\Logs\2009-02-03_15-40_17a8-xzxzyzp2.log
c:\programdata\Microsoft\WLSetup\Logs\2009-02-21_08-26_608-eeq8ugc1.log
c:\programdata\Microsoft\WLSetup\Logs\2009-05-23_20-14_1760-n3tpf8s1.log
c:\programdata\Microsoft\WLSetup\Logs\2009-07-30_18-16_b28-27bli6pq.log
c:\programdata\Microsoft\WLSetup\Logs\2009-07-30_19-58_b20-fi6r4h2j.log
c:\programdata\Microsoft\WLSetup\Logs\2009-07-30_20-17_b04-3kk0jnpw.log
c:\programdata\Microsoft\WLSetup\Logs\2009-07-30_20-32_740-k3wd8x9g.log
c:\programdata\Microsoft\WLSetup\Logs\2009-07-30_20-32_7b4-4tjk51nr.log
c:\programdata\Microsoft\WLSetup\Logs\2009-07-30_20-34_52c-84v5lf8z.log
c:\programdata\Microsoft\WLSetup\Logs\2009-08-21_02-07_cd8-8nfan3a4.log
c:\programdata\Microsoft\WLSetup\wlt958D.tmp

.
((((((((((((((((((((((((( Files Created from 2009-11-06 to 2009-12-06 )))))))))))))))))))))))))))))))
.

2009-12-06 12:59 . 2009-12-06 12:59 -------- d-----w- c:\users\IMSB\AppData\Local\temp
2009-12-06 12:59 . 2009-12-06 12:59 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-06 12:59 . 2009-12-06 12:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-06 01:40 . 2009-12-03 08:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-06 01:40 . 2009-12-03 08:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-06 01:40 . 2009-12-06 01:40 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-06 01:37 . 2009-12-06 01:37 4096 d-----w- c:\program files\ERUNT
2009-12-02 06:07 . 2009-12-02 06:07 -------- d-----w- c:\program files\Trend Micro
2009-12-02 03:59 . 2006-06-19 05:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-12-02 03:59 . 2006-05-25 07:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-12-02 03:59 . 2005-08-25 17:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-12-02 03:59 . 2003-02-02 12:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-12-02 03:59 . 2002-03-05 17:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-12-02 03:58 . 2009-12-02 03:59 4096 d-----w- c:\program files\Trojan Remover
2009-12-02 03:58 . 2009-12-02 03:58 -------- d-----w- c:\users\IMSB\AppData\Roaming\Simply Super Software
2009-12-02 03:58 . 2009-12-02 03:58 -------- d-----w- c:\programdata\Simply Super Software
2009-12-01 12:25 . 2009-12-01 12:25 0 ----a-w- c:\windows\nsreg.dat
2009-12-01 12:25 . 2009-12-01 12:25 -------- d-----w- c:\users\IMSB\AppData\Local\Thunderbird
2009-12-01 12:25 . 2009-12-01 12:25 -------- d-----w- c:\users\IMSB\AppData\Roaming\Thunderbird
2009-12-01 12:25 . 2009-12-01 12:25 8192 d-----w- c:\program files\Mozilla Thunderbird
2009-11-30 03:41 . 2009-11-30 03:44 4096 d-----w- c:\program files\AveIconifier2
2009-11-25 07:12 . 2009-10-29 09:17 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 02:40 . 2009-08-11 16:44 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 02:40 . 2009-08-11 16:44 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-18 02:05 . 2009-11-18 02:05 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-17 18:21 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-11-17 18:21 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-11-17 18:21 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-11-17 18:19 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-11-17 18:19 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-11-17 18:19 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-11-17 18:19 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-11-17 18:19 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-11-17 18:19 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-11-17 18:19 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-11-17 18:19 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-11-17 18:19 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-11-17 18:18 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-11-17 18:18 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-11-17 18:18 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-11-16 09:39 . 2009-11-16 09:39 -------- d-----w- c:\users\IMSB\AppData\Roaming\Flood Light Games
2009-11-16 09:39 . 2009-11-16 09:39 -------- d-----w- c:\programdata\Flood Light Games
2009-11-16 02:00 . 2009-11-16 02:09 4096 d-----w- c:\program files\RealArcade
2009-11-16 01:50 . 2009-11-16 01:51 4096 d-----w- c:\program files\Subtitle Workshop 4
2009-11-14 09:10 . 2009-11-14 09:10 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-12 03:38 . 2009-11-13 13:37 4096 d-----w- c:\users\IMSB\AppData\Local\MediaMonkey
2009-11-11 09:46 . 2009-11-11 09:46 117760 ----a-w- c:\users\IMSB\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-11 09:46 . 2009-11-11 09:46 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-11 09:45 . 2009-11-11 09:45 4096 d-----w- c:\program files\SUPERAntiSpyware
2009-11-11 09:45 . 2009-11-11 09:45 -------- d-----w- c:\users\IMSB\AppData\Roaming\SUPERAntiSpyware.com
2009-11-11 09:44 . 2009-11-11 09:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-11 09:22 . 2009-11-11 09:22 -------- d-----w- c:\users\IMSB\AppData\Roaming\Malwarebytes
2009-11-11 09:22 . 2009-11-11 09:22 -------- d-----w- c:\programdata\Malwarebytes
2009-11-11 02:53 . 2009-08-14 13:27 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 02:52 . 2009-08-10 12:35 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-10 07:16 . 2009-11-10 07:16 -------- d-----w- c:\program files\CodeGazer
2009-11-09 11:58 . 2009-11-13 08:23 -------- d-----w- c:\users\IMSB\AppData\Local\SubtitleCreator
2009-11-09 11:57 . 2009-11-09 11:57 4096 d-----w- c:\program files\SubtitleCreator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-05 18:55 . 2008-07-15 06:35 163840 d-----w- c:\users\IMSB\AppData\Roaming\uTorrent
2009-11-30 12:01 . 2008-12-09 11:10 -------- d-----w- c:\programdata\GameHouse
2009-11-27 12:43 . 2008-07-21 05:43 4096 d-----w- c:\program files\Opera
2009-11-27 09:08 . 2008-07-16 04:13 4096 d-----w- c:\program files\Real
2009-11-23 08:26 . 2009-09-25 04:14 16384 d-----w- c:\program files\Avidemux 2.5
2009-11-22 06:01 . 2006-11-09 21:07 12 ----a-w- c:\windows\bthservsdp.dat
2009-11-20 04:24 . 2008-08-07 04:01 -------- d-----w- c:\programdata\Roxio
2009-11-18 02:04 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-18 02:04 . 2009-11-18 02:04 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-16 16:16 . 2008-09-16 13:46 4096 d-----w- c:\users\IMSB\AppData\Roaming\vlc
2009-11-14 12:06 . 2009-01-03 07:50 186980 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-14 09:16 . 2009-01-03 05:11 8192 d-----w- c:\program files\Safari
2009-11-12 13:12 . 2008-07-26 07:39 4096 d-----w- c:\users\IMSB\AppData\Roaming\Apple Computer
2009-11-11 08:56 . 2008-08-01 03:42 4096 d-----w- c:\program files\sakhr
2009-11-11 07:32 . 2009-10-31 05:04 8192 d-----w- c:\program files\iTunes
2009-11-11 03:39 . 2008-07-09 07:28 118488 ----a-w- c:\users\IMSB\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-11 03:35 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-11 03:02 . 2007-11-05 05:27 24576 d-----w- c:\programdata\Microsoft Help
2009-11-10 07:19 . 2009-09-24 02:55 615424 ----a-w- c:\windows\system32\themeui.dll
2009-11-04 13:28 . 2009-11-04 13:28 -------- d-----w- c:\program files\Gabest
2009-11-04 03:45 . 2008-09-20 07:24 4096 d-----w- c:\program files\Google
2009-11-02 12:42 . 2009-10-02 18:14 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-31 05:04 . 2009-10-31 05:04 -------- d-----w- c:\program files\iPod
2009-10-31 05:04 . 2009-05-29 06:17 -------- d-----w- c:\program files\Common Files\Apple
2009-10-31 04:49 . 2009-10-31 04:49 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-24 10:39 . 2007-11-05 05:20 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-23 03:13 . 2009-10-23 03:13 4096 d-----w- c:\program files\Microsoft Security Essentials
2009-10-23 02:30 . 2009-10-16 08:47 4096 d-----w- c:\program files\Common Files\BitDefender
2009-10-23 02:29 . 2009-10-16 09:22 81984 ----a-w- c:\windows\system32\bdod.bin
2009-10-19 03:58 . 2008-07-09 07:46 4096 d-----w- c:\program files\Microsoft Works
2009-10-19 02:32 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Sidebar
2009-10-19 02:32 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-10-19 02:32 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Photo Gallery
2009-10-19 02:32 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Defender
2009-10-17 14:02 . 2009-10-17 14:02 23600 ----a-w- c:\windows\system32\drivers\TVICHW32.SYS
2009-10-17 02:22 . 2009-10-16 09:04 -------- d-----w- c:\programdata\BitDefender
2009-10-16 09:05 . 2009-10-16 09:05 -------- d-----w- c:\users\IMSB\AppData\Roaming\BitDefender
2009-10-16 09:04 . 2009-10-16 09:04 -------- d-----w- c:\program files\BitDefender
2009-10-16 04:16 . 2009-10-16 04:35 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-16 02:16 . 2007-11-05 05:31 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-01 01:02 . 2009-11-17 18:20 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-11-17 18:20 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-11-17 18:20 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-09-25 02:10 . 2009-11-17 18:20 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-11-17 18:20 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-11-17 18:20 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-11-17 18:20 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-11-17 18:20 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-11-17 18:20 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-11-17 18:20 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-11-17 18:20 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-11-17 18:20 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-11-17 18:20 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-11-17 18:20 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-11-17 18:20 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-11-17 18:20 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-11-17 18:20 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-11-17 18:20 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-11-17 18:20 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-11-17 18:20 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-11-17 18:20 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-11-17 18:20 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-11-17 18:20 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-11-17 18:20 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-11-17 18:20 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-11-17 18:20 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-11-17 18:20 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-11-17 18:20 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-11-17 18:20 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-11-17 18:20 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-14 09:29 . 2009-10-16 00:26 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 16:48 . 2009-10-16 00:27 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 14:59 . 2009-10-28 01:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-10 14:58 . 2009-10-28 01:41 310784 ----a-w- c:\windows\system32\unregmp2.exe
2008-07-16 04:13 . 2008-07-16 04:13 774144 ----a-w- c:\program files\RngInterstitial.dll
2007-11-05 04:25 . 2007-11-05 04:24 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

------- Sigcheck -------

[-] 2009-11-10 . 690D53BD10A804BB6D0A772D1C0E6907 . 247296 . . [6.0.6000.16386] . . c:\windows\System32\shsvcs.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1045800]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMyGames"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 07:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):06,1f,6f,5c,65,50,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-338721479-4205688528-2889561002-1006]
"EnableNotificationsRef"=dword:00000001

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 9:24 PM 74480]
R3 dfmirage;dfmirage;c:\windows\System32\drivers\dfmirage.sys [27/3/2008 3:31 AM 34128]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\System32\drivers\MpNWMon.sys [18/6/2009 6:48 PM 42480]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [17/11/2008 3:40 PM 3668480]
S2 gupdate1c91af1f7191b20;Google Update Service (gupdate1c91af1f7191b20);c:\program files\Google\Update\GoogleUpdate.exe [20/9/2008 3:24 PM 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [30/9/2008 2:12 PM 21504]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [21/8/2009 2:39 AM 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [5/8/2009 10:48 PM 704864]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 9:24 PM 7408]
S3 TipCtrl;TipCtrl;"c:\program files\uTIPu\TipCtrl.exe" --> c:\program files\uTIPu\TipCtrl.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.sg/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_MY&c=74&bd=smb&pf=laptop
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\IMSB\AppData\Roaming\Mozilla\Firefox\Profiles\qr67kj5q.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\IMSB\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
AddRemove-Activation Assistant for the 2007 Microsoft Office suites - c:\programdata\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-CanonMyPrinter - c:\program files\Canon\MyPrinter\uninst.exe uninst.ini
AddRemove-CanonSolutionMenu - c:\program files\Canon\SolutionMenu\uninst.exe uninst.ini
AddRemove-Easy-PhotoPrint EX - c:\program files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini
AddRemove-RealArcade 1.2 - c:\program files\Real\RealArcade\Update\rnuninst.exe RealNetworks|RealArcade|1.2
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe REMOVEALL



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-06 20:59
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-12-06 21:04
ComboFix-quarantined-files.txt 2009-12-06 13:04

Pre-Run: 48,940,662,784 bytes free
Post-Run: 48,894,210,048 bytes free

- - End Of File - - AA3D98BD2DE3A10FAD8FA6B9532FE830
  • 0

#8
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,166 posts
  • MVP
Looks good. I converted the XP fix to Vista and checked it against my Vista. Even ran it on mine and it didn't cause any obvious problems so I think it's good.

Copy the following as before and call it "fix2.inf" then right click on it and Install as before.

*********************************************************************************
[Version]
Signature="$Chicago$"
Provider=Galak and Kinner

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the default open handlers for bat/com/exe/pif/reg/scr files, the
; Winlogon shell, and the Folder Options "View" tab entries.
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe "%1""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" /S"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,Shell,0,"Explorer.exe"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder,Bitmap,0x00020000,"C:\WINDOWS\SYSTEM32\SHELL32.DLL,4"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder,Text,0,"@shell32.dll,-30498"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ClassicViewState,text,0,"@shell32.dll,-30506"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DesktopProcess,text,0,"@shell32.dll,-30507"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\FolderSizeTip,text,0,"@shell32.dll,-30514"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\FriendlyTree,text,0,"@shell32.dll,-30511"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden,Bitmap,0x00020000,"%SystemRoot%\system32\SHELL32.dll,4"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden,text,0,"@shell32.dll,-30499"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,text,0,"@shell32.dll,-30500"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN,text,0,"@shell32.dll,-30501"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,CheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,DefaultValue,0x00010001,2
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,text,0,"@shell32.dll,-30503"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,type,0,"CheckBox"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\PersistBrowsers,text,0,"@shell32.dll,-30513"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowCompColor,text,0,"@shell32.dll,-30512"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPath,text,0,"@shell32.dll,-30504"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowInfoTip,text,0,"@shell32.dll,-30502"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden,text,0,"@shell32.dll,-30508"

; Remove the policy restrictions, the Run (autostart) entries, the extra
; Folder Options entries, and the pre-logon legal notice.
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCMD
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Run,Intelprc
HKCU, Software\Microsoft\Windows\CurrentVersion\Run,Network
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SystemWindows
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ControlPanelInMyComputer
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DisableThumbCache
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\NetCrawler
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPathAddress
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SimpleSharing
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets\AUTO
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets\NOHIDE
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets\NONE
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\WebViewBarricade
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system,legalnoticecaption
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system,legalnoticetext

*********************************************************************************************************************

This should reset all of the registry values that Sophos and McAfee report are modified by your virus to the values on my Vista. Hopefully this should fix all of your problems. Let me know how it goes.

Ron
  • 0
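A read-only way to verify the repair afterwards, added here as an example and not part of the thread: the PowerShell audit below reads the same registry locations that fix2.inf rewrites (expected values are taken from the INF; the function name is my own) and reports any value that still differs or any deleted entry that is still present.

```powershell
# Added example (not code from the thread): audits the registry locations that
# fix2.inf resets. Read-only; run in an elevated PowerShell so HKLM policy keys
# are readable. Expected defaults below are the values the INF writes.

$Expected = @{
    'HKLM:\SOFTWARE\Classes\batfile\shell\open\command' = @{ '(default)' = '"%1" %*' }
    'HKLM:\SOFTWARE\Classes\comfile\shell\open\command' = @{ '(default)' = '"%1" %*' }
    'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' = @{ '(default)' = '"%1" %*' }
    'HKLM:\SOFTWARE\Classes\piffile\shell\open\command' = @{ '(default)' = '"%1" %*' }
    'HKLM:\SOFTWARE\Classes\regfile\shell\open\command' = @{ '(default)' = 'regedit.exe "%1"' }
    'HKLM:\SOFTWARE\Classes\scrfile\shell\open\command' = @{ '(default)' = '"%1" /S' }
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' = @{ 'Shell' = 'explorer.exe' }
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' = @{ 'CheckedValue' = 1; 'DefaultValue' = 2 }
}

# Values the INF's [del] section removes. Any of them still present is a finding;
# an empty value is ignored because Vista keeps legalnoticecaption/text present but blank.
$MustBeAbsent = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = 'DisableRegistryTools', 'DisableCMD', 'DisableTaskMgr'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = 'NoFolderOptions'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'               = 'Intelprc', 'Network'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'               = 'SystemWindows'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'   = 'legalnoticecaption', 'legalnoticetext'
}

function Test-Fix2Registry {
    $findings = @()
    foreach ($key in $Expected.Keys) {
        foreach ($name in $Expected[$key].Keys) {
            # String comparison in PowerShell is case-insensitive, so Explorer.exe matches explorer.exe
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ("$actual" -ne "$($Expected[$key][$name])") {
                $findings += [pscustomobject]@{ Key = $key; Name = $name; Expected = $Expected[$key][$name]; Actual = $actual }
            }
        }
    }
    foreach ($key in $MustBeAbsent.Keys) {
        foreach ($name in $MustBeAbsent[$key]) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ("$actual" -ne '') {
                $findings += [pscustomobject]@{ Key = $key; Name = $name; Expected = '<absent>'; Actual = $actual }
            }
        }
    }
    return $findings
}

$result = @(Test-Fix2Registry)
if ($result.Count -eq 0) { 'All audited values match the fix2.inf defaults.' }
else { $result | Format-Table -AutoSize -Wrap }
```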

#9
LCgirl

LCgirl

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
It works! Thanks very much for your time and help. I really appreciate it. :)
  • 0

#10
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,166 posts
  • MVP
You do not have the latest Java. Get the latest at:

http://www.java.com/...nload/index.jsp

Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE).

I see
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 13
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7

Old versions of Java are vulnerable to attack plus each one you have wastes 100 meg of hard drive space.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past. The Acrobat download is getting ridiculously large so you might want to try Foxit:
http://www.foxitsoft...loads/index.php
(They have started adding an ask.com toolbar (which they call foxit toolbar) to their download but you can go into Add/Remove Programs after the install and Remove it.)
Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions. So far as I know there is only one legitimate user of javascript in pdf files and that's the IRS so you may have to turn it on for them but otherwise leave it off.

Finally you should seriously consider getting rid of utorrent. Files received through any of the P2P programs are dangerous. You don't know where they have been or what's been done to them. If you must use utorrent, scan any files you received with your antivirus and better yet go to virustotal.com and submit them. Virustotal will send your file to some 30+ antivirus companies for their opinion.

You can delete george.exe and also c:\qoobox and c:\george if you want to. Keep erunt and the recovery console. You can uninstall or remove any other programs (and their logs) we had you install.

Ron
  • 0





