svchost.exe (LocalSystemNetworkRestricted) [Solved]


  • This topic is locked

#1
terrorist96

  • Member
  • 74 posts
What is this? I've seen this recently. I know I didn't have it before. Recently my RAM has been getting used up. I have Windows 7 Ultimate 64 bit and 4 GB of RAM. It's gotten as high as 70% and has seriously bogged my computer down. And I'm not running that many programs either. At first I thought it might be SuperFetch, but I did an AVG virus scan and it found this:
Posted Image
and I clicked remove unhealed infections (those two were unhealed) and it said I had to remove it as a power user, so I said Yes and it then said it needed to restart. Did that too, and now I did another scan and it's still there. Just tried to remove it again and it said to restart again. I said no. Here's a cap of my Resource Monitor, and there seem to be two of them now!
Posted Image

MBAM:

Malwarebytes' Anti-Malware 1.44
Database version: 3513
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

1/7/2010 10:46:01 PM
mbam-log-2010-01-07 (22-46-01).txt

Scan type: Quick Scan
Objects scanned: 101138
Time elapsed: 3 minute(s), 13 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Users\Ali\AppData\Roaming\Microsoft\svchost.exe (Backdoor.Bot) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Ali\AppData\Roaming\Microsoft\svchost.exe (Backdoor.Bot) -> Delete on reboot.


I rebooted cuz it told me to do so and I typed my password in and it was about to log on but the screen was black and my desktop never showed up. I restarted manually and I got my computer to load up. Ran GMER and got this error as soon as I extracted the file:
Posted Image
I continued and clicked scan and got this:
Posted Image
It still scanned, then said everything was fine, and I pressed save and named it "ark.txt", but it was a log file. I opened the text file and it was empty. I tried the scan again, but this time it found something and I saved it as ark.txt again, and here's what was in it:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-07 23:03:07
Windows 6.1.7600
Running: gmer.exe


---- Files - GMER 1.0.15 ----

File C:\System Volume Information\Windows Backup\Staging\{7C645AB2-1ABC-4255-8210-75860E6D5293}\Backup files 1.zip 113507885 bytes

---- EOF - GMER 1.0.15 ----


Then I downloaded OTL and here are the logs:

OTL logfile created on: 1/7/2010 11:05:46 PM - Run 1
OTL by OldTimer - Version 3.1.21.1 Folder = C:\Users\Ali\Desktop
64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 931.41 Gb Total Space | 876.76 Gb Free Space | 94.13% Space Free | Partition Type: NTFS
Drive D: | 931.51 Gb Total Space | 861.41 Gb Free Space | 92.47% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 45.30 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 487.71 Mb Total Space | 5.23 Mb Free Space | 1.07% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ALI-PC
Current User Name: Ali
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/07 23:04:20 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Users\Ali\Desktop\OTL.exe
PRC - [2010/01/07 22:28:38 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2009/12/27 01:28:05 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Java\jre6\bin\jusched.exe
PRC - [2009/12/23 11:42:12 | 02,033,432 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgtray.exe
PRC - [2009/12/04 19:19:39 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
PRC - [2009/12/04 19:19:37 | 00,827,160 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgam.exe
PRC - [2009/12/04 19:17:15 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgcsrvx.exe
PRC - [2009/12/04 19:17:14 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgemc.exe
PRC - [2009/12/04 18:54:59 | 00,289,584 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files (x86)\uTorrent\uTorrent.exe
PRC - [2009/11/20 19:17:00 | 00,240,232 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2009/08/05 14:12:02 | 00,033,280 | ---- | M] (NirSoft) -- C:\Program Files (x86)\NirSoft\Volumouse\volumouse.exe


========== Modules (SafeList) ==========

MOD - [2010/01/07 23:04:20 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Users\Ali\Desktop\OTL.exe
MOD - [2009/07/13 20:03:50 | 01,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009/07/13 20:41:59 | 00,229,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\wwansvc.dll -- (WwanSvc)
SRV:64bit: - [2009/07/13 20:41:56 | 00,202,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\wbiosrvc.dll -- (WbioSrvc)
SRV:64bit: - [2009/07/13 20:41:56 | 00,195,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\umrdp.dll -- (UmRdpService)
SRV:64bit: - [2009/07/13 20:41:56 | 00,163,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\umpo.dll -- (Power)
SRV:64bit: - [2009/07/13 20:41:55 | 00,044,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\themeservice.dll -- (Themes)
SRV:64bit: - [2009/07/13 20:41:54 | 00,065,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\sppuinotify.dll -- (sppuinotify)
SRV:64bit: - [2009/07/13 20:41:54 | 00,029,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\sensrsvc.dll -- (SensrSvc)
SRV:64bit: - [2009/07/13 20:41:53 | 01,361,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\PeerDistSvc.dll -- (PeerDistSvc)
SRV:64bit: - [2009/07/13 20:41:53 | 00,327,168 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\pnrpsvc.dll -- (PNRPsvc)
SRV:64bit: - [2009/07/13 20:41:53 | 00,327,168 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\pnrpsvc.dll -- (p2pimsvc)
SRV:64bit: - [2009/07/13 20:41:53 | 00,187,904 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\provsvc.dll -- (HomeGroupProvider)
SRV:64bit: - [2009/07/13 20:41:53 | 00,067,072 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\SysNative\RpcEpMap.dll -- (RpcEptMapper)
SRV:64bit: - [2009/07/13 20:41:53 | 00,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\pnrpauto.dll -- (PNRPAutoReg)
SRV:64bit: - [2009/07/13 20:41:27 | 01,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 20:41:18 | 00,231,936 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\ListSvc.dll -- (HomeGroupListener)
SRV:64bit: - [2009/07/13 20:40:54 | 01,127,936 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FntCache.dll -- (FontCache)
SRV:64bit: - [2009/07/13 20:40:28 | 00,314,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\dhcpcore.dll -- (Dhcp)
SRV:64bit: - [2009/07/13 20:40:28 | 00,291,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\defragsvc.dll -- (defragsvc)
SRV:64bit: - [2009/07/13 20:40:24 | 00,689,152 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\cscsvc.dll -- (CscService)
SRV:64bit: - [2009/07/13 20:40:13 | 00,083,968 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\bthserv.dll -- (bthserv)
SRV:64bit: - [2009/07/13 20:40:10 | 00,100,864 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\SysNative\bdesvc.dll -- (BDESVC)
SRV:64bit: - [2009/07/13 20:40:05 | 00,114,688 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\AxInstSv.dll -- (AxInstSV)
SRV:64bit: - [2009/07/13 20:40:01 | 00,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2009/07/13 20:40:01 | 00,032,256 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appidsvc.dll -- (AppIDSvc)
SRV:64bit: - [2009/07/13 20:39:51 | 01,503,744 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\wbengine.exe -- (wbengine)
SRV:64bit: - [2009/07/13 20:39:28 | 03,524,608 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\SysNative\sppsvc.exe -- (sppsvc)
SRV:64bit: - [2009/07/13 20:39:11 | 00,689,152 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FXSSVC.exe -- (Fax)
SRV:64bit: - [2007/06/07 01:50:32 | 00,567,280 | ---- | M] ( ) [Auto | Running] -- C:\Windows\SysNative\dlbtcoms.exe -- (dlbt_device)
SRV - [2009/12/16 12:46:20 | 00,135,664 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
SRV - [2009/12/04 19:19:39 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/12/04 19:17:14 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2009/11/20 19:17:00 | 00,240,232 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009/07/13 22:20:14 | 00,000,000 | ---D | M] [On_Demand | Running] -- C:\Windows\Vss -- (VSS)
SRV - [2009/07/13 22:20:14 | 00,000,000 | ---D | M] [Unknown | Stopped] -- C:\Windows\SysWOW64\Msdtc -- (MSDTC)
SRV - [2009/07/13 20:16:12 | 00,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysWOW64\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 20:15:11 | 00,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 15:30:11 | 00,061,056 | ---- | M] () [On_Demand | Running] -- C:\Windows\SysWOW64\wbem\vds.mof -- (vds)
SRV - [2009/06/10 15:39:58 | 00,089,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64)
SRV - [2008/10/25 11:44:08 | 00,065,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 50 13 74 02 F3 89 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.716


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files (x86)\AVG\AVG9\Firefox [2009/12/10 08:39:07 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/01/07 22:28:39 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/01/07 22:28:39 | 00,000,000 | ---D | M]

[2009/12/04 18:30:12 | 00,000,000 | ---D | M] -- C:\Users\Ali\AppData\Roaming\Mozilla\Extensions
[2009/12/23 18:54:52 | 00,000,000 | ---D | M] -- C:\Users\Ali\AppData\Roaming\Mozilla\Firefox\Profiles\ahpdtmjx.default\extensions
[2009/12/27 01:28:15 | 00,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2009/12/25 14:58:12 | 00,163,840 | ---- | M] (Centra Software, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\NPCentraUpdater.dll

O1 HOSTS File: (824 bytes) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssiea.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files (x86)\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files (x86)\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [$Volumouse$] C:\Program Files (x86)\NirSoft\Volumouse\volumouse.exe (NirSoft)
O4 - HKCU..\Run: [Aim] C:\Program Files (x86)\AIM\aim.exe (AOL LLC)
O4 - HKCU..\Run: [uTorrent] C:\Program Files (x86)\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgppa.dll (AVG Technologies CZ, s.r.o.)
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - AppInit_DLLs: (avgrssta.dll) - C:\Windows\SysNative\avgrssta.dll (AVG Technologies CZ, s.r.o.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (pku2u) - C:\Windows\SysNative\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\SysWow64\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/22 06:07:00 | 00,000,066 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2009/06/22 04:34:52 | 00,895,423 | R--- | M] (InstallShield Software Corporation) - F:\AutoTask_V1.00.exe -- [ CDFS ]
O32 - AutoRun File - [2010/01/07 21:52:14 | 00,000,134 | -H-- | M] () - G:\autorun.inf -- [ FAT ]
O33 - MountPoints2\{3ae87f06-e142-11de-bdc1-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{3ae87f06-e142-11de-bdc1-806e6f6e6963}\Shell\AutoRun\command - "" = F:\Launcher.exe -- [2009/07/09 01:44:27 | 00,380,928 | R--- | M] (Duramicro Inc.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
64bit: O35 - comfile [open] -- "%1" %* File not found
64bit: O35 - exefile [open] -- "%1" %* File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs:64bit: Ias - C:\Windows\SysNative\ias [2009/07/13 22:20:14 | 00,000,000 | ---D | M]
NetSvcs:64bit: Irmon - C:\Windows\SysNative\irmon.dll (Microsoft Corporation)
NetSvcs:64bit: Wmi - C:\Windows\SysNative\wmi.dll (Microsoft Corporation)
NetSvcs:64bit: Themes - C:\Windows\SysNative\themeservice.dll (Microsoft Corporation)
NetSvcs:64bit: BDESVC - C:\Windows\SysNative\bdesvc.dll (Microsoft Corporation)
NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
NetSvcs: Ias - C:\Windows\SysWOW64\ias.dll (Microsoft Corporation)
NetSvcs: Wmi - C:\Windows\SysWOW64\wmi.dll (Microsoft Corporation)
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 14 Days ==========

[2010/01/07 23:04:19 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Users\Ali\Desktop\OTL.exe
[2010/01/07 22:41:42 | 00,000,000 | ---D | C] -- C:\Users\Ali\AppData\Roaming\Malwarebytes
[2010/01/07 22:41:38 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/01/07 22:41:37 | 00,022,104 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/01/07 22:41:37 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/01/07 22:41:37 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/01/07 22:41:05 | 05,115,840 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Ali\Desktop\mbam-setup.exe
[2010/01/06 22:36:46 | 00,000,000 | ---D | C] -- C:\Users\Ali\AppData\Local\Diagnostics
[2010/01/06 20:49:17 | 00,000,000 | ---D | C] -- C:\Windows\nl-NL
[2010/01/06 20:28:39 | 00,000,000 | ---D | C] -- C:\Windows\de-DE
[2010/01/06 19:47:42 | 00,000,000 | ---D | C] -- C:\Windows\it-IT
[2010/01/06 19:39:03 | 00,000,000 | ---D | C] -- C:\Windows\ja-JP
[2010/01/06 18:43:44 | 00,000,000 | ---D | C] -- C:\Windows\fr-FR
[2010/01/06 18:43:41 | 00,000,000 | ---D | C] -- C:\Windows\SysWow64\drivers\fr-FR
[2010/01/06 18:43:41 | 00,000,000 | ---D | C] -- C:\Windows\SysWow64\fr
[2010/01/06 18:43:41 | 00,000,000 | ---D | C] -- C:\Windows\SysWow64\drivers\ar-SA
[2010/01/06 18:43:41 | 00,000,000 | ---D | C] -- C:\Windows\SysWow64\ar
[2010/01/06 18:43:41 | 00,000,000 | ---D | C] -- C:\Windows\SysWow64\040C
[2010/01/06 18:43:36 | 00,000,000 | ---D | C] -- C:\Windows\ar-SA
[2010/01/06 18:43:34 | 00,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\fr-FR
[2010/01/06 18:43:34 | 00,000,000 | ---D | C] -- C:\Windows\SysNative\fr
[2010/01/06 18:43:34 | 00,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\ar-SA
[2010/01/06 18:43:34 | 00,000,000 | ---D | C] -- C:\Windows\SysNative\ar
[2010/01/06 18:43:34 | 00,000,000 | ---D | C] -- C:\Windows\SysNative\040C
[2010/01/06 18:38:10 | 00,000,000 | -HSD | C] -- C:\Boot
[2010/01/06 18:36:41 | 00,003,584 | ---- | C] (SCM Microsystems, Inc.) -- C:\Windows\SysNative\drivers\ar-SA\pscr.sys.mui
[2010/01/06 18:36:20 | 00,009,728 | ---- | C] (Brother Industries Ltd.) -- C:\Windows\SysNative\drivers\ar-SA\BrSerIb.sys.mui
[2010/01/06 18:36:18 | 00,009,728 | ---- | C] (Brother Industries Ltd.) -- C:\Windows\SysNative\drivers\ar-SA\BrSerId.sys.mui
[2010/01/06 18:36:18 | 00,002,560 | ---- | C] (Brother Industries Ltd.) -- C:\Windows\SysNative\drivers\ar-SA\BrParwdm.sys.mui
[2010/01/06 18:08:57 | 00,000,000 | ---D | C] -- C:\Windows\SysWow64\XPSViewer
[2010/01/05 15:22:41 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Works
[2010/01/05 15:22:24 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio
[2010/01/05 15:22:23 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\DESIGNER
[2010/01/05 15:22:11 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft.NET
[2010/01/05 15:20:45 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2010/01/05 15:20:41 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio 8
[2010/01/05 15:20:05 | 00,000,000 | ---D | C] -- C:\Users\Ali\AppData\Local\Microsoft Help
[2010/01/05 15:20:04 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Office
[2010/01/05 15:20:04 | 00,000,000 | ---D | C] -- C:\ProgramData\Microsoft Help
[2010/01/05 15:19:17 | 00,000,000 | RH-D | C] -- C:\MSOCache
[2010/01/05 12:03:05 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\piPOol
[2010/01/05 12:01:16 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Xiph.Org
[2010/01/05 11:32:07 | 00,000,000 | ---D | C] -- C:\Users\Ali\AppData\Roaming\AVG9
[2010/01/04 14:54:23 | 00,000,000 | ---D | C] -- C:\Users\Ali\AppData\Roaming\Media Player Classic
[2010/01/04 14:52:50 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Combined Community Codec Pack
[2010/01/04 01:39:41 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Silverlight
[2010/01/04 01:39:16 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft
[2010/01/04 01:39:01 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Live SkyDrive
[2010/01/04 01:38:28 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Live
[2010/01/04 01:38:15 | 00,000,000 | ---D | C] -- C:\Windows\PCHEALTH
[2010/01/04 01:37:45 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
[2010/01/04 01:33:13 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Windows Live
[2010/01/03 18:45:07 | 00,000,000 | ---D | C] -- C:\Users\Ali\Desktop\Flying Lotus - L.A. EP 3 X 3 [2009]
[2010/01/03 18:42:25 | 00,000,000 | ---D | C] -- C:\Users\Ali\Desktop\Flying Lotus Discography
[2010/01/03 18:37:59 | 00,000,000 | ---D | C] -- C:\Users\Ali\Desktop\Unknown Prophets
[2010/01/03 16:57:08 | 00,000,000 | ---D | C] -- C:\Users\Ali\Desktop\ALL WORKING ACTIVATORS
[2010/01/02 19:27:00 | 00,000,000 | ---D | C] -- C:\Users\Ali\Desktop\ATHF
[2009/12/27 15:11:50 | 00,000,000 | ---D | C] -- C:\Windows\Downloaded Installations
[2009/12/27 01:28:04 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Java
[2009/12/25 14:58:19 | 00,000,000 | ---D | C] -- C:\Users\Ali\AppData\Roaming\Saba

========== Files - Modified Within 14 Days ==========

[2010/01/07 23:06:55 | 01,310,720 | -HS- | M] () -- C:\Users\Ali\NTUSER.DAT
[2010/01/07 23:04:20 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Users\Ali\Desktop\OTL.exe
[2010/01/07 23:00:16 | 01,833,054 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/01/07 23:00:16 | 00,615,122 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/01/07 23:00:16 | 00,539,584 | ---- | M] () -- C:\Windows\SysNative\perfh00C.dat
[2010/01/07 23:00:16 | 00,434,950 | ---- | M] () -- C:\Windows\SysNative\perfh001.dat
[2010/01/07 23:00:16 | 00,103,496 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/01/07 23:00:16 | 00,091,296 | ---- | M] () -- C:\Windows\SysNative\perfc00C.dat
[2010/01/07 23:00:16 | 00,076,092 | ---- | M] () -- C:\Windows\SysNative\perfc001.dat
[2010/01/07 22:58:24 | 00,053,927 | ---- | M] () -- C:\Users\Ali\Desktop\GMER error2.PNG
[2010/01/07 22:58:13 | 00,016,944 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/01/07 22:58:13 | 00,016,944 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/01/07 22:54:26 | 00,044,418 | ---- | M] () -- C:\Users\Ali\Desktop\GMER error.PNG
[2010/01/07 22:52:31 | 00,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/01/07 22:51:00 | 00,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/01/07 22:50:57 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/01/07 22:50:51 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/01/07 22:50:43 | 32,200,37632 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/07 22:46:53 | 02,783,589 | -H-- | M] () -- C:\Users\Ali\AppData\Local\IconCache.db
[2010/01/07 22:41:08 | 05,115,840 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Ali\Desktop\mbam-setup.exe
[2010/01/07 22:39:38 | 00,000,000 | ---- | M] () -- C:\Users\Ali\AppData\Local\prvlcl.dat
[2010/01/07 22:38:05 | 00,145,295 | ---- | M] () -- C:\Users\Ali\Desktop\scan result.PNG
[2010/01/07 22:37:28 | 00,007,610 | ---- | M] () -- C:\Users\Ali\AppData\Local\Resmon.ResmonCfg
[2010/01/07 22:37:25 | 00,105,349 | ---- | M] () -- C:\Users\Ali\Desktop\svchost resource monitor.PNG
[2010/01/07 18:03:44 | 47,552,490 | ---- | M] () -- C:\Windows\SysNative\drivers\Avg\incavi.avm
[2010/01/07 18:03:29 | 00,136,354 | ---- | M] () -- C:\Windows\SysNative\drivers\Avg\microavi.avg
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/01/07 16:07:06 | 00,022,104 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/01/06 18:43:03 | 00,344,522 | ---- | M] () -- C:\Windows\SysNative\perfi00C.dat
[2010/01/06 18:43:03 | 00,289,060 | ---- | M] () -- C:\Windows\SysNative\perfi001.dat
[2010/01/06 18:43:03 | 00,042,056 | ---- | M] () -- C:\Windows\SysNative\perfd001.dat
[2010/01/06 18:43:03 | 00,038,160 | ---- | M] () -- C:\Windows\SysNative\perfd00C.dat
[2010/01/06 16:55:06 | 00,108,840 | ---- | M] () -- C:\Users\Ali\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/01/06 16:54:24 | 00,413,312 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/01/06 16:48:59 | 00,000,478 | ---- | M] () -- C:\Windows\win.ini
[2010/01/05 15:24:04 | 00,002,693 | ---- | M] () -- C:\Users\Ali\Desktop\Microsoft Office Word 2007.lnk
[2010/01/05 13:30:27 | 00,002,288 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2010/01/02 19:57:20 | 00,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2010/01/02 19:52:32 | 25,467,284 | ---- | M] () -- C:\Users\Ali\Desktop\Stewart - Calculus - Early Transcendentals 6e HQ (Thomson, 2008).pdf
[2010/01/01 17:05:16 | 28,783,9846 | ---- | M] () -- C:\Users\Ali\Desktop\bgb_nika_noire02_1920_12000-hd.mov

========== Files Created - No Company Name ==========

[2010/01/07 22:58:24 | 00,053,927 | ---- | C] () -- C:\Users\Ali\Desktop\GMER error2.PNG
[2010/01/07 22:54:26 | 00,044,418 | ---- | C] () -- C:\Users\Ali\Desktop\GMER error.PNG
[2010/01/07 22:38:05 | 00,145,295 | ---- | C] () -- C:\Users\Ali\Desktop\scan result.PNG
[2010/01/07 22:37:25 | 00,105,349 | ---- | C] () -- C:\Users\Ali\Desktop\svchost resource monitor.PNG
[2010/01/06 19:23:57 | 00,007,610 | ---- | C] () -- C:\Users\Ali\AppData\Local\Resmon.ResmonCfg
[2010/01/06 18:44:33 | 00,539,584 | ---- | C] () -- C:\Windows\SysNative\perfh00C.dat
[2010/01/06 18:44:33 | 00,434,950 | ---- | C] () -- C:\Windows\SysNative\perfh001.dat
[2010/01/06 18:44:33 | 00,344,522 | ---- | C] () -- C:\Windows\SysNative\perfi00C.dat
[2010/01/06 18:44:33 | 00,289,060 | ---- | C] () -- C:\Windows\SysNative\perfi001.dat
[2010/01/06 18:44:33 | 00,091,296 | ---- | C] () -- C:\Windows\SysNative\perfc00C.dat
[2010/01/06 18:44:33 | 00,076,092 | ---- | C] () -- C:\Windows\SysNative\perfc001.dat
[2010/01/06 18:44:33 | 00,042,056 | ---- | C] () -- C:\Windows\SysNative\perfd001.dat
[2010/01/06 18:44:33 | 00,038,160 | ---- | C] () -- C:\Windows\SysNative\perfd00C.dat
[2010/01/06 17:40:15 | 25,467,284 | ---- | C] () -- C:\Users\Ali\Desktop\Stewart - Calculus - Early Transcendentals 6e HQ (Thomson, 2008).pdf
[2010/01/05 15:25:26 | 00,002,693 | ---- | C] () -- C:\Users\Ali\Desktop\Microsoft Office Word 2007.lnk
[2010/01/05 13:30:27 | 00,002,288 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2010/01/02 19:57:20 | 00,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2010/01/01 16:35:20 | 28,783,9846 | ---- | C] () -- C:\Users\Ali\Desktop\bgb_nika_noire02_1920_12000-hd.mov
[2009/12/16 13:03:48 | 00,000,000 | ---- | C] () -- C:\Users\Ali\AppData\Local\prvlcl.dat
[2009/12/11 21:05:12 | 00,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/12/04 19:19:48 | 00,000,943 | ---- | C] () -- C:\Windows\TATCALL.INI
[2009/12/04 19:19:48 | 00,000,277 | ---- | C] () -- C:\Windows\TATUNINS.INI
[2009/12/04 19:19:48 | 00,000,020 | ---- | C] () -- C:\Windows\TATVER.INI
[2009/12/04 19:19:31 | 00,000,099 | ---- | C] () -- C:\Windows\REDEMUNINS.INI
[2009/12/04 16:22:05 | 00,004,224 | R--- | C] () -- C:\Windows\SysWow64\drivers\REFILERW.SYS
[2009/08/03 00:21:54 | 00,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2009/08/03 00:21:54 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2009/08/03 00:21:52 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2009/08/03 00:21:52 | 00,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll
[2009/07/13 18:42:10 | 00,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 16:03:59 | 00,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll

========== LOP Check ==========

[2009/12/06 21:29:52 | 00,000,000 | ---D | M] -- C:\Users\Ali\AppData\Roaming\acccore
[2010/01/05 11:32:07 | 00,000,000 | ---D | M] -- C:\Users\Ali\AppData\Roaming\AVG9
[2010/01/07 20:11:20 | 00,000,000 | ---D | M] -- C:\Users\Ali\AppData\Roaming\Saba
[2009/12/06 22:25:42 | 00,000,000 | ---D | M] -- C:\Users\Ali\AppData\Roaming\TeamViewer
[2010/01/07 23:02:09 | 00,000,000 | ---D | M] -- C:\Users\Ali\AppData\Roaming\uTorrent
[2009/07/14 00:08:49 | 00,007,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/07/13 20:52:21 | 00,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\SysWow64\DriverStore\FileRepository\machine.inf_amd64_neutral_9e6bb86c3b39a3e9\AGP440.sys
[2009/07/13 20:52:21 | 00,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_1607dee2d861e021\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/07/13 20:52:21 | 00,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysWow64\DriverStore\FileRepository\mshdc.inf_amd64_neutral_a69a58a4286f0b22\atapi.sys
[2009/07/13 20:52:21 | 00,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/13 20:15:06 | 00,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
[2009/07/13 20:15:06 | 00,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
[2009/07/13 20:15:06 | 00,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
[2009/07/13 20:40:20 | 00,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\Windows\winsxs\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_4458dccc49458461\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2009/07/13 20:48:04 | 00,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\SysWow64\DriverStore\FileRepository\iastorv.inf_amd64_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/13 20:48:04 | 00,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_0b06441fa1790136\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/13 20:41:52 | 00,692,736 | ---- | M] (Microsoft Corporation) MD5=956D030D375F207B22FB111E06EF9C35 -- C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_59aca8ea51aaeefe\netlogon.dll
[2009/07/13 20:16:02 | 00,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\SysWOW64\netlogon.dll
[2009/07/13 20:16:02 | 00,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\SysWOW64\netlogon.dll
[2009/07/13 20:16:02 | 00,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_6401533c860bb0f9\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2009/07/13 20:45:45 | 00,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\SysWow64\DriverStore\FileRepository\nvraid.inf_amd64_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/13 20:45:45 | 00,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_95cfb4ced8afab0e\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/07/13 20:16:13 | 00,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\SysWOW64\scecli.dll
[2009/07/13 20:16:13 | 00,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\SysWOW64\scecli.dll
[2009/07/13 20:16:13 | 00,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9e577e55272d37b4\scecli.dll
[2009/07/13 20:41:53 | 00,232,448 | ---- | M] (Microsoft Corporation) MD5=398712DDDAEFB85EDF61DF6A07B65C79 -- C:\Windows\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9402d402f2cc75b9\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >
< End of report >


and the extras:

OTL Extras logfile created on: 1/7/2010 11:05:46 PM - Run 1
OTL by OldTimer - Version 3.1.21.1 Folder = C:\Users\Ali\Desktop
64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 931.41 Gb Total Space | 876.76 Gb Free Space | 94.13% Space Free | Partition Type: NTFS
Drive D: | 931.51 Gb Total Space | 861.41 Gb Free Space | 92.47% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 45.30 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 487.71 Mb Total Space | 5.23 Mb Free Space | 1.07% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ALI-PC
Current User Name: Ali
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~4\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~4\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 2.5.3
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{2FDBBCEA-62DB-45F4-B6E5-0E1FB2A1F29D}" = Visual C++ 8.0 Runtime Setup Package (x64)
"{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{7AEBFFF0-15A1-48A9-88F3-06604486C7C9}" = WMPTagSupportExtender
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002A-0000-1000-0000000FF1CE}_ENTERPRISE_{E64BA721-2310-4B55-BE5A-2925F9706192}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002A-0409-1000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0116-0409-1000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{C084BC61-E537-11DE-8616-005056806466}" = Google Earth
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM_7" = AIM 7
"AVG9Uninstall" = AVG 9.0
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"Ogg Codecs" = Ogg Codecs 0.81.15562
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Toshiba AutoTask" = Toshiba AutoTask
"uTorrent" = µTorrent
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/5/2010 3:24:47 PM | Computer Name = Ali-PC | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = Cryptographic Services failed while processing the OnIdentity() call
in the System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image
of binary SCDEmu. System Error: The system cannot find the file specified. .

Error - 1/5/2010 3:28:07 PM | Computer Name = Ali-PC | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = Cryptographic Services failed while processing the OnIdentity() call
in the System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image
of binary SCDEmu. System Error: The system cannot find the file specified. .

Error - 1/5/2010 3:28:10 PM | Computer Name = Ali-PC | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = Cryptographic Services failed while processing the OnIdentity() call
in the System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image
of binary SCDEmu. System Error: The system cannot find the file specified. .

Error - 1/5/2010 3:28:14 PM | Computer Name = Ali-PC | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = Cryptographic Services failed while processing the OnIdentity() call
in the System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image
of binary SCDEmu. System Error: The system cannot find the file specified. .

Error - 1/5/2010 3:31:32 PM | Computer Name = Ali-PC | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = Cryptographic Services failed while processing the OnIdentity() call
in the System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image
of binary SCDEmu. System Error: The system cannot find the file specified. .

Error - 1/5/2010 4:18:04 PM | Computer Name = Ali-PC | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = Cryptographic Services failed while processing the OnIdentity() call
in the System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image
of binary SCDEmu. System Error: The system cannot find the file specified. .

Error - 1/5/2010 4:34:52 PM | Computer Name = Ali-PC | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = Cryptographic Services failed while processing the OnIdentity() call
in the System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image
of binary SCDEmu. System Error: The system cannot find the file specified. .

Error - 1/7/2010 12:00:26 AM | Computer Name = Ali-PC | Source = Windows Backup | ID = 4103
Description =

Error - 1/7/2010 12:01:20 AM | Computer Name = Ali-PC | Source = Windows Backup | ID = 4103
Description =

Error - 1/7/2010 10:51:47 PM | Computer Name = Ali-PC | Source = Application Hang | ID = 1002
Description = The program Explorer.EXE version 6.1.7600.16404 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: b44 Start
Time: 01ca8fed29855982 Termination Time: 26 Application Path: C:\Windows\Explorer.EXE

Report Id: c0c99d52-fc00-11de-948c-00241d1d7eed

[ System Events ]
Error - 1/7/2010 10:43:56 PM | Computer Name = Ali-PC | Source = Service Control Manager | ID = 7031
Description = The Windows Driver Foundation - User-mode Driver Framework service
terminated unexpectedly. It has done this 2 time(s). The following corrective
action will be taken in 300000 milliseconds: Restart the service.

Error - 1/7/2010 10:47:44 PM | Computer Name = Ali-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR2.

Error - 1/7/2010 10:47:44 PM | Computer Name = Ali-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR2.

Error - 1/7/2010 10:47:45 PM | Computer Name = Ali-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR2.

Error - 1/7/2010 10:47:45 PM | Computer Name = Ali-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR2.

Error - 1/7/2010 10:47:46 PM | Computer Name = Ali-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR2.

Error - 1/7/2010 10:48:46 PM | Computer Name = Ali-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk2\DR3.

Error - 1/7/2010 10:48:56 PM | Computer Name = Ali-PC | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Desktop Window Manager Session
Manager service, but this action failed with the following error: %%1056

Error - 1/7/2010 11:23:36 PM | Computer Name = Ali-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the avg9wd service.

Error - 1/7/2010 11:37:03 PM | Computer Name = Ali-PC | Source = Service Control Manager | ID = 7031
Description = The AVG WatchDog service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 0 milliseconds: Restart
the service.


< End of report >


Many thanks to anyone who can help me out here.

Edited by terrorist96, 07 January 2010 - 10:14 PM.

  • 0


#2
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello terrorist96,

I wonder if MBAM has dealt with this. Unless I am missing something I don't see it in the OTL log.

Let's see if we can check that

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    svchost.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

Next

Kaspersky online scanner is very thorough. It can take a long time and for periods may seem not to be working. Just be patient and let it do its job.

Kaspersky works with Internet Explorer and Firefox 3. It uses Java Runtime Environment (JRE).

Go to Kaspersky website and perform an online antivirus scan.

Note: you will need to turn off your security programs to allow Kaspersky to do its job.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste that information in your next post.

So when you return please post
  • SystemLook.txt
  • Kaspersky scan results


  • 0

#3
terrorist96

terrorist96

    Member

  • Topic Starter
  • Member
  • 74 posts
Hi there. Thanks for helping me out. :)

Here's the System Look text:

SystemLook v1.0 by jpshortstuff (10.01.10)
Log created at 17:40 on 11/01/2010 by Ali (Administrator - Elevation successful)

========== filefind ==========

Searching for "svchost.exe"
C:\Windows\System32\svchost.exe --a--- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866
C:\Windows\SysWOW64\svchost.exe --a--- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866
C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe --a--- 27136 bytes [23:31 13/07/2009] [01:39 14/07/2009] C78655BC80301D76ED4FEF1C1EA40A7D
C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe --a--- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866

-=End Of File=-



I'm about to download Kaspersky right now. What's the best way to temporarily disable AVG Internet Security 9 without uninstalling it? The components within it are: Anti-Virus, Anti-Spyware, Anti-Spam, Firewall, LinkScanner, Anti-Rootkit, System Tools, E-mail Scanner, Identity Protection, License, Web Shield, Resident Shield and Update Manager.


Also, I think it might be worth mentioning that AVG scan doesn't detect svchost anymore. However, I looked in the Firewall and saw that it had blocked A LOT of svchost stuff.

Edited by terrorist96, 11 January 2010 - 05:13 PM.

  • 0

#4
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts

What's the best way to temporarily disable AVG Internet Security 9 without uninstalling it?


How to disable AVG's Resident Shield.

Right click the AVG icon and click Open.

In the Overview panel click on Resident Shield > Uncheck the Resident Shield Active box > Save Changes. :)
  • 0

#5
terrorist96

terrorist96

    Member

  • Topic Starter
  • Member
  • 74 posts
Done. Kaspersky updated and everything but didn't install or run anything. I had to manually click scan and now I have to choose one of the following to scan:

Critical areas

My Computer

Folder...

File...




What do I pick?


Never mind. I was thrown off cuz I never encountered the "install" or "run" step. It's scanning my computer right now.

Edited by terrorist96, 11 January 2010 - 06:01 PM.

  • 0

#6
terrorist96

terrorist96

    Member

  • Topic Starter
  • Member
  • 74 posts
Here ya go:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, January 11, 2010
Operating system: Microsoft (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, January 11, 2010 23:36:14
Records in database: 3299308
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 117651
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 00:56:25


File name / Threat / Threats count
G:\svchost.exe Infected: Worm.Win32.Carrier.mm 1
G:\autorun.inf Infected: Worm.Win32.Carrier.fk 1

Selected area has been scanned.



-------

My G:\ is just a 512 MB flash drive that I'm using for Ready-boost since I don't need it and I might as well use that little bit of memory.

Edited by terrorist96, 11 January 2010 - 07:12 PM.

  • 0

#7
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
I don't think this will work on your 64bit machine but I do think it will work on your G Drive.

Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.

After that run Kaspersky again. Shouldn't take so long this time. :)

#8
terrorist96

    Member

  • Topic Starter
  • Member
  • 74 posts
Well, I clicked on it, it asked me if I wanted to allow this program, I said yes, then I got a box that said it might not have been installed correctly and it gave me the choices of "reinstall with recommended settings" or "it's installed correctly". I chose the former and nothing happened. I tried to click on it again, I clicked yes, allow, then I got these two screens... It said they were both removed or healed in the end, I think.

I don't think Flash_Disinfector ever ran or installed. I don't see it on my Programs and Features page.


By the way, you wouldn't know how to remove an item from the right click context menu, would you? I have "open with GIMP" when I right click a picture. I uninstalled GIMP a while back and I read here http://www.tech-reci...r-context-menu/ how to but I don't know what to select. Here's a cap of that screen too.

Edited by terrorist96, 11 January 2010 - 08:32 PM.


#9
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts

I don't see it on my Programs and Features page.


No it won't show there.

then I got these two screens... It said they were both removed or healed in the end, I think.


If you clicked allow it might have run. Often our tools are picked up as false positives by anti-virus programs so, as you suggest, it may not have run.

Did you run Kaspersky again to see if those ones are still there?

By the way, you wouldn't know how to remove an item from the right click context menu, would you?


Unless you are an expert I would not recommend playing with your computer's registry.

We have lots of instances of people doing this and then coming here for us to try and pick up the pieces.

Why do you want to do that? Is there something particular you want to remove?

#10
terrorist96

    Member

  • Topic Starter
  • Member
  • 74 posts
Na, it's no big deal. I just wanted to remove the "Open with GIMP" option, as I stated in my last post. But it's no problem.

I'm doing the scan again right now. I still have the svchost though. My RAM is currently at 70% which is ridiculous. I have 4 GB of RAM and on the "Memory" tab of the Resource Monitor (like in my first post) svchost is still there using a lot of RAM, second only to Firefox. There are 4 Scanning Processes though - which I assume is from Kaspersky. But still, normally my RAM is at like 50% when it should be a whole lot lower.

The scan is finally done. Here it is:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, January 12, 2010
Operating system: Microsoft (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, January 12, 2010 03:44:31
Records in database: 3300183
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
E:\
G:\

Scan statistics:
Objects scanned: 116883
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 00:58:22


File name / Threat / Threats count
G:\svchost.exe Infected: Worm.Win32.Carrier.mm 1
G:\autorun.inf Infected: Worm.Win32.Carrier.fk 1

Selected area has been scanned.


Looks like it's still there. My external HDD was off cuz it likes to turn off whenever it feels like so it didn't scan that.

And what the f.. I now always have to select "Yes, allow this program to make changes on my computer" for when starting Firefox.

Edited by terrorist96, 11 January 2010 - 11:38 PM.

#11
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts

Looks like it's still there.


Let's see if this will do it. Make sure the G drive is attached, then do this:

Please run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :processes
    killallprocesses
    
    :Files
    G:\svchost.exe
    G:\autorun.inf
    
    :Commands
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.


#12
terrorist96

    Member

  • Topic Starter
  • Member
  • 74 posts
========== PROCESSES ==========
All processes killed
========== FILES ==========
File move failed. G:\svchost.exe scheduled to be moved on reboot.
G:\autorun.inf moved successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.1.24.0 log created on 01122010_125018

Files\Folders moved on Reboot...
File move failed. G:\svchost.exe scheduled to be moved on reboot.

Registry entries deleted on Reboot...



When I go on my G drive and change the folder options to view hidden files, the svchost is still there.

Couldn't I just format the drive? Since there's nothing there that I need.


Edited by terrorist96, 12 January 2010 - 11:56 AM.


#13
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts

Couldn't I just format the drive? Since there's nothing there that I need.


Yep, sounds like a good thing to do to me.

After that run Kaspersky again just to make sure.

We will then go to clearing away the tools we have been using. :)

#14
terrorist96

    Member

  • Topic Starter
  • Member
  • 74 posts
Alright, I formatted it, disabled Resident Shield on AVG and am running Kaspersky again. I don't see the svchost on my flash drive anymore but it's still in my resource monitor.

Here's the result of the scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, January 12, 2010
Operating system: Microsoft (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, January 12, 2010 19:41:47
Records in database: 3301412
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 116649
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 00:53:37

No threats found. Scanned area is clean.

Selected area has been scanned.


#15
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts

I don't see the svchost on my flash drive anymore but it's still in my resource monitor.


Yes, svchost is an essential system file and should not be removed. The ones we were removing though were trojans pretending to be the genuine thing.

We have a couple of last steps to perform and then you're all set.

Please go here to download OTC.

Run this program to remove the tools we have been using.

You will be asked to reboot the machine to finish the Cleanup process; choose Yes.

MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep.

Next, we need to clean your restore points and set a new one:

Please go here for directions on how to do this. You need to turn System Protection off to delete all old restore points, reboot and then turn System Protection back on to create a new restore point.

-------------------------------------------------------------------------------------------------------------------

A reminder: Remember to turn back on any anti-malware programs you may have turned off during the cleaning process.

-------------------------------------------------------------------------------------------------------------------

Now that your machine is clean here are some things that I think are worth having a look at if you don't already know about them:

---------------------------------------------------------------------------------------------------------------------

Regularly check that your Java is up to date. Older versions are vulnerable to malicious attack.
  • Download from here Java Runtime Environment (JDK) Update
  • Scroll to where it says "Windows XP/Vista/2000/2003/2008 online" and download and follow the instructions to install.

    Reboot your computer.
    You also need to uninstall older versions of Java.

  • Click Start > Control Panel > Programs
  • Remove all Java updates except the latest one you have just installed.
--------------------------------------------------------------------------------------------------------------------

Be sure and give the Temp folders a cleaning out now and then. This helps with security and your computer will run more efficiently. I clean mine once a week. For ease of use, you might consider the following free program:

--------------------------------------------------------------------------------------------------------------------

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* Consider using an alternate browser.

Opera may be downloaded from here. It is one of the least targeted of all browsers.

Avant may be downloaded from here. Another one that is less well known.

Firefox may be downloaded from here. I use Firefox because I like it. Used to be one of the safest but now targeted probably as much as IE.

NoScript is a good Add-on for Firefox that prevents execution of malicious scripts. Some people may find this intrusive. Actually, once you learn how easy it is to allow and disallow scripts (bottom right corner, right click on the red O with the S and red slash) it becomes easy.

-----------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:


An antivirus program is essential.

Here are a couple to choose from (these are also free for personal use):
  • Avast
  • AVIRA Note: AVIRA free comes with adware that promotes their paid for version each time it updates.
I like Avira but some people find the pop up advertisements each time it updates a bit trying.

A firewall is essential to help prevent hackers from infiltrating your computer.

Here are two good firewalls free for personal use:

Note: Do not use more than one anti-virus or firewall. Running two or more real-time anti-virus, anti-spyware and firewall monitors at the same time can cause a conflict. That conflict can result in slow computer performance, error messages, crashes of the programs or other types of failure. You will very likely end up with little or no protection.

Go here for some good advice about how to prevent infection.

Have a safe and happy computing day!
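Added example, not from the thread or from any tool it names: a small Python triage helper covering both the autorun.inf/svchost.exe pair found on G:\ in posts #7 and #11 and the point in post #15 that the genuine svchost.exe lives in the system directory while the removed copies only impersonated it. It parses an autorun.inf for the program it would launch, flags a svchost.exe outside System32/SysWOW64, and treats an autorun.inf folder (the placeholder Flash_Disinfector creates) as protective; the sample drive contents, the function names and the legitimate-directory set are all assumptions of this example.

```python
# Added example, not from the thread or from any tool named in it: triage checks for
# a worm-dropped autorun.inf on a removable drive and a svchost.exe outside System32.
import ntpath

# Directories the genuine Windows svchost.exe is loaded from (native and WOW64).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def svchost_verdict(image_path: str) -> str:
    """'ok' for svchost.exe under System32/SysWOW64, 'suspicious' anywhere else."""
    directory, name = ntpath.split(image_path)
    if name.lower() != "svchost.exe":
        return "not-svchost"
    return "ok" if directory.lower() in LEGIT_SVCHOST_DIRS else "suspicious"

def autorun_targets(inf_text: str) -> list:
    """Programs an autorun.inf would launch: open=, shellexecute= and any
    shell\\<verb>\\command= key in the [autorun] section, arguments dropped."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, value = (p.strip() for p in line.lower().split("=", 1))
            launcher = key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command"))
            if launcher and value and value.split()[0] not in targets:
                targets.append(value.split()[0])
    return targets

def triage_drive_root(root: str, entries: dict) -> list:
    """entries: lower-cased name in the drive root -> file text, or None for a folder."""
    findings = []
    if "autorun.inf" in entries:
        if entries["autorun.inf"] is None:  # Flash_Disinfector-style placeholder
            findings.append("autorun.inf is a folder: protective placeholder, not a launcher")
        else:
            for target in autorun_targets(entries["autorun.inf"]):
                state = "present" if target in entries else "missing"
                findings.append(f"autorun.inf launches {target} ({state} on drive)")
    for name in entries:
        if svchost_verdict(ntpath.join(root, name)) == "suspicious":
            findings.append(f"{ntpath.join(root, name)} is svchost.exe outside System32")
    return findings

# Constructed sample mirroring the thread's G:\ drive (not the real worm's file).
SAMPLE_G = {"autorun.inf": "[autorun]\r\nopen=svchost.exe\r\nshell\\open\\command=svchost.exe\r\n",
            "svchost.exe": "<binary placeholder>"}
```

Run `triage_drive_root("G:\\", SAMPLE_G)` to see the two findings a drive like the one in the thread produces; the same call against a freshly formatted drive returns an empty list.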
