22 Infections Including Trojan Downloaders - MSE Can't Clean


  • This topic is locked

#1
gku

  • Member
  • 16 posts
My weekly Microsoft Security Essentials scan ran this morning (Quick scan only). It turned up 6 items or so, of medium threat level, so I ran a full scan. The full scan identified 22 items, listed here, with their threat levels listed after them:

Adware:Win32/Midaddle High
TrojanDownloader:Win32/Agent.AB Severe
SoftwareBundler:Win32/KaZaA Medium
Adware:Win32/Altnet Medium
Adware:Win32/ABetterInternet.A High
BrowserModifier:Win32/ClearSearch High
Adware:Win32/Toprebates.C Medium
Adware:Win32/SEP Severe
Trojan:Win32/SecondThought Severe
TrojanDownloader:Win32/Small.TF Severe
Adware:Win32/Ebates.A High
Program:Win32/PowerRegScheduler Medium
Adware:Win32/WinFetcher Medium
Adware:Win32/TwainTech High
Adware:Win32/ABetterInternet.F High
BrowserModifier:Win32/Adstart Medium
Adware:Win32/Ezula.F High
Adware:Win32/Avenuemedia High
TrojanDropper:Win32/Agent.EC
Adware:Win32/StatBlaster High
Adware:Win32/Clickspring.C High
Trojan:Win32/VB.KQ Severe

I clicked the Clean button, and the green progress bar froze almost immediately at about 1/20th done. I waited for a few minutes, but since MSE said it would only take a few seconds, I used Task Manager to abort. I then repeated the scan, jotted down the list above from it (they didn't show in history, I'm guessing because I forced it to end), and tried the Clean again, this time giving it two hours. It got no further than before. At that point, I came to this site, and followed the Malware and Spyware Cleaning Guide. I ran TFC (Temp File Cleaner) and ERUNT without problems, and ran the quick MalwareBytes scan as instructed - it found no issues (log posted at very bottom, below the 2 OTL logs). I then saw that MSE was your top-recommended virus removal pick, so I ran another scan with it, rather than installing something else, with the same result - it stuck in the same place, given an hour and a half wait. I rebooted, then attempted to run GMER Rootkit Scanner. It popped up this error:

C:\Windows/system32\config\system: The system cannot find the file specified.

Perhaps because I'm running Win 7 64 bit? In any event, I couldn't get it to produce anything but that error. Lastly, I ran OTL. Here are the logs (I'll thank you here, in advance, so as not to intermingle log and text):

OTL logfile created on: 8/29/2010 2:34:14 PM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Users\Geoff\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

8.00 Gb Total Physical Memory | 4.00 Gb Available Physical Memory | 44.00% Memory free
16.00 Gb Paging File | 14.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 279.46 Gb Total Space | 163.96 Gb Free Space | 58.67% Space Free | Partition Type: NTFS
Drive D: | 409.17 Gb Total Space | 233.14 Gb Free Space | 56.98% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GEOFF-PC
Current User Name: Geoff
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Users\Geoff\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
PRC - C:\Program Files (x86)\Steam\Steam.exe (Valve Corporation)
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
PRC - C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
PRC - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
PRC - C:\Users\Geoff\AppData\Roaming\Dropbox\bin\Dropbox.exe ()
PRC - C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
PRC - C:\Program Files (x86)\ASUS\AI Manager\Page\iGear\GearHelp.exe (ASUSTeK Computer Inc.)
PRC - C:\Windows\SysWOW64\AsHookDevice.exe (ASUSTeK Computer Inc.)
PRC - C:\Program Files (x86)\ASUS\AI Manager\AsShellApplication.exe (ASUSTeK Computer Inc.)
PRC - C:\Program Files (x86)\ASUS\EPU-4 Engine\FourEngine.exe ()
PRC - C:\Program Files\Razer\Arctosa\razerhid.exe (Razer USA Ltd.)


========== Modules (SafeList) ==========

MOD - C:\Users\Geoff\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\SysWOW64\msscript.ocx (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV:64bit: - (MsMpSvc) -- C:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (DAUpdaterSvc) -- c:\Program Files (x86)\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe (BioWare)
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (Stereo Service) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (SeaPort) -- C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_64) -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (IntuitUpdateService) -- C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
SRV - (Device Handle Service) -- C:\Windows\SysWOW64\AsHookDevice.exe (ASUSTeK Computer Inc.)
SRV - (fsssvc) -- C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV:64bit: - (sptd) -- C:\Windows\SysNative\drivers\sptd.sys ()
DRV:64bit: - (VBoxNetAdp) -- C:\Windows\SysNative\drivers\VBoxNetAdp.sys (Sun Microsystems, Inc.)
DRV:64bit: - (MTsensor) -- C:\Windows\SysNative\drivers\ASACPI.sys ()
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (Ntfs) -- C:\Windows\SysNative\wbem\ntfs.mof ()
DRV:64bit: - (netr28x) -- C:\Windows\SysNative\drivers\netr28x.sys (Ralink Technology, Corp.)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (NVHDA) -- C:\Windows\SysNative\drivers\nvhda64v.sys (NVIDIA Corporation)
DRV:64bit: - (RTL8169) -- C:\Windows\SysNative\drivers\Rtlh64.sys (Realtek Corporation )
DRV:64bit: - (fssfltr) -- C:\Windows\SysNative\drivers\fssfltr.sys (Microsoft Corporation)
DRV - (ASInsHelp) -- C:\Windows\SysWOW64\drivers\AsInsHelp64.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.asus.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.asus.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 2F 56 1C 32 4E AA CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.startup.homepage: "http://highergroundp....com/index.cgi"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.2
FF - prefs.js..network.proxy.ftp: "168.94.74.68"
FF - prefs.js..network.proxy.ftp_port: 8080
FF - prefs.js..network.proxy.gopher: "168.94.74.68"
FF - prefs.js..network.proxy.gopher_port: 8080
FF - prefs.js..network.proxy.http: "168.94.74.68"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "168.94.74.68"
FF - prefs.js..network.proxy.socks_port: 8080
FF - prefs.js..network.proxy.ssl: "168.94.74.68"
FF - prefs.js..network.proxy.ssl_port: 8080


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/08/03 07:40:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/08/03 07:40:47 | 000,000,000 | ---D | M]

[2010/02/12 08:10:37 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Mozilla\Extensions
[2010/08/27 19:43:33 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Mozilla\Firefox\Profiles\er7d5gp3.default\extensions
[2010/08/20 19:51:07 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Geoff\AppData\Roaming\Mozilla\Firefox\Profiles\er7d5gp3.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/02/14 08:12:26 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/02/13 20:13:50 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

O1 HOSTS File: ([2006/09/18 14:37:24 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2:64bit: - BHO: (Windows Live Family Safety Browser Helper Class) - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Foxit Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
O4:64bit: - HKLM..\Run: [MSSE] C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Arctosa] C:\Program Files\Razer\Arctosa\razerhid.exe (Razer USA Ltd.)
O4 - HKLM..\Run: [RunAIShell] C:\Program Files (x86)\ASUS\AI Manager\AsShellApplication.exe (ASUSTeK Computer Inc.)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [Steam] C:\Program Files (x86)\Steam\Steam.exe (Valve Corporation)
O4 - Startup: C:\Users\Geoff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Geoff\AppData\Roaming\Dropbox\bin\Dropbox.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O24 - Desktop WallPaper: C:\Windows\web\Wallpaper\img23.jpg
O24 - Desktop BackupWallPaper: C:\Windows\web\Wallpaper\img23.jpg
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{02168669-503a-11df-8184-00248ce68ba9}\Shell - "" = AutoRun
O33 - MountPoints2\{02168669-503a-11df-8184-00248ce68ba9}\Shell\AutoRun\command - "" = H:\Autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 90 Days ==========

[2010/08/29 14:33:22 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Geoff\Desktop\OTL.exe
[2010/08/29 08:21:39 | 000,000,000 | ---D | C] -- C:\Users\Geoff\AppData\Roaming\Malwarebytes
[2010/08/29 08:21:25 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/08/29 08:21:23 | 000,024,664 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/08/29 08:21:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/08/29 08:21:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/08/29 08:19:34 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/08/29 08:18:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
[2010/08/29 08:10:49 | 000,000,000 | ---D | C] -- C:\Users\Geoff\Desktop\Malware and Spyware Cleaning Guide - Geeks to Go Forums_files
[2010/08/26 21:48:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\BioWare
[2010/08/26 21:47:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Dragon Age Origins Character Creator
[2010/08/26 06:36:45 | 000,000,000 | ---D | C] -- C:\ProgramData\BioWare
[2010/08/26 06:36:22 | 000,000,000 | ---D | C] -- C:\Users\Geoff\AppData\Roaming\NVIDIA
[2010/08/25 17:59:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NVIDIA Corporation
[2010/08/25 17:51:23 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA Corporation
[2010/08/25 17:51:19 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2010/08/25 13:29:36 | 000,000,000 | ---D | C] -- C:\Users\Geoff\Desktop\More kittens
[2010/08/25 13:29:36 | 000,000,000 | ---D | C] -- C:\Users\Geoff\Desktop\2004_09_15
[2010/08/25 13:29:36 | 000,000,000 | ---D | C] -- C:\Users\Geoff\Desktop\2004_09_14
[2010/08/25 12:58:11 | 000,000,000 | ---D | C] -- C:\Users\Geoff\Desktop\Law School Stuff from Old Computer
[2010/08/14 19:06:45 | 000,000,000 | ---D | C] -- C:\Users\Geoff\AppData\Local\Electronic Arts
[2010/08/14 18:54:19 | 000,000,000 | ---D | C] -- C:\Users\Geoff\Documents\Electronic Arts
[2010/08/14 18:54:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Electronic Arts
[2010/08/11 17:09:12 | 000,000,000 | ---D | C] -- C:\Users\Geoff\Documents\StarCraft II
[2010/08/11 17:09:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\StarCraft II
[2010/08/11 17:09:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Blizzard Entertainment
[2010/08/11 17:09:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Blizzard Entertainment
[2010/07/16 18:03:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\directx
[2010/07/16 18:00:10 | 000,000,000 | ---D | C] -- C:\DeusEx
[2010/07/10 05:38:00 | 000,065,128 | ---- | C] (Khronos Group) -- C:\Windows\SysNative\OpenCL.dll
[2010/07/10 05:38:00 | 000,056,936 | ---- | C] (Khronos Group) -- C:\Windows\SysWow64\OpenCL.dll
[2010/06/30 03:00:36 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Antimalware
[2010/06/25 03:01:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft.NET

========== Files - Modified Within 90 Days ==========

[2010/08/29 14:37:45 | 001,835,008 | -HS- | M] () -- C:\Users\Geoff\NTUSER.DAT
[2010/08/29 14:32:05 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Geoff\Desktop\OTL.exe
[2010/08/29 14:26:06 | 000,009,728 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/08/29 14:26:06 | 000,009,728 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/08/29 14:23:43 | 000,726,316 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/08/29 14:23:43 | 000,623,940 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/08/29 14:23:43 | 000,106,316 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/08/29 14:18:18 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/08/29 14:18:00 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/08/29 14:17:48 | 2146,787,327 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/29 14:09:07 | 002,421,046 | -H-- | M] () -- C:\Users\Geoff\AppData\Local\IconCache.db
[2010/08/29 09:02:43 | 000,293,376 | ---- | M] () -- C:\Users\Geoff\Desktop\gmer.exe
[2010/08/29 08:21:28 | 000,001,017 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/29 08:18:34 | 000,000,932 | ---- | M] () -- C:\Users\Geoff\Desktop\NTREGOPT.lnk
[2010/08/29 08:18:34 | 000,000,913 | ---- | M] () -- C:\Users\Geoff\Desktop\ERUNT.lnk
[2010/08/29 08:10:57 | 000,097,396 | ---- | M] () -- C:\Users\Geoff\Desktop\Malware and Spyware Cleaning Guide - Geeks to Go Forums.htm
[2010/08/27 21:38:27 | 000,013,042 | ---- | M] () -- C:\Users\Geoff\Desktop\Blessed Weapons.zip
[2010/08/26 21:48:33 | 000,001,256 | ---- | M] () -- C:\Users\Public\Desktop\Dragon Age Origins Character Creator.lnk
[2010/08/25 18:11:44 | 000,000,221 | ---- | M] () -- C:\Users\Geoff\Desktop\Dragon Age Origins.url
[2010/08/25 13:20:38 | 005,780,037 | ---- | M] () -- C:\Users\Geoff\Desktop\HG_Jan_05.7z
[2010/08/14 18:59:24 | 000,002,077 | ---- | M] () -- C:\Users\Public\Desktop\Dead Space™.lnk
[2010/08/14 10:22:10 | 000,001,167 | ---- | M] () -- C:\Users\Geoff\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2010/08/14 10:22:10 | 000,001,143 | ---- | M] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2010/08/13 03:20:29 | 000,345,368 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/08/13 03:03:33 | 000,001,143 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Works.lnk
[2010/08/11 17:22:03 | 000,001,442 | ---- | M] () -- C:\Users\Geoff\Desktop\StarCraft II.exe - Shortcut.lnk
[2010/08/02 14:43:45 | 000,090,163 | ---- | M] () -- C:\Users\Geoff\Desktop\1stegg.JPG
[2010/07/10 05:38:00 | 000,065,128 | ---- | M] (Khronos Group) -- C:\Windows\SysNative\OpenCL.dll
[2010/07/10 05:38:00 | 000,056,936 | ---- | M] (Khronos Group) -- C:\Windows\SysWow64\OpenCL.dll
[2010/07/09 15:38:00 | 000,012,264 | ---- | M] () -- C:\Windows\SysNative\nvinfo.pb
[2010/06/30 03:00:27 | 000,001,039 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Security Essentials.lnk
[2010/06/13 12:30:14 | 002,354,516 | ---- | M] () -- C:\Users\Geoff\Desktop\DnYak.JPG
[2010/06/02 15:55:51 | 000,001,445 | ---- | M] () -- C:\Users\Public\Desktop\Star Wars - Knights of the Old Republic II - The Sith Lords.lnk

========== Files Created - No Company Name ==========

[2010/08/29 08:21:28 | 000,001,017 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/29 08:18:34 | 000,000,932 | ---- | C] () -- C:\Users\Geoff\Desktop\NTREGOPT.lnk
[2010/08/29 08:18:33 | 000,000,913 | ---- | C] () -- C:\Users\Geoff\Desktop\ERUNT.lnk
[2010/08/29 08:10:48 | 000,097,396 | ---- | C] () -- C:\Users\Geoff\Desktop\Malware and Spyware Cleaning Guide - Geeks to Go Forums.htm
[2010/08/27 21:38:26 | 000,013,042 | ---- | C] () -- C:\Users\Geoff\Desktop\Blessed Weapons.zip
[2010/08/26 21:48:33 | 000,001,256 | ---- | C] () -- C:\Users\Public\Desktop\Dragon Age Origins Character Creator.lnk
[2010/08/25 18:11:44 | 000,000,221 | ---- | C] () -- C:\Users\Geoff\Desktop\Dragon Age Origins.url
[2010/08/25 13:22:32 | 2867,035,986 | ---- | C] () -- C:\Users\Geoff\Desktop\Documents and Settings.rar
[2010/08/25 13:20:09 | 005,780,037 | ---- | C] () -- C:\Users\Geoff\Desktop\HG_Jan_05.7z
[2010/08/25 13:18:57 | 109,909,710 | ---- | C] () -- C:\Users\Geoff\Desktop\Path of Ascension CEP Epic.mod
[2010/08/14 18:59:24 | 000,002,077 | ---- | C] () -- C:\Users\Public\Desktop\Dead Space™.lnk
[2010/08/14 10:22:10 | 000,001,167 | ---- | C] () -- C:\Users\Geoff\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2010/08/14 10:22:10 | 000,001,143 | ---- | C] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2010/08/13 03:03:33 | 000,001,143 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft Works.lnk
[2010/08/11 17:22:03 | 000,001,442 | ---- | C] () -- C:\Users\Geoff\Desktop\StarCraft II.exe - Shortcut.lnk
[2010/08/02 14:43:43 | 000,090,163 | ---- | C] () -- C:\Users\Geoff\Desktop\1stegg.JPG
[2010/06/13 12:29:48 | 002,354,516 | ---- | C] () -- C:\Users\Geoff\Desktop\DnYak.JPG
[2010/06/02 17:51:25 | 000,012,264 | ---- | C] () -- C:\Windows\SysNative\nvinfo.pb
[2010/06/02 15:55:51 | 000,001,445 | ---- | C] () -- C:\Users\Public\Desktop\Star Wars - Knights of the Old Republic II - The Sith Lords.lnk
[2010/02/14 07:40:21 | 000,000,600 | ---- | C] () -- C:\Users\Geoff\AppData\Local\PUTTY.RND
[2010/02/13 21:47:27 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/02/13 07:44:37 | 000,000,134 | ---- | C] () -- C:\Users\Geoff\AppData\Roaming\wklnhst.dat
[2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 14:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/05/15 16:35:10 | 000,221,184 | ---- | C] () -- C:\Windows\SysWow64\drivers\ServiceHelp.dll
[2009/05/15 16:34:26 | 000,024,576 | ---- | C] () -- C:\Windows\SysWow64\AsIO.dll
[2009/05/15 16:34:26 | 000,013,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsIO.sys
[2009/05/15 16:34:24 | 000,011,832 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsInsHelp64.sys
[2009/05/15 16:34:24 | 000,010,216 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsInsHelp32.sys
[2009/05/15 16:30:45 | 000,001,746 | ---- | C] () -- C:\Windows\Language_trs.ini
[2009/05/15 16:13:43 | 000,026,261 | ---- | C] () -- C:\Windows\Ascd_log.ini
[2009/05/15 16:13:32 | 000,019,853 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2007/12/28 08:22:02 | 000,010,296 | ---- | C] () -- C:\Windows\SysWow64\drivers\ASUSHWIO.SYS

========== LOP Check ==========

[2010/04/23 21:20:47 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\CreeperWorld
[2010/04/23 21:17:57 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\CreeperWorldDEMO.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
[2010/04/25 00:20:25 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\DAEMON Tools Lite
[2010/08/29 14:18:56 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Dropbox
[2010/02/13 21:15:45 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\FileZilla
[2010/02/13 20:14:24 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Foxit
[2010/04/23 00:53:57 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\gtk-2.0
[2010/02/14 16:05:48 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Leadertech
[2010/03/18 23:45:21 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\runic games
[2010/02/14 08:16:54 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Subversion
[2010/02/27 01:42:57 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Template
[2010/08/14 19:58:08 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\uTorrent
[2009/07/13 22:08:49 | 000,018,890 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009/07/13 18:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr
[2010/02/10 06:17:25 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2010/08/29 14:17:48 | 2146,787,327 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/29 14:17:56 | 4294,041,599 | -HS- | M] () -- C:\pagefile.sys
[2009/05/15 16:18:44 | 000,001,701 | ---- | M] () -- C:\RHDSetup.log
[2009/05/15 16:24:18 | 000,000,087 | ---- | M] () -- C:\setup.log

< %systemroot%\Fonts\*.com >
[2009/07/13 22:32:31 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2009/07/13 22:32:31 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2009/07/13 22:32:31 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2009/07/13 22:32:31 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009/06/10 13:49:50 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2008/12/04 22:55:20 | 000,307,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >
[2010/08/20 19:50:13 | 000,001,686 | -HS- | M] () -- C:\Users\Geoff\AppData\Roaming\Microsoft\LastFlashConfig.wfc

< %PROGRAMFILES%\*.* >
[2009/07/13 21:54:24 | 000,000,174 | -HS- | M] () -- C:\Program Files (x86)\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2010/02/10 04:33:34 | 000,000,221 | -HS- | M] () -- C:\Users\Geoff\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop (1).ini
[2010/02/10 05:39:35 | 000,000,221 | -HS- | M] () -- C:\Users\Geoff\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

< %USERPROFILE%\Desktop\*.exe >
[2010/08/29 09:02:43 | 000,293,376 | ---- | M] () -- C:\Users\Geoff\Desktop\gmer.exe
[2010/08/29 14:32:05 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Geoff\Desktop\OTL.exe
[2010/02/13 22:34:18 | 020,565,723 | ---- | M] (IDM Computer Solutions, Inc.) -- C:\Users\Geoff\Desktop\UltraEdit Text Editor.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >
[2009/06/10 14:20:04 | 000,000,802 | ---- | M] () -- C:\Windows\addins\FXSEXT.ecf

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >
[2010/08/25 18:00:32 | 000,008,192 | ---- | M] () -- C:\Windows\security\database\edb.chk
[2010/08/25 18:00:32 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edb.log
[2010/08/25 18:00:32 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00001.jrs
[2010/08/25 18:00:32 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00002.jrs
[2010/08/25 18:00:32 | 000,786,432 | ---- | M] () -- C:\Windows\security\database\edbtmp.log
[2010/08/25 18:00:32 | 001,056,768 | ---- | M] () -- C:\Windows\security\database\tmp.edb

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2010/08/03 03:18:18 | 000,000,402 | -HS- | M] () -- C:\Users\Geoff\Favorites\desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
< End of report >



OTL Extras logfile created on: 8/29/2010 2:34:14 PM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Users\Geoff\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

8.00 Gb Total Physical Memory | 4.00 Gb Available Physical Memory | 44.00% Memory free
16.00 Gb Paging File | 14.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 279.46 Gb Total Space | 163.96 Gb Free Space | 58.67% Space Free | Partition Type: NTFS
Drive D: | 409.17 Gb Total Space | 233.14 Gb Free Space | 56.98% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GEOFF-PC
Current User Name: Geoff
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Minimal
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" File not found
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files (x86)\FlashFXP\FlashFXP.exe" = C:\Program Files (x86)\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3 -- File not found
"C:\Program Files (x86)\FlashFXP\FlashFXP.exe" = C:\Program Files (x86)\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files (x86)\FlashFXP\FlashFXP.exe" = C:\Program Files (x86)\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3 -- File not found
"C:\Program Files (x86)\FlashFXP\FlashFXP.exe" = C:\Program Files (x86)\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3 -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{23170F69-40C1-2702-0465-000001000000}" = 7-Zip 4.65 (x64 edition)
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{48B0F24F-B828-4B1A-A22E-C65454B32A7A}" = Windows Live Family Safety
"{70AC9B8B-5DC4-4E5E-964B-2A695D157FCB}" = Sun VirtualBox
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95C9C76F-ECF3-40FA-94F8-5DDFB6BAF40D}" = Microsoft Security Essentials
"{9F313496-82E8-4A99-9D4C-311531023746}" = TortoiseSVN 1.6.7.18415 (64 bit)
"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Essentials" = Microsoft Security Essentials
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{020D8396-D6D9-4B53-A9A1-83C47E2E27AA}" = Windows Live Call
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{06E6E30D-B498-442F-A943-07DE41D7F785}" = Microsoft Search Enhancement Pack
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{2208D65A-1BF9-485E-A308-1BA6CADCDC1D}" = Windows Live Movie Maker Beta
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2B4C7E1E-E446-4740-ADB5-9842E742EE8A}" = Windows Live Toolbar
"{2D9C81F2-CF30-47F9-860E-58DACF92ABC9}" = Razer Arctosa
"{35D5A740-EAA2-012B-AD08-000000000000}" = TurboTax 2009 waziper
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
"{4AF95DE2-B54D-4C3F-9494-FD3B558E2C2D}" = AI Manager
"{4D87DC92-C328-46EC-A7B4-9C88129DC696}" = Dead Space™
"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8A809006-C25A-4A3A-9DAB-94659BCDB107}" = NVIDIA PhysX
"{8F66047B-1AF3-40D9-80D7-106E2EDC2C2A}" = EPU-4 Engine
"{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}" = Azurewave Wireless LAN Card
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = iSEEK AnswerWorks English Runtime
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{AC76BA86-7AD7-1033-7B44-A81100000003}" = Adobe Reader 8.1.1
"{B09B47DC-8775-9A6D-C482-1265E615E87D}" = Creeper World DEMO
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C1583439-B034-4881-819C-D52A0587662B}" = Neverwinter Nights
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D3F80A98-05AB-4D8C-9272-766CCFA6A48D}" = THE SETTLERS - Rise of an Empire
"{D8B5B7C3-47B1-40FA-8251-59C74A543880}" = Dragon Age: Origins Character Creator
"{D9D754A1-EAC5-406C-A28B-C49B1E846711}" = Windows Live Essentials
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
"{F73A5B18-EB75-4B2C-B32D-9457576E2417}" = Windows Live Photo Gallery
"{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}" = Windows Live Sync
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Ask Toolbar_is1" = Foxit Toolbar
"CreeperWorldDEMO.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1" = Creeper World DEMO
"ERUNT_is1" = ERUNT 1.1j
"Fallout 2 Restoration Project_is1" = FO2 Restoration Project 2.0
"Fallout2" = Fallout2
"FileZilla Client" = FileZilla Client 3.3.1
"Foxit Reader" = Foxit Reader
"GameSpy Arcade" = GameSpy Arcade
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"mIRC" = mIRC
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"PuTTY_is1" = PuTTY version 0.60
"Runic Games Torchlight" = Torchlight
"Sid Meier's Alpha Centauri" = Sid Meier's Alpha Centauri
"Star Wars: Knights of the Old Republic II - The ~0219FD26_is1" = Star Wars®: Knights of the Old Republic ™ II: The Sith Lords
"Star Wars: Knights of the Old Republic_is1" = Star Wars®: Knights of the Old Republic ™
"StarCraft II" = StarCraft II
"Steam App 17450" = Dragon Age: Origins
"TurboTax 2009" = TurboTax 2009
"uTorrent" = µTorrent
"WinGimp-2.0_is1" = GIMP 2.6.8
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinMerge_is1" = WinMerge 2.12.4
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/4/2010 8:53:12 PM | Computer Name = Geoff-PC | Source = Application Error | ID = 1000
Description = Faulting application name: YahooMessenger.exe, version: 10.0.0.1102,
time stamp: 0x4af9f8ef Faulting module name: MSVCR80.dll, version: 8.0.50727.4927,
time stamp: 0x4a2752ff Exception code: 0xc000000d Fault offset: 0x00008aa0 Faulting
process id: 0x9c0 Faulting application start time: 0x01cb3433397d3390 Faulting application
path: C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe Faulting module
path: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4927_none_d08a205e442db5b5\MSVCR80.dll
Report
Id: d1fc6e68-a02b-11df-a135-00248ce68ba9

Error - 8/5/2010 3:30:12 AM | Computer Name = Geoff-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\Program Files (x86)\Common
Files\Adobe AIR\Versions\1.0\Adobe AIR.dll".Error in manifest or policy file "c:\Program
Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll" on line 3. The value
"MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute
"version" in element "assemblyIdentity" is invalid.

Error - 8/6/2010 12:21:32 AM | Computer Name = Geoff-PC | Source = Application Error | ID = 1000
Description = Faulting application name: YahooMessenger.exe, version: 10.0.0.1102,
time stamp: 0x4af9f8ef Faulting module name: ymsdk.dll_unloaded, version: 0.0.0.0,
time stamp: 0x4af9f9b4 Exception code: 0xc0000005 Fault offset: 0x6103432d Faulting
process id: 0x108c Faulting application start time: 0x01cb34cd2503e616 Faulting application
path: C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe Faulting module
path: ymsdk.dll Report Id: 17186ac3-a112-11df-a135-00248ce68ba9

Error - 8/6/2010 3:30:12 AM | Computer Name = Geoff-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\Program Files (x86)\Common
Files\Adobe AIR\Versions\1.0\Adobe AIR.dll".Error in manifest or policy file "c:\Program
Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll" on line 3. The value
"MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute
"version" in element "assemblyIdentity" is invalid.

Error - 8/7/2010 8:07:45 PM | Computer Name = Geoff-PC | Source = Application Error | ID = 1000
Description = Faulting application name: YahooMessenger.exe, version: 10.0.0.1102,
time stamp: 0x4af9f8ef Faulting module name: MSVCR80.dll, version: 8.0.50727.4927,
time stamp: 0x4a2752ff Exception code: 0xc000000d Fault offset: 0x00008aa0 Faulting
process id: 0x598 Faulting application start time: 0x01cb35717afe2984 Faulting application
path: C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe Faulting module
path: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4927_none_d08a205e442db5b5\MSVCR80.dll
Report
Id: f7df640d-a280-11df-a135-00248ce68ba9

Error - 8/7/2010 9:21:38 PM | Computer Name = Geoff-PC | Source = Application Error | ID = 1000
Description = Faulting application name: YahooMessenger.exe, version: 10.0.0.1102,
time stamp: 0x4af9f8ef Faulting module name: MSVCR80.dll, version: 8.0.50727.4927,
time stamp: 0x4a2752ff Exception code: 0xc000000d Fault offset: 0x00008aa0 Faulting
process id: 0xd24 Faulting application start time: 0x01cb36918e61dcb1 Faulting application
path: C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe Faulting module
path: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4927_none_d08a205e442db5b5\MSVCR80.dll
Report
Id: 4a1466f9-a28b-11df-a135-00248ce68ba9

Error - 8/8/2010 3:33:00 AM | Computer Name = Geoff-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\Program Files (x86)\Common
Files\Adobe AIR\Versions\1.0\Adobe AIR.dll".Error in manifest or policy file "c:\Program
Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll" on line 3. The value
"MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute
"version" in element "assemblyIdentity" is invalid.

Error - 8/9/2010 3:30:12 AM | Computer Name = Geoff-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\Program Files (x86)\Common
Files\Adobe AIR\Versions\1.0\Adobe AIR.dll".Error in manifest or policy file "c:\Program
Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll" on line 3. The value
"MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute
"version" in element "assemblyIdentity" is invalid.

Error - 8/9/2010 3:30:31 AM | Computer Name = Geoff-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 8/9/2010 10:46:22 AM | Computer Name = Geoff-PC | Source = Application Error | ID = 1000
Description = Faulting application name: YahooMessenger.exe, version: 10.0.0.1102,
time stamp: 0x4af9f8ef Faulting module name: MSVCR80.dll, version: 8.0.50727.4927,
time stamp: 0x4a2752ff Exception code: 0xc000000d Fault offset: 0x00008aa0 Faulting
process id: 0x1018 Faulting application start time: 0x01cb36bf67a6b8a5 Faulting application
path: C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe Faulting module
path: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4927_none_d08a205e442db5b5\MSVCR80.dll
Report
Id: dfecfab3-a3c4-11df-a135-00248ce68ba9

[ System Events ]
Error - 8/29/2010 5:51:43 AM | Computer Name = Geoff-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Dragon
Age: Origins - Content Updater service to connect.

Error - 8/29/2010 5:52:13 AM | Computer Name = Geoff-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the Browser service.

Error - 8/29/2010 5:52:13 AM | Computer Name = Geoff-PC | Source = Service Control Manager | ID = 7000
Description = The Computer Browser service failed to start due to the following
error: %%1053

Error - 8/29/2010 5:52:43 AM | Computer Name = Geoff-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Dragon
Age: Origins - Content Updater service to connect.

Error - 8/29/2010 5:53:05 AM | Computer Name = Geoff-PC | Source = Service Control Manager | ID = 7022
Description = The Windows Update service hung on starting.

Error - 8/29/2010 5:53:13 AM | Computer Name = Geoff-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the Browser service.

Error - 8/29/2010 5:53:13 AM | Computer Name = Geoff-PC | Source = Service Control Manager | ID = 7000
Description = The Computer Browser service failed to start due to the following
error: %%1053

Error - 8/29/2010 5:53:43 AM | Computer Name = Geoff-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the Appinfo service.

Error - 8/29/2010 5:53:43 AM | Computer Name = Geoff-PC | Source = Service Control Manager | ID = 7000
Description = The Application Information service failed to start due to the following
error: %%1053

Error - 8/29/2010 11:13:18 AM | Computer Name = Geoff-PC | Source = Service Control Manager | ID = 7034
Description = The Device Handle Service service terminated unexpectedly. It has
done this 1 time(s).


< End of report >



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4502

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

8/29/2010 8:27:52 AM
mbam-log-2010-08-29 (08-27-52).txt

Scan type: Quick scan
Objects scanned: 130053
Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#2
BlackOxide

    Trusted Helper

  • Malware Removal
  • 1,976 posts
Hi, gku! Welcome to GeeksToGo! My name is BlackOxide and I will be assisting you with your Malware/Security problems. Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out :)

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just in case you are unable to access this site.

Please note:
  • I am currently in training, so my replies will need to be quickly checked before I post them to you, so there may be a small delay in between.
  • Remember to post your logs, not attach them. So, any logs from any programs we run, should be just 'copied & pasted' into your reply.
  • Please only run the tools that I request. I know malware can be frustrating but running other tools in the meantime and between posts, only makes it harder for us to analyse and fix your PC in the long run.

OK, let's start :)


First of all, let's get a fresh OTL scan done as the last one was a few days ago, then we'll go from there :)

Please do the following...


OTL Quick Scan
  • Double click on the OTL icon to run it.
  • When the window appears, underneath Output at the top, make sure Standard Output is selected.
  • Copy and Paste the following into the Custom Scans/Fixes box at the bottom.

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a Notepad window.
  • Please post the contents of this log.


In your next reply
Please post the contents of...
OTL log

#3
Funky

    New Member

  • Member
  • 6 posts
Thanks for taking the time to help. :) It's been an interesting few days - when I tried to log in to reply to this, my login was blocked somehow - it said the login was accepted, like it did on the other two computers in the house, but then booted me out to the 'logged out' version of the forum page, instead of logging me in.

I now suspect this is the work of someone phishing for info - I was contacted via Yahoo last night by someone who tried to get me to go to a website and 'take an IQ test' - the person wasn't acting like themselves at all (and last time I spoke with them they were terminally ill). Here is the link to the page, should it be relevant - I didn't click on it, obviously: xwww.showinvite.net/ju35 (minus the leading 'x'). Curiously, my computer, which has been horribly slow since this infection began, has been much faster since I told them that I wouldn't be opening anything with it until my virus was resolved. I'll be changing all my passwords using another computer, regardless.

Anyhow, here's the log you requested - thank you again for your help. :)



OTL logfile created on: 9/1/2010 4:31:07 PM - Run 2
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Users\Geoff\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

8.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 6.00% Memory free
16.00 Gb Paging File | 14.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 279.46 Gb Total Space | 164.27 Gb Free Space | 58.78% Space Free | Partition Type: NTFS
Drive D: | 409.17 Gb Total Space | 233.14 Gb Free Space | 56.98% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GEOFF-PC
Current User Name: Geoff
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/08/30 16:46:24 | 000,407,336 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe
PRC - [2010/08/29 14:32:05 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Geoff\Desktop\OTL.exe
PRC - [2010/08/24 19:04:56 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Steam\Steam.exe
PRC - [2010/08/03 07:40:45 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2010/07/09 16:09:52 | 000,248,936 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2010/05/14 11:00:26 | 000,249,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2010/04/01 02:16:20 | 000,357,696 | ---- | M] (DT Soft Ltd) -- C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
PRC - [2010/02/25 22:10:20 | 021,979,992 | ---- | M] () -- C:\Users\Geoff\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2009/09/29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2009/08/21 11:47:34 | 000,411,648 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files (x86)\ASUS\AI Manager\Page\iGear\GearHelp.exe
PRC - [2009/08/19 21:55:40 | 000,196,608 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Windows\SysWOW64\AsHookDevice.exe
PRC - [2009/08/19 21:37:26 | 000,225,280 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files (x86)\ASUS\AI Manager\AsShellApplication.exe
PRC - [2009/03/31 01:37:40 | 005,748,736 | ---- | M] () -- C:\Program Files (x86)\ASUS\EPU-4 Engine\FourEngine.exe
PRC - [2008/10/06 07:03:04 | 000,147,456 | ---- | M] (Razer USA Ltd.) -- C:\Program Files\Razer\Arctosa\razerhid.exe


========== Modules (SafeList) ==========

MOD - [2010/08/29 14:32:05 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Geoff\Desktop\OTL.exe
MOD - [2009/07/13 18:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx
MOD - [2009/07/13 18:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/03/25 23:48:42 | 000,017,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2009/07/13 18:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2010/08/30 16:46:24 | 000,407,336 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/08/25 18:26:06 | 000,025,832 | ---- | M] (BioWare) [On_Demand | Running] -- c:\Program Files (x86)\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2010/07/09 16:09:52 | 000,248,936 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2010/05/14 11:00:26 | 000,249,136 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2010/03/18 14:27:14 | 000,138,576 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_64)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/09/29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2009/08/19 21:55:40 | 000,196,608 | ---- | M] (ASUSTeK Computer Inc.) [Auto | Running] -- C:\Windows\SysWOW64\AsHookDevice.exe -- (Device Handle Service)
SRV - [2008/12/08 17:01:58 | 000,533,344 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2010/04/25 00:10:47 | 000,834,544 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)
DRV:64bit: - [2010/02/12 20:30:26 | 000,145,360 | ---- | M] (Sun Microsystems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VBoxNetAdp.sys -- (VBoxNetAdp)
DRV:64bit: - [2009/07/16 11:38:40 | 000,015,416 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)
DRV:64bit: - [2009/07/13 18:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 18:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 18:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 18:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 18:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 18:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 13:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 13:35:35 | 000,620,544 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\netr28x.sys -- (netr28x)
DRV:64bit: - [2009/06/10 13:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 13:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 13:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 13:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/04/28 22:43:34 | 000,081,440 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2009/01/20 07:49:48 | 000,195,584 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rtlh64.sys -- (RTL8169)
DRV:64bit: - [2008/12/08 17:35:52 | 000,061,792 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
DRV - [2008/01/04 13:34:48 | 000,011,832 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysWOW64\drivers\AsInsHelp64.sys -- (ASInsHelp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.asus.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.asus.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 2F 56 1C 32 4E AA CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.startup.homepage: "http://highergroundp....com/index.cgi"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.2
FF - prefs.js..network.proxy.ftp: "168.94.74.68"
FF - prefs.js..network.proxy.ftp_port: 8080
FF - prefs.js..network.proxy.gopher: "168.94.74.68"
FF - prefs.js..network.proxy.gopher_port: 8080
FF - prefs.js..network.proxy.http: "168.94.74.68"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "168.94.74.68"
FF - prefs.js..network.proxy.socks_port: 8080
FF - prefs.js..network.proxy.ssl: "168.94.74.68"
FF - prefs.js..network.proxy.ssl_port: 8080


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/08/03 07:40:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/08/03 07:40:47 | 000,000,000 | ---D | M]

[2010/02/12 08:10:37 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Mozilla\Extensions
[2010/09/01 13:45:39 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Mozilla\Firefox\Profiles\er7d5gp3.default\extensions
[2010/08/20 19:51:07 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Geoff\AppData\Roaming\Mozilla\Firefox\Profiles\er7d5gp3.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/02/14 08:12:26 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/02/13 20:13:50 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

O1 HOSTS File: ([2006/09/18 14:37:24 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2:64bit: - BHO: (Windows Live Family Safety Browser Helper Class) - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Foxit Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
O4:64bit: - HKLM..\Run: [MSSE] C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Arctosa] C:\Program Files\Razer\Arctosa\razerhid.exe (Razer USA Ltd.)
O4 - HKLM..\Run: [RunAIShell] C:\Program Files (x86)\ASUS\AI Manager\AsShellApplication.exe (ASUSTeK Computer Inc.)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [Steam] C:\Program Files (x86)\Steam\Steam.exe (Valve Corporation)
O4 - Startup: C:\Users\Geoff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Geoff\AppData\Roaming\Dropbox\bin\Dropbox.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O24 - Desktop WallPaper: C:\Windows\web\Wallpaper\img23.jpg
O24 - Desktop BackupWallPaper: C:\Windows\web\Wallpaper\img23.jpg
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{02168669-503a-11df-8184-00248ce68ba9}\Shell - "" = AutoRun
O33 - MountPoints2\{02168669-503a-11df-8184-00248ce68ba9}\Shell\AutoRun\command - "" = H:\Autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 90 Days ==========

[2010/08/29 14:33:22 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Geoff\Desktop\OTL.exe
[2010/08/29 08:21:39 | 000,000,000 | ---D | C] -- C:\Users\Geoff\AppData\Roaming\Malwarebytes
[2010/08/29 08:21:25 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/08/29 08:21:23 | 000,024,664 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/08/29 08:21:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/08/29 08:21:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/08/29 08:19:34 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/08/29 08:18:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
[2010/08/26 21:48:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\BioWare
[2010/08/26 21:47:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Dragon Age Origins Character Creator
[2010/08/26 06:36:45 | 000,000,000 | ---D | C] -- C:\ProgramData\BioWare
[2010/08/26 06:36:22 | 000,000,000 | ---D | C] -- C:\Users\Geoff\AppData\Roaming\NVIDIA
[2010/08/25 17:59:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NVIDIA Corporation
[2010/08/25 17:51:23 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA Corporation
[2010/08/25 17:51:19 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2010/08/25 13:29:36 | 000,000,000 | ---D | C] -- C:\Users\Geoff\Desktop\More kittens
[2010/08/25 13:29:36 | 000,000,000 | ---D | C] -- C:\Users\Geoff\Desktop\2004_09_15
[2010/08/25 13:29:36 | 000,000,000 | ---D | C] -- C:\Users\Geoff\Desktop\2004_09_14
[2010/08/25 12:58:11 | 000,000,000 | ---D | C] -- C:\Users\Geoff\Desktop\Law School Stuff from Old Computer
[2010/08/14 19:06:45 | 000,000,000 | ---D | C] -- C:\Users\Geoff\AppData\Local\Electronic Arts
[2010/08/14 18:54:19 | 000,000,000 | ---D | C] -- C:\Users\Geoff\Documents\Electronic Arts
[2010/08/14 18:54:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Electronic Arts
[2010/08/11 17:09:12 | 000,000,000 | ---D | C] -- C:\Users\Geoff\Documents\StarCraft II
[2010/08/11 17:09:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\StarCraft II
[2010/08/11 17:09:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Blizzard Entertainment
[2010/08/11 17:09:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Blizzard Entertainment
[2010/07/16 18:03:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\directx
[2010/07/16 18:00:10 | 000,000,000 | ---D | C] -- C:\DeusEx
[2010/07/10 05:38:00 | 000,065,128 | ---- | C] (Khronos Group) -- C:\Windows\SysNative\OpenCL.dll
[2010/07/10 05:38:00 | 000,056,936 | ---- | C] (Khronos Group) -- C:\Windows\SysWow64\OpenCL.dll
[2010/06/30 03:00:36 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Antimalware
[2010/06/25 03:01:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft.NET

========== Files - Modified Within 90 Days ==========

[2010/09/01 16:33:55 | 001,835,008 | -HS- | M] () -- C:\Users\Geoff\NTUSER.DAT
[2010/09/01 13:41:44 | 000,009,728 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/01 13:41:44 | 000,009,728 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/01 13:40:06 | 000,726,316 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/09/01 13:40:06 | 000,623,940 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/09/01 13:40:06 | 000,106,316 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/09/01 13:34:14 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/01 13:34:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/01 13:33:55 | 2146,787,327 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/01 12:31:21 | 002,421,983 | -H-- | M] () -- C:\Users\Geoff\AppData\Local\IconCache.db
[2010/08/29 14:32:05 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Geoff\Desktop\OTL.exe
[2010/08/29 09:02:43 | 000,293,376 | ---- | M] () -- C:\Users\Geoff\Desktop\gmer.exe
[2010/08/29 08:21:28 | 000,001,017 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/29 08:18:34 | 000,000,932 | ---- | M] () -- C:\Users\Geoff\Desktop\NTREGOPT.lnk
[2010/08/29 08:18:34 | 000,000,913 | ---- | M] () -- C:\Users\Geoff\Desktop\ERUNT.lnk
[2010/08/27 21:38:27 | 000,013,042 | ---- | M] () -- C:\Users\Geoff\Desktop\Blessed Weapons.zip
[2010/08/26 21:48:33 | 000,001,256 | ---- | M] () -- C:\Users\Public\Desktop\Dragon Age Origins Character Creator.lnk
[2010/08/25 18:11:44 | 000,000,221 | ---- | M] () -- C:\Users\Geoff\Desktop\Dragon Age Origins.url
[2010/08/25 13:20:38 | 005,780,037 | ---- | M] () -- C:\Users\Geoff\Desktop\HG_Jan_05.7z
[2010/08/14 18:59:24 | 000,002,077 | ---- | M] () -- C:\Users\Public\Desktop\Dead Space™.lnk
[2010/08/14 10:22:10 | 000,001,167 | ---- | M] () -- C:\Users\Geoff\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2010/08/14 10:22:10 | 000,001,143 | ---- | M] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2010/08/13 03:20:29 | 000,345,368 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/08/13 03:03:33 | 000,001,143 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Works.lnk
[2010/08/11 17:22:03 | 000,001,442 | ---- | M] () -- C:\Users\Geoff\Desktop\StarCraft II.exe - Shortcut.lnk
[2010/08/02 14:43:45 | 000,090,163 | ---- | M] () -- C:\Users\Geoff\Desktop\1stegg.JPG
[2010/07/10 05:38:00 | 000,065,128 | ---- | M] (Khronos Group) -- C:\Windows\SysNative\OpenCL.dll
[2010/07/10 05:38:00 | 000,056,936 | ---- | M] (Khronos Group) -- C:\Windows\SysWow64\OpenCL.dll
[2010/07/09 15:38:00 | 000,012,264 | ---- | M] () -- C:\Windows\SysNative\nvinfo.pb
[2010/06/30 03:00:27 | 000,001,039 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Security Essentials.lnk
[2010/06/13 12:30:14 | 002,354,516 | ---- | M] () -- C:\Users\Geoff\Desktop\DnYak.JPG

========== Files Created - No Company Name ==========

[2010/08/29 08:21:28 | 000,001,017 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/29 08:18:34 | 000,000,932 | ---- | C] () -- C:\Users\Geoff\Desktop\NTREGOPT.lnk
[2010/08/29 08:18:33 | 000,000,913 | ---- | C] () -- C:\Users\Geoff\Desktop\ERUNT.lnk
[2010/08/27 21:38:26 | 000,013,042 | ---- | C] () -- C:\Users\Geoff\Desktop\Blessed Weapons.zip
[2010/08/26 21:48:33 | 000,001,256 | ---- | C] () -- C:\Users\Public\Desktop\Dragon Age Origins Character Creator.lnk
[2010/08/25 18:11:44 | 000,000,221 | ---- | C] () -- C:\Users\Geoff\Desktop\Dragon Age Origins.url
[2010/08/25 13:22:32 | 2867,035,986 | ---- | C] () -- C:\Users\Geoff\Desktop\Documents and Settings.rar
[2010/08/25 13:20:09 | 005,780,037 | ---- | C] () -- C:\Users\Geoff\Desktop\HG_Jan_05.7z
[2010/08/25 13:18:57 | 109,909,710 | ---- | C] () -- C:\Users\Geoff\Desktop\Path of Ascension CEP Epic.mod
[2010/08/14 18:59:24 | 000,002,077 | ---- | C] () -- C:\Users\Public\Desktop\Dead Space™.lnk
[2010/08/14 10:22:10 | 000,001,167 | ---- | C] () -- C:\Users\Geoff\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2010/08/14 10:22:10 | 000,001,143 | ---- | C] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2010/08/13 03:03:33 | 000,001,143 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft Works.lnk
[2010/08/11 17:22:03 | 000,001,442 | ---- | C] () -- C:\Users\Geoff\Desktop\StarCraft II.exe - Shortcut.lnk
[2010/08/02 14:43:43 | 000,090,163 | ---- | C] () -- C:\Users\Geoff\Desktop\1stegg.JPG
[2010/06/13 12:29:48 | 002,354,516 | ---- | C] () -- C:\Users\Geoff\Desktop\DnYak.JPG
[2010/02/14 07:40:21 | 000,000,600 | ---- | C] () -- C:\Users\Geoff\AppData\Local\PUTTY.RND
[2010/02/13 21:47:27 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/02/13 07:44:37 | 000,000,134 | ---- | C] () -- C:\Users\Geoff\AppData\Roaming\wklnhst.dat
[2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 14:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/05/15 16:35:10 | 000,221,184 | ---- | C] () -- C:\Windows\SysWow64\drivers\ServiceHelp.dll
[2009/05/15 16:34:26 | 000,024,576 | ---- | C] () -- C:\Windows\SysWow64\AsIO.dll
[2009/05/15 16:34:26 | 000,013,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsIO.sys
[2009/05/15 16:34:24 | 000,011,832 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsInsHelp64.sys
[2009/05/15 16:34:24 | 000,010,216 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsInsHelp32.sys
[2009/05/15 16:30:45 | 000,001,746 | ---- | C] () -- C:\Windows\Language_trs.ini
[2009/05/15 16:13:43 | 000,026,261 | ---- | C] () -- C:\Windows\Ascd_log.ini
[2009/05/15 16:13:32 | 000,019,853 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2007/12/28 08:22:02 | 000,010,296 | ---- | C] () -- C:\Windows\SysWow64\drivers\ASUSHWIO.SYS

========== LOP Check ==========

[2010/04/23 21:20:47 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\CreeperWorld
[2010/04/23 21:17:57 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\CreeperWorldDEMO.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
[2010/04/25 00:20:25 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\DAEMON Tools Lite
[2010/09/01 13:34:43 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Dropbox
[2010/02/13 21:15:45 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\FileZilla
[2010/02/13 20:14:24 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Foxit
[2010/04/23 00:53:57 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\gtk-2.0
[2010/02/14 16:05:48 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Leadertech
[2010/03/18 23:45:21 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\runic games
[2010/02/14 08:16:54 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Subversion
[2010/02/27 01:42:57 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Template
[2010/08/14 19:58:08 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\uTorrent
[2009/07/13 22:08:49 | 000,020,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009/07/13 18:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr
[2010/02/10 06:17:25 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2010/09/01 13:33:55 | 2146,787,327 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/01 13:34:03 | 4294,041,599 | -HS- | M] () -- C:\pagefile.sys
[2009/05/15 16:18:44 | 000,001,701 | ---- | M] () -- C:\RHDSetup.log
[2009/05/15 16:24:18 | 000,000,087 | ---- | M] () -- C:\setup.log

< %systemroot%\Fonts\*.com >
[2009/07/13 22:32:31 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2009/07/13 22:32:31 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2009/07/13 22:32:31 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2009/07/13 22:32:31 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009/06/10 13:49:50 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2008/12/04 22:55:20 | 000,307,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >
[2010/08/20 19:50:13 | 000,001,686 | -HS- | M] () -- C:\Users\Geoff\AppData\Roaming\Microsoft\LastFlashConfig.wfc

< %PROGRAMFILES%\*.* >
[2009/07/13 21:54:24 | 000,000,174 | -HS- | M] () -- C:\Program Files (x86)\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2010/02/10 04:33:34 | 000,000,221 | -HS- | M] () -- C:\Users\Geoff\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop (1).ini
[2010/02/10 05:39:35 | 000,000,221 | -HS- | M] () -- C:\Users\Geoff\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

< %USERPROFILE%\Desktop\*.exe >
[2010/08/29 09:02:43 | 000,293,376 | ---- | M] () -- C:\Users\Geoff\Desktop\gmer.exe
[2010/08/29 14:32:05 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Geoff\Desktop\OTL.exe
[2010/02/13 22:34:18 | 020,565,723 | ---- | M] (IDM Computer Solutions, Inc.) -- C:\Users\Geoff\Desktop\UltraEdit Text Editor.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >
[2009/06/10 14:20:04 | 000,000,802 | ---- | M] () -- C:\Windows\addins\FXSEXT.ecf

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >
[2010/08/25 18:00:32 | 000,008,192 | ---- | M] () -- C:\Windows\security\database\edb.chk
[2010/08/25 18:00:32 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edb.log
[2010/08/25 18:00:32 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00001.jrs
[2010/08/25 18:00:32 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00002.jrs
[2010/08/25 18:00:32 | 000,786,432 | ---- | M] () -- C:\Windows\security\database\edbtmp.log
[2010/08/25 18:00:32 | 001,056,768 | ---- | M] () -- C:\Windows\security\database\tmp.edb

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2010/08/03 03:18:18 | 000,000,402 | -HS- | M] () -- C:\Users\Geoff\Favorites\desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >

< %SYSTEMROOT%\Installer\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
< End of report >

#4
gku

  • Member
  • 16 posts
Doh! The above account (Funky) is also mine. Sorry, mixup, have two logins here it seems.

Geoff

#5
BlackOxide

    Trusted Helper

  • Malware Removal
  • 1,976 posts
Hey,

No worries on the user account names :)

Thanks for keeping me updated with the issues you have come across. With the logging in/logging out issue, has this happened again since it did it the first time?


I'll be changing all my passwords using another computer, regardless.


Good thinking. It's always wise to hop onto another PC and change your passwords for the websites you often log into if you've had any malware present :)

I've had a look through the OTL log and it appears in good shape. Let's do a scan with AVP by Kaspersky to see if this reveals any malware. Please follow the instructions below....



AVP Virus Scan by Kaspersky
Save these instructions so you can have access to them while in Safe Mode.

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight Safe Mode, then hit Enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • Accept the Licence agreement and click on Next.
  • It will by default install it to your desktop folder. Click Next.
  • It will then open a box. There will be a tab that says AutoScan.
  • Under AutoScan make sure these are checked:

      • Hidden Startup Objects
      • System Memory
      • Disk Boot Sectors
      • My Computer
      • Also any other drives (Removable that you may have)

    Note - System Memory option is not available on 64 bit Operating Systems

    Leave the rest of the settings as they appear by default.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be Neutralized, then choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
  • Save it somewhere convenient like your desktop and post only the detected virus\malware in the report. It will be at the very top under Detected. Post those results in your next reply.

    Note: This tool will self uninstall when you close it, so please save the log before closing it.





In your next reply
Please post the contents of...
AVP log

#6
gku

    Member

  • Member
  • 16 posts

> Thanks for keeping me updated with the issues you have come across. With the logging in/logging out issue, has this happened again since it did it the first time?

Yes, it's an ongoing issue. Turns out that second account came in handy - I used another computer to reset the pass again, making it different from my others (and thus harmless), and then tried to login with the same result. It works on all computers but the infected computer, which does not permit login.

More news - I've been mostly keeping the computer offline, but despite that, a windows update message showed next to the Shut Down option in the start menu, when I went to restart the computer to run Kaspersky. Not trusting it, and unable to locate an option to Shut Down without installing the update/s, I simply turned the computer's power off. I'm fairly new to Win 7, so if that option was carried over from Win XP I'd love to hear about it.

Anyway, I ran Kaspersky. I couldn't find a save option in the report, so I Selected All, and pasted into a text:
Autoscan: completed 15 minutes ago (events: 7, objects: 376678, time: 01:06:47)
9/2/2010 2:30:58 PM Task started
9/2/2010 3:23:19 PM Detected Trojans Trojan.Win32.Agent.djoh High Exact File D:\Program Downloads\Drivers\Driver Cleaner\DCProSetup.exe/data0007/ ASPack
9/2/2010 3:23:20 PM Detected Trojans Trojan.Win32.Agent.djoh High Exact File D:\Program Downloads\Drivers\Driver Cleaner\dcprosetup_14.zip/DCProSetup.exe/data0007/ ASPack
9/2/2010 3:23:53 PM Deleted Trojans Trojan.Win32.Agent.djoh High Exact File D:\Program Downloads\Drivers\Driver Cleaner\ DCProSetup.exe
9/2/2010 3:23:54 PM Deleted Trojans Trojan.Win32.Agent.djoh High Exact File D:\Program Downloads\Drivers\Driver Cleaner\dcprosetup_14.zip/ DCProSetup.exe
9/2/2010 3:37:19 PM Processing error File D:\Torrents\torchlight\ [PC] Torchlight - 2009.rar Read error
9/2/2010 3:37:46 PM Task completed

It appears to have found only one of the 22 infections, albeit one of the nasty ones. My computer is much less sluggish after restarting after the scan, but I have NOT run more scans to see what still shows - I'm waiting until you can provide your next instructions before doing anything else. The update notification next to Shut Down in the Start Menu still shows after the Kaspersky scan - here's to hoping it's an actual Windows update, though I will not allow it to shut down normally so it can install until I hear back from you. Thank you again for your help. :)

Geoff

Edited by gku, 02 September 2010 - 05:17 PM.


#7
gku

    Member

  • Member
  • 16 posts
Update: Microsoft Security Essentials, of its own accord, popped up a warning showing that I still have 22 infections, listing in the window only the 6 medium-level threats it had shown before.

Also, I still cannot log in to these forums using the infected computer.

Geoff

#8
BlackOxide

    Trusted Helper

  • Malware Removal
  • 1,976 posts

> Yes, it's an ongoing issue. Turns out that second account came in handy - I used another computer to reset the pass again, making it different from my others (and thus harmless), and then tried to login with the same result. It works on all computers but the infected computer, which does not permit login.


That's interesting... we'll run through a few things below, then let me know at the end whether you can login properly on the infected computer after going through all of the steps :)



> I've been mostly keeping the computer offline, but despite that, a windows update message showed next to the Shut Down option in the start menu, when I went to restart the computer to run Kaspersky. Not trusting it, and unable to locate an option to Shut Down without installing the update/s, I simply turned the computer's power off. I'm fairly new to Win 7, so if that option was carried over from Win XP I'd love to hear about it.


Yep, this sounds very much like a legit Windows Update that it wants to install when you Shut Down the PC. I would let this update go through, you shouldn't have any problems with it :) Personally I have changed my Windows Update settings on my Windows 7 PC. I have never liked Microsoft installing updates when they feel like it and wanting to reboot my PC. I like to be prompted and when my PC is available to be shut down, I'll click to install the updates and let it reboot. Click here for a good little article on Windows 7 Update. I have mine on 'Check for Updates but let me choose whether to download and install them'.


Ok, let's run through a few steps....


1)
Let's clear your System Restore points, as these may contain infections which MSE might be alerting to....

  • Run OTL, copy and paste the following into the Custom Scans/Fixes area at the bottom

    :Commands
    [CLEARALLRESTOREPOINTS]
    [EmptyTemp]
    [EmptyFlash]
    
  • Then Click Run Fix



2)
Clear Firefox's Cache and Cookies

  • Open Firefox
  • Click Tools, then Clear Recent History
  • Make sure Everything is selected in the Time range to clear at the top
  • Make sure both Cookies and Cache have a tick next to them and leave the others unticked
  • Click Clear Now at the bottom

This will now remove Firefox's Cache and Cookies from the PC




3)
Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic




4)
The following Proxy settings are set in Firefox. Do you need these anymore? They point to Best Buy.

FF - prefs.js..network.proxy.ftp: "168.94.74.68"
FF - prefs.js..network.proxy.ftp_port: 8080
FF - prefs.js..network.proxy.gopher: "168.94.74.68"
FF - prefs.js..network.proxy.gopher_port: 8080
FF - prefs.js..network.proxy.http: "168.94.74.68"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "168.94.74.68"
FF - prefs.js..network.proxy.socks_port: 8080
FF - prefs.js..network.proxy.ssl: "168.94.74.68"
FF - prefs.js..network.proxy.ssl_port: 8080



In your next reply
Please post the contents of...
ESET Online Scan
Let me know whether the proxy settings belonging to Best Buy are now relevant
Let me know whether you can now log in to this forum on the infected PC after doing the above steps


:)

#9
Funky

    New Member

  • Member
  • 6 posts
Ok, all steps completed. Here's the OTL log - you didn't request it, but it's short. After running it, and selecting the Reboot Now option after it prompted me, windows ran what appeared to be the Chkdsk utility. It didn't take terribly long, but it said it deleted a few corrupt bits of data. The log:

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Geoff
->Temp folder emptied: 554783 bytes
->Temporary Internet Files folder emptied: 685730 bytes
->FireFox cache emptied: 41819533 bytes
->Flash cache emptied: 1272 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 9413008 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 50.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Geoff
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.11.0 log created on 09032010_134226

Files\Folders moved on Reboot...
C:\Users\Geoff\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Windows\temp\TMP00000001AE214B0352183020 not found!

Registry entries deleted on Reboot...


I then cleared Firefox's cache and cookies per your instructions, and then I ran the ESET scanner. Here's the log, it's only 3 lines:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK

It was on a slightly different path than the one you indicated, so I hope it's the correct one - I found it in C:\Program Files(x86)\ESET\ESET Online Scanner. I did NOT uninstall it afterwards, so if that's not the proper log, the right one is likely still around.

As to #4, I have no idea why this computer would have Proxy settings or anything else relating to Best Buy on it. I purchased it via Tiger Direct, as a refurb, and it had almost no junk programs on it when I got it. It's an ASUS, if that matters, and I'm fairly certain I've never even browsed to a Best Buy webpage on it. I have internet access via Comcast cable. So, in answer to your question, barring some misapprehension on my part, those proxy settings have never been relevant, and I've no idea why they're there - remnants of the malware, maybe? I never got any redirects as a result of this infection. In fact, the only symptoms have been a major slowdown, and the odd inability to log in as a user to this site on it since the infection. The slowdown didn't seem entirely gone after the previous scan removed Win32/Agent, but that may simply be because Microsoft Security Essentials was working overtime detecting phantom threats - I have no idea. Its icon hasn't turned yellow (or red) since the ESET scan - perhaps the restore points were spoofing it, and my performance will be back. It was turning yellow immediately on startup before I took the steps in your latest post, and would turn red after an hour or two, popping up the warning about the 22 infections. I'll have to use it further to see how the computer's performance is, speed-wise (I suspect it's due for a defrag, as well) - I've been avoiding using it much, as well as keeping it offline.

EDIT: As I was typing this, MSE's icon went red, and the same old MSE popup appeared, informing me that I have 22 potential threats - at a glance, the same 22.

As to the odd login glitch on these forums, it's still there in Firefox. It's doing the exact same thing - taking my login data, going to the Thank You, login successful page, per normal, then redirecting to the page I had been on before, but not logged in (the log in option is still in the forum header, and I'm unable to post replies). It is NOT there in Internet Explorer 64 bit, however, which is what I'm using to post this. I have no idea if it ever was there in IE 64, but as I said, Firefox was working just fine pre-infection.

Lastly, a word about the two ways I may have gotten this infection, in case it's helpful in any way. A day or two before the first issue appeared on my weekly MSE scan, two things happened that might've caused it. First, I hooked up an old hard drive to this computer using cables to convert it to a USB portable-style drive, and copied over some files. That computer had Kazaa on it, and given that that was one of the infections listed in the scan report, it seems like a likely source. The other possible infection vector was a bad internet search I did around the same time - the page I selected had one of those obnoxious popups that wouldn't go away when you clicked on the red x on the top right. I then, unfortunately, clicked on the Cancel button on the popup, instead of using Task Manager to abort it. Doh!

So, per the edit above, I'm still infected - or at least, MSE still thinks I am. :) Thank you again for your time, and apologies for the somewhat lengthy reply.

Geoff

#10
BlackOxide

    Trusted Helper

  • Malware Removal
  • 1,976 posts
Hey,

Thanks for the info and nope I certainly don't mind lengthy replies, they give me a better picture as to what's what :)

What we will do here is remove those Best Buy proxy settings and then try and locate what files MSE is detecting as there is a button that you can press to show extra details which should include the filenames of those items.

Strange about the login issue for this site in Firefox. It may come down to Firefox needing to be uninstalled then reinstalled, but we'll leave that for the time being and just see if we can get those file locations from MSE and we'll go from there :)



1)
Removing the Best Buy proxy settings and getting a fresh OTL scan

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    FF - prefs.js..network.proxy.ftp: "168.94.74.68"
    FF - prefs.js..network.proxy.ftp_port: 8080
    FF - prefs.js..network.proxy.gopher: "168.94.74.68"
    FF - prefs.js..network.proxy.gopher_port: 8080
    FF - prefs.js..network.proxy.http: "168.94.74.68"
    FF - prefs.js..network.proxy.http_port: 8080
    FF - prefs.js..network.proxy.no_proxies_on: "*.local"
    FF - prefs.js..network.proxy.share_proxy_settings: true
    FF - prefs.js..network.proxy.socks: "168.94.74.68"
    FF - prefs.js..network.proxy.socks_port: 8080
    FF - prefs.js..network.proxy.ssl: "168.94.74.68"
    FF - prefs.js..network.proxy.ssl_port: 8080
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.




2)
Perform a Full Scan with MSE and then locate the file locations of the items that were found

Open MSE and make sure you are on the Home tab at the top
Under Scan Options to the right, make sure Full is selected, then click Scan now
After the scan is finished you should be able to click 'Show Details' which is just under the Clean Computer button (see image below)

Posted Image


Now click a detected item and then click the Show Details button, you should then see the file location(s) below (see images)

Posted Image

Posted Image

It looks like you will need to click each detected item and then the Show details button to reveal the file locations for each infection. If you could copy and paste the item locations within your next reply that would be great.

:)


In your next reply
Please post the contents of...
OTL log
Locations of the infections if possible


Thanks
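An added example, not part of the thread and not OTL's own code: a Python sketch of the proxy check done by eye in step 4 of post #8 and in the fix above, reading `network.proxy.*` values from OTL's `FF - prefs.js..` lines or from a profile's `prefs.js`. The function names, the `state` labels and the constructed `prefs.js` excerpt are assumptions; the OTL output on this page does not show `network.proxy.type`, so host values on their own are reported as "unknown" rather than as an active proxy.

```python
import re
from collections import defaultdict

# OTL log form, as pasted in this thread:
#   FF - prefs.js..network.proxy.http: "168.94.74.68"
OTL_RE = re.compile(r'^\s*FF - prefs\.js\.\.(network\.proxy\.[\w.]+):\s*(.*?)\s*$')
# Firefox profile form:
#   user_pref("network.proxy.http", "168.94.74.68");
PREFS_RE = re.compile(r'^\s*user_pref\("(network\.proxy\.[\w.]+)",\s*(.*?)\);\s*$')

PROTOCOLS = ("http", "ssl", "ftp", "gopher", "socks")


def _value(raw):
    """Convert a raw pref value (quoted string, bool or integer) to Python."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw) if raw.lstrip("-").isdigit() else raw


def parse_proxy_prefs(text):
    """Return {short_name: value} for every network.proxy.* line found."""
    prefs = {}
    for line in text.splitlines():
        m = OTL_RE.match(line) or PREFS_RE.match(line)
        if m:
            prefs[m.group(1)[len("network.proxy."):]] = _value(m.group(2))
    return prefs


def audit(prefs):
    """Group protocols by proxy endpoint and say whether the proxy is in use."""
    endpoints = defaultdict(list)
    for proto in PROTOCOLS:
        host = prefs.get(proto)
        if host:  # an empty string means the pref was cleared
            endpoints[(host, prefs.get(proto + "_port"))].append(proto)
    ptype = prefs.get("type")  # 1 = manual proxy configuration
    if not endpoints:
        state = "none"
    elif ptype == 1:
        state = "active"
    elif ptype is None:
        state = "unknown"   # hosts are set, but the mode was not captured
    else:
        state = "dormant"   # hosts left behind while another mode is selected
    return {
        "state": state,
        "endpoints": {k: sorted(v) for k, v in endpoints.items()},
        "bypass": prefs.get("no_proxies_on") or "",
    }


# Lines quoted from this thread (post #8, before the fix).
OTL_BEFORE_FIX = '''
FF - prefs.js..network.proxy.ftp: "168.94.74.68"
FF - prefs.js..network.proxy.ftp_port: 8080
FF - prefs.js..network.proxy.gopher: "168.94.74.68"
FF - prefs.js..network.proxy.gopher_port: 8080
FF - prefs.js..network.proxy.http: "168.94.74.68"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "168.94.74.68"
FF - prefs.js..network.proxy.socks_port: 8080
FF - prefs.js..network.proxy.ssl: "168.94.74.68"
FF - prefs.js..network.proxy.ssl_port: 8080
'''

# Lines quoted from the OTL log in post #11 (after the fix), shortened.
OTL_AFTER_FIX = '''
FF - prefs.js..network.proxy.http: ""
FF - prefs.js..network.proxy.http_port: ""
FF - prefs.js..network.proxy.ssl: ""
FF - prefs.js..network.proxy.ssl_port: ""
'''

# Constructed prefs.js excerpt (not from the thread); 192.0.2.10 is a
# documentation address.
PREFS_JS_CONSTRUCTED = '''
user_pref("network.proxy.http", "192.0.2.10");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.ssl", "192.0.2.10");
user_pref("network.proxy.ssl_port", 3128);
user_pref("network.proxy.type", 1);
'''

if __name__ == "__main__":
    for label, text in (("before fix", OTL_BEFORE_FIX),
                        ("after fix", OTL_AFTER_FIX),
                        ("constructed prefs.js", PREFS_JS_CONSTRUCTED)):
        print(label, audit(parse_proxy_prefs(text)))
```

An "unknown" result is the cue to open the profile's `prefs.js`, or Firefox's connection settings, and confirm which proxy mode is selected before concluding that traffic was actually routed through the listed host.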


#11
Funky

    New Member

  • Member
  • 6 posts
Ok, some interesting developments, and, hopefully, a resolution in sight. I flipped on the computer this morning, went to get coffee, and when I came back, MSE had already begun updating its definitions, and I let it finish. Probably not relevant, but there it is. Anyway, I saw your post 15 minutes after you posted, and got to work. First, the OTL log:



OTL logfile created on: 9/4/2010 8:10:16 AM - Run 3
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Users\Geoff\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

8.00 Gb Total Physical Memory | 7.00 Gb Available Physical Memory | 85.00% Memory free
16.00 Gb Paging File | 14.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 279.46 Gb Total Space | 162.26 Gb Free Space | 58.06% Space Free | Partition Type: NTFS
Drive D: | 409.17 Gb Total Space | 233.14 Gb Free Space | 56.98% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 488.00 Mb Total Space | 482.02 Mb Free Space | 98.77% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GEOFF-PC
Current User Name: Geoff
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/08/30 16:46:24 | 000,407,336 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe
PRC - [2010/08/29 14:32:05 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Geoff\Desktop\OTL.exe
PRC - [2010/08/24 19:04:56 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Steam\Steam.exe
PRC - [2010/08/03 07:40:45 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2010/07/09 16:09:52 | 000,248,936 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2010/06/01 10:17:48 | 005,252,408 | ---- | M] (Yahoo! Inc.) -- C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
PRC - [2010/05/14 11:00:26 | 000,249,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2010/04/01 02:16:20 | 000,357,696 | ---- | M] (DT Soft Ltd) -- C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
PRC - [2010/02/25 22:10:20 | 021,979,992 | ---- | M] () -- C:\Users\Geoff\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2009/09/29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2009/08/21 11:47:34 | 000,411,648 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files (x86)\ASUS\AI Manager\Page\iGear\GearHelp.exe
PRC - [2009/08/19 21:55:40 | 000,196,608 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Windows\SysWOW64\AsHookDevice.exe
PRC - [2009/08/19 21:37:26 | 000,225,280 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files (x86)\ASUS\AI Manager\AsShellApplication.exe
PRC - [2009/03/31 01:37:40 | 005,748,736 | ---- | M] () -- C:\Program Files (x86)\ASUS\EPU-4 Engine\FourEngine.exe
PRC - [2008/10/06 07:03:04 | 000,147,456 | ---- | M] (Razer USA Ltd.) -- C:\Program Files\Razer\Arctosa\razerhid.exe
PRC - [2007/10/10 11:51:56 | 000,039,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Adobe\Reader 8.0\Reader\reader_sl.exe


========== Modules (SafeList) ==========

MOD - [2010/08/29 14:32:05 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Geoff\Desktop\OTL.exe
MOD - [2009/07/13 18:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx
MOD - [2009/07/13 18:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/03/25 23:48:42 | 000,017,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2009/07/13 18:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2010/08/30 16:46:24 | 000,407,336 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/08/25 18:26:06 | 000,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- c:\Program Files (x86)\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2010/07/09 16:09:52 | 000,248,936 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2010/05/14 11:00:26 | 000,249,136 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2010/03/18 14:27:14 | 000,138,576 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_64)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/09/29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2009/08/19 21:55:40 | 000,196,608 | ---- | M] (ASUSTeK Computer Inc.) [Auto | Running] -- C:\Windows\SysWOW64\AsHookDevice.exe -- (Device Handle Service)
SRV - [2008/12/08 17:01:58 | 000,533,344 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2010/04/25 00:10:47 | 000,834,544 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)
DRV:64bit: - [2010/02/12 20:30:26 | 000,145,360 | ---- | M] (Sun Microsystems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VBoxNetAdp.sys -- (VBoxNetAdp)
DRV:64bit: - [2009/07/16 11:38:40 | 000,015,416 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)
DRV:64bit: - [2009/07/13 18:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 18:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 18:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 18:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 18:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 18:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 13:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 13:35:35 | 000,620,544 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\netr28x.sys -- (netr28x)
DRV:64bit: - [2009/06/10 13:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 13:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 13:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 13:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/04/28 22:43:34 | 000,081,440 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2009/01/20 07:49:48 | 000,195,584 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rtlh64.sys -- (RTL8169)
DRV:64bit: - [2008/12/08 17:35:52 | 000,061,792 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
DRV - [2008/01/04 13:34:48 | 000,011,832 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysWOW64\drivers\AsInsHelp64.sys -- (ASInsHelp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.asus.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.asus.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 6B D6 40 08 AA 4B CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.startup.homepage: "http://highergroundp....com/index.cgi"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.2
FF - prefs.js..network.proxy.ftp: ""
FF - prefs.js..network.proxy.ftp_port: ""
FF - prefs.js..network.proxy.gopher: ""
FF - prefs.js..network.proxy.gopher_port: ""
FF - prefs.js..network.proxy.http: ""
FF - prefs.js..network.proxy.http_port: ""
FF - prefs.js..network.proxy.no_proxies_on: ""
FF - prefs.js..network.proxy.share_proxy_settings: ""
FF - prefs.js..network.proxy.socks: ""
FF - prefs.js..network.proxy.socks_port: ""
FF - prefs.js..network.proxy.ssl: ""
FF - prefs.js..network.proxy.ssl_port: ""


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/08/03 07:40:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/08/03 07:40:47 | 000,000,000 | ---D | M]

[2010/02/12 08:10:37 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Mozilla\Extensions
[2010/09/04 06:33:55 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Mozilla\Firefox\Profiles\er7d5gp3.default\extensions
[2010/08/20 19:51:07 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Geoff\AppData\Roaming\Mozilla\Firefox\Profiles\er7d5gp3.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/02/14 08:12:26 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/02/13 20:13:50 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

O1 HOSTS File: ([2010/09/04 08:02:36 | 000,000,098 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2:64bit: - BHO: (Windows Live Family Safety Browser Helper Class) - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Foxit Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
O4:64bit: - HKLM..\Run: [MSSE] C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Arctosa] C:\Program Files\Razer\Arctosa\razerhid.exe (Razer USA Ltd.)
O4 - HKLM..\Run: [RunAIShell] C:\Program Files (x86)\ASUS\AI Manager\AsShellApplication.exe (ASUSTeK Computer Inc.)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [Steam] C:\Program Files (x86)\Steam\Steam.exe (Valve Corporation)
O4 - Startup: C:\Users\Geoff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Geoff\AppData\Roaming\Dropbox\bin\Dropbox.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O24 - Desktop WallPaper: C:\Windows\web\Wallpaper\img23.jpg
O24 - Desktop BackupWallPaper: C:\Windows\web\Wallpaper\img23.jpg
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{02168669-503a-11df-8184-00248ce68ba9}\Shell - "" = AutoRun
O33 - MountPoints2\{02168669-503a-11df-8184-00248ce68ba9}\Shell\AutoRun\command - "" = H:\Autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/09/03 13:56:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2010/09/03 13:42:26 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/09/02 14:27:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2010/09/02 14:15:59 | 074,678,192 | ---- | C] ( ) -- C:\Users\Geoff\Desktop\setup_9.0.0.722_02.09.2010_12-28.exe
[2010/08/29 14:33:22 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Geoff\Desktop\OTL.exe
[2010/08/29 08:21:39 | 000,000,000 | ---D | C] -- C:\Users\Geoff\AppData\Roaming\Malwarebytes
[2010/08/29 08:21:25 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/08/29 08:21:23 | 000,024,664 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/08/29 08:21:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/08/29 08:21:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/08/29 08:19:34 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/08/29 08:18:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
[2010/08/26 21:48:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\BioWare
[2010/08/26 21:47:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Dragon Age Origins Character Creator
[2010/08/26 06:36:45 | 000,000,000 | ---D | C] -- C:\ProgramData\BioWare
[2010/08/26 06:36:22 | 000,000,000 | ---D | C] -- C:\Users\Geoff\AppData\Roaming\NVIDIA
[2010/08/25 17:59:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NVIDIA Corporation
[2010/08/25 17:51:23 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA Corporation
[2010/08/25 17:51:19 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2010/08/25 13:29:36 | 000,000,000 | ---D | C] -- C:\Users\Geoff\Desktop\More kittens
[2010/08/25 13:29:36 | 000,000,000 | ---D | C] -- C:\Users\Geoff\Desktop\2004_09_15
[2010/08/25 13:29:36 | 000,000,000 | ---D | C] -- C:\Users\Geoff\Desktop\2004_09_14
[2010/08/25 12:58:11 | 000,000,000 | ---D | C] -- C:\Users\Geoff\Desktop\Law School Stuff from Old Computer
[2010/08/14 19:06:45 | 000,000,000 | ---D | C] -- C:\Users\Geoff\AppData\Local\Electronic Arts
[2010/08/14 18:54:19 | 000,000,000 | ---D | C] -- C:\Users\Geoff\Documents\Electronic Arts
[2010/08/14 18:54:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Electronic Arts
[2010/08/11 17:09:12 | 000,000,000 | ---D | C] -- C:\Users\Geoff\Documents\StarCraft II
[2010/08/11 17:09:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\StarCraft II
[2010/08/11 17:09:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Blizzard Entertainment
[2010/08/11 17:09:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Blizzard Entertainment
[2010/07/16 18:03:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\directx
[2010/07/16 18:00:10 | 000,000,000 | ---D | C] -- C:\DeusEx
[2010/07/10 05:38:00 | 000,065,128 | ---- | C] (Khronos Group) -- C:\Windows\SysNative\OpenCL.dll
[2010/07/10 05:38:00 | 000,056,936 | ---- | C] (Khronos Group) -- C:\Windows\SysWow64\OpenCL.dll
[2010/06/30 03:00:36 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Antimalware
[2010/06/25 03:01:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft.NET

========== Files - Modified Within 90 Days ==========

[2010/09/04 08:13:48 | 000,009,728 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/04 08:13:48 | 000,009,728 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/04 08:12:00 | 000,726,316 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/09/04 08:12:00 | 000,623,940 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/09/04 08:12:00 | 000,106,316 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/09/04 08:05:58 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/04 08:05:40 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/04 08:05:28 | 2146,787,327 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/04 08:04:21 | 001,835,008 | -HS- | M] () -- C:\Users\Geoff\NTUSER.DAT
[2010/09/04 08:04:12 | 001,526,778 | -H-- | M] () -- C:\Users\Geoff\AppData\Local\IconCache.db
[2010/09/04 08:02:36 | 000,000,098 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\Hosts
[2010/09/03 13:46:46 | 000,003,400 | ---- | M] () -- C:\bootsqm.dat
[2010/09/03 13:27:51 | 000,000,000 | ---- | M] () -- C:\Users\Geoff\Desktop\Documents and Settings.rarEF24D812
[2010/09/02 14:21:36 | 935,264,255 | ---- | M] () -- C:\Users\Geoff\Desktop\Documents and Settings.rarEAB4ADCE
[2010/09/02 14:21:27 | 074,678,192 | ---- | M] ( ) -- C:\Users\Geoff\Desktop\setup_9.0.0.722_02.09.2010_12-28.exe
[2010/08/29 14:32:05 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Geoff\Desktop\OTL.exe
[2010/08/29 09:02:43 | 000,293,376 | ---- | M] () -- C:\Users\Geoff\Desktop\gmer.exe
[2010/08/29 08:21:28 | 000,001,017 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/29 08:18:34 | 000,000,932 | ---- | M] () -- C:\Users\Geoff\Desktop\NTREGOPT.lnk
[2010/08/29 08:18:34 | 000,000,913 | ---- | M] () -- C:\Users\Geoff\Desktop\ERUNT.lnk
[2010/08/27 21:38:27 | 000,013,042 | ---- | M] () -- C:\Users\Geoff\Desktop\Blessed Weapons.zip
[2010/08/26 21:48:33 | 000,001,256 | ---- | M] () -- C:\Users\Public\Desktop\Dragon Age Origins Character Creator.lnk
[2010/08/25 18:11:44 | 000,000,221 | ---- | M] () -- C:\Users\Geoff\Desktop\Dragon Age Origins.url
[2010/08/25 13:20:38 | 005,780,037 | ---- | M] () -- C:\Users\Geoff\Desktop\HG_Jan_05.7z
[2010/08/14 18:59:24 | 000,002,077 | ---- | M] () -- C:\Users\Public\Desktop\Dead Space™.lnk
[2010/08/14 10:22:10 | 000,001,167 | ---- | M] () -- C:\Users\Geoff\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2010/08/14 10:22:10 | 000,001,143 | ---- | M] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2010/08/13 03:20:29 | 000,345,368 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/08/13 03:03:33 | 000,001,143 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Works.lnk
[2010/08/11 17:22:03 | 000,001,442 | ---- | M] () -- C:\Users\Geoff\Desktop\StarCraft II.exe - Shortcut.lnk
[2010/08/02 14:43:45 | 000,090,163 | ---- | M] () -- C:\Users\Geoff\Desktop\1stegg.JPG
[2010/07/10 05:38:00 | 000,065,128 | ---- | M] (Khronos Group) -- C:\Windows\SysNative\OpenCL.dll
[2010/07/10 05:38:00 | 000,056,936 | ---- | M] (Khronos Group) -- C:\Windows\SysWow64\OpenCL.dll
[2010/07/09 15:38:00 | 000,012,264 | ---- | M] () -- C:\Windows\SysNative\nvinfo.pb
[2010/06/30 03:00:27 | 000,001,039 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Security Essentials.lnk
[2010/06/13 12:30:14 | 002,354,516 | ---- | M] () -- C:\Users\Geoff\Desktop\DnYak.JPG

========== Files Created - No Company Name ==========

[2010/09/03 13:46:46 | 000,003,400 | ---- | C] () -- C:\bootsqm.dat
[2010/09/03 13:27:51 | 000,000,000 | ---- | C] () -- C:\Users\Geoff\Desktop\Documents and Settings.rarEF24D812
[2010/09/02 14:21:36 | 935,264,255 | ---- | C] () -- C:\Users\Geoff\Desktop\Documents and Settings.rarEAB4ADCE
[2010/08/29 08:21:28 | 000,001,017 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/29 08:18:34 | 000,000,932 | ---- | C] () -- C:\Users\Geoff\Desktop\NTREGOPT.lnk
[2010/08/29 08:18:33 | 000,000,913 | ---- | C] () -- C:\Users\Geoff\Desktop\ERUNT.lnk
[2010/08/27 21:38:26 | 000,013,042 | ---- | C] () -- C:\Users\Geoff\Desktop\Blessed Weapons.zip
[2010/08/26 21:48:33 | 000,001,256 | ---- | C] () -- C:\Users\Public\Desktop\Dragon Age Origins Character Creator.lnk
[2010/08/25 18:11:44 | 000,000,221 | ---- | C] () -- C:\Users\Geoff\Desktop\Dragon Age Origins.url
[2010/08/25 13:22:32 | 2867,035,986 | ---- | C] () -- C:\Users\Geoff\Desktop\Documents and Settings.rar
[2010/08/25 13:20:09 | 005,780,037 | ---- | C] () -- C:\Users\Geoff\Desktop\HG_Jan_05.7z
[2010/08/25 13:18:57 | 109,909,710 | ---- | C] () -- C:\Users\Geoff\Desktop\Path of Ascension CEP Epic.mod
[2010/08/14 18:59:24 | 000,002,077 | ---- | C] () -- C:\Users\Public\Desktop\Dead Space™.lnk
[2010/08/14 10:22:10 | 000,001,167 | ---- | C] () -- C:\Users\Geoff\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2010/08/14 10:22:10 | 000,001,143 | ---- | C] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2010/08/13 03:03:33 | 000,001,143 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft Works.lnk
[2010/08/11 17:22:03 | 000,001,442 | ---- | C] () -- C:\Users\Geoff\Desktop\StarCraft II.exe - Shortcut.lnk
[2010/08/02 14:43:43 | 000,090,163 | ---- | C] () -- C:\Users\Geoff\Desktop\1stegg.JPG
[2010/06/13 12:29:48 | 002,354,516 | ---- | C] () -- C:\Users\Geoff\Desktop\DnYak.JPG
[2010/02/14 07:40:21 | 000,000,600 | ---- | C] () -- C:\Users\Geoff\AppData\Local\PUTTY.RND
[2010/02/13 21:47:27 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/02/13 07:44:37 | 000,000,134 | ---- | C] () -- C:\Users\Geoff\AppData\Roaming\wklnhst.dat
[2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 14:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/05/15 16:35:10 | 000,221,184 | ---- | C] () -- C:\Windows\SysWow64\drivers\ServiceHelp.dll
[2009/05/15 16:34:26 | 000,024,576 | ---- | C] () -- C:\Windows\SysWow64\AsIO.dll
[2009/05/15 16:34:26 | 000,013,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsIO.sys
[2009/05/15 16:34:24 | 000,011,832 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsInsHelp64.sys
[2009/05/15 16:34:24 | 000,010,216 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsInsHelp32.sys
[2009/05/15 16:30:45 | 000,001,746 | ---- | C] () -- C:\Windows\Language_trs.ini
[2009/05/15 16:13:43 | 000,026,261 | ---- | C] () -- C:\Windows\Ascd_log.ini
[2009/05/15 16:13:32 | 000,019,853 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2007/12/28 08:22:02 | 000,010,296 | ---- | C] () -- C:\Windows\SysWow64\drivers\ASUSHWIO.SYS

========== LOP Check ==========

[2010/04/23 21:20:47 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\CreeperWorld
[2010/04/23 21:17:57 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\CreeperWorldDEMO.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
[2010/04/25 00:20:25 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\DAEMON Tools Lite
[2010/09/04 08:07:16 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Dropbox
[2010/02/13 21:15:45 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\FileZilla
[2010/02/13 20:14:24 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Foxit
[2010/04/23 00:53:57 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\gtk-2.0
[2010/02/14 16:05:48 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Leadertech
[2010/03/18 23:45:21 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\runic games
[2010/02/14 08:16:54 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Subversion
[2010/02/27 01:42:57 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\Template
[2010/08/14 19:58:08 | 000,000,000 | ---D | M] -- C:\Users\Geoff\AppData\Roaming\uTorrent
[2009/07/13 22:08:49 | 000,023,120 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >


I then did the full scan with MSE per your instructions, and this time found only 6 infections, instead of the 22 it had been finding before - perhaps the trojan Kaspersky removed was downloading the rest to the computer when I turned it on? Anyway, all 6 were medium threats, and all were located in a single rar, a file I had copied over from the hard drive of my last computer, which had the Documents and Settings of the computer before it in a single rar (yes, that's two computers removed from my present one :) ). Here are the listings, for your perusal:

SoftwareBundler:Win32/KaZaA

containerfile:C:\Users\Geoff\Desktop\Documents and Settings.rar
file:C:\Users\Geoff\AppData\Roaming\Microsoft\Windows\Recent\Documents and Settings.rar.lnk
file:C:\Users\Geoff\Desktop\Documents and Settings.rar->Documents and Settings\Geoff Ulreich\Local Settings\Temp\p2psetup.exe
file:C:\Users\Geoff\Desktop\Documents and Settings.rar->Documents and Settings\Geoff Ulreich\Start Menu\Programs\Kazaa Media Desktop\Kazaa Website.url


Adware:Win32/Altnet

containerfile:C:\Users\Geoff\Desktop\Documents and Settings.rar
file:C:\Users\Geoff\AppData\Roaming\Microsoft\Windows\Recent\Documents and Settings.rar.lnk
file:C:\Users\Geoff\Desktop\Documents and Settings.rar->Documents and Settings\Geoff Ulreich\Local Settings\Temp\ADMCache\admB.tmp

Adware:Win32/Toprebates.C

containerfile:C:\Users\Geoff\Desktop\Documents and Settings.rar
file:C:\Users\Geoff\AppData\Roaming\Microsoft\Windows\Recent\Documents and Settings.rar.lnk
file:C:\Users\Geoff\Desktop\Documents and Settings.rar->Documents and Settings\Geoff Ulreich\Local Settings\Temp\THICC9.tmp\MMaker2.exe->(nsis-1-jkill.exe)

Program:Win32/PowerRegScheduler

containerfile:C:\Users\Geoff\Desktop\Documents and Settings.rar
file:C:\Users\Geoff\AppData\Roaming\Microsoft\Windows\Recent\Documents and Settings.rar.lnk
file:C:\Users\Geoff\Desktop\Documents and Settings.rar->Documents and Settings\Geoff Ulreich\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

Adware:Win32/WinFetcher

containerfile:C:\Users\Geoff\Desktop\Documents and Settings.rar
file:C:\Users\Geoff\AppData\Roaming\Microsoft\Windows\Recent\Documents and Settings.rar.lnk
file:C:\Users\Geoff\Desktop\Documents and Settings.rar->Documents and Settings\Geoff Ulreich\Local Settings\Temp\JjGA.exe

Adware:Win32/Adstart

containerfile:C:\Users\Geoff\Desktop\Documents and Settings.rar
file:C:\Users\Geoff\AppData\Roaming\Microsoft\Windows\Recent\Documents and Settings.rar.lnk
file:C:\Users\Geoff\Desktop\Documents and Settings.rar->Documents and Settings\Geoff Ulreich\Local Settings\Temp\adlinstallwin32.exe



I suppose I'm comfortable simply deleting the rar, since I already extracted everything of import from it days ago, when I first copied it over. I haven't deleted it yet, in case you want me to take some other action. I guess I'm curious to know if there's a simple way for me to clean the infections from that rar without having to delete it, since MSE doesn't seem able to - I guess because they're compressed? Could it be as simple as just deleting those files from the archive? Doesn't seem like they could self-replicate when compressed, but then, if I knew that, I probably wouldn't have had to come to you to begin with. :)

Does this mean, then, that BOTH potential vectors for infection were actual vectors, with the Kaspersky-removed downloader likely having come from the web page popup, and then downloading the other more serious malware each time I flipped the computer on? My computer was sluggish earlier, but I quickly realized that that was during the MSE update - it seems ok speedwise now, though I'll be more comfortable making comparisons once that Documents and Settings rar is gone, and I can be sure that MSE isn't fretting over it with some of its always-active features (I have no idea if it even would).

Once that rar is dealt with, that will leave the sole remaining curiosity of my inability to log in to your forums with Firefox. I haven't tried logging in to any other sites since the infection, not wanting to risk some keystroke logger or other phishing technique, but I'll be happy to once I can run a clean scan. That should at least reveal whether it's unique to your forums or affecting all the webpages I view with Firefox.

As always, thank you for your time. :)

Geoff

Edited by Funky, 04 September 2010 - 01:11 PM.

  • 0

#12
BlackOxide

    Trusted Helper

  • Malware Removal
  • 1,976 posts
Hi Geoff,

Your new OTL log looks good :)

"I guess I'm curious to know if there's a simple way for me to clean the infections from that rar without having to delete it, since MSE doesn't seem able to - I guess because they're compressed?"

Yep you should be able to do it manually. If you right click that rar file, then choose 7-Zip then 'Open Archive' it should load in 7-Zip's program. You should then be able to navigate to those files and right click them and then click 'Delete'. This should remove them from the rar archive but keep everything else :)

With regard to the actual infection vectors it's always quite difficult to determine exactly what has happened, but it could well be the fact that a Trojan got on through that webpage and it is common for more infections to be downloaded and placed on your machine through that original infection. That could well be what happened in your case here.

The Adware items that are in the contents of the rar file should not have automatically run on their own. Obviously, if they were double clicked or moved to the startup folder for example then they would have run. But I would doubt any of the ones detected by MSE have been activated if you haven't double clicked on them.

If you could run a Quick Scan with MBAM again, I would just like to make sure that it is still reporting a clean PC, thanks.

With the FireFox issue, after running the MBAM scan, just try logging in again to this forum once more, if it still does not login, let me know and I'll post instructions on reinstalling FireFox and backing up and restoring your Bookmarks and saved passwords etc. Quick question, if we were to reinstall FireFox do you need any Bookmarks, saved passwords, history etc transferring over or do you already have a backup of them?


1)
Run a Quick Scan with Malwarebytes Anti-Malware (MBAM) after updating...
  • Open MBAM
  • Click the Update tab, then click Check for Updates and let it install any updates if they are available
  • Click the Scanner tab, then make sure Quick Scan is selected and click Scan
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • Post the log that it produces in your next reply



2)
Just try logging onto this forum, leave the other websites for now and let me know how you get on :)

Also, as mentioned above, if we do need to reinstall FireFox, will you need any FireFox data transferring over, like Bookmarks etc as I can post instructions on how to do this if needed.

Thanks
  • 0
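The MSE listing in post #11 names each flagged item as `archive->member`, which is the list of entries the manual clean-up above has to remove. The following Python sketch is an added example, not part of any post or tool used in this thread; it parses an excerpt of that listing into a per-archive removal list, and the function names are hypothetical.

```python
from collections import defaultdict

# Excerpt copied from the MSE listing in post #11 of this thread.
SAMPLE = r"""
SoftwareBundler:Win32/KaZaA

containerfile:C:\Users\Geoff\Desktop\Documents and Settings.rar
file:C:\Users\Geoff\AppData\Roaming\Microsoft\Windows\Recent\Documents and Settings.rar.lnk
file:C:\Users\Geoff\Desktop\Documents and Settings.rar->Documents and Settings\Geoff Ulreich\Local Settings\Temp\p2psetup.exe
file:C:\Users\Geoff\Desktop\Documents and Settings.rar->Documents and Settings\Geoff Ulreich\Start Menu\Programs\Kazaa Media Desktop\Kazaa Website.url

Adware:Win32/Toprebates.C

containerfile:C:\Users\Geoff\Desktop\Documents and Settings.rar
file:C:\Users\Geoff\AppData\Roaming\Microsoft\Windows\Recent\Documents and Settings.rar.lnk
file:C:\Users\Geoff\Desktop\Documents and Settings.rar->Documents and Settings\Geoff Ulreich\Local Settings\Temp\THICC9.tmp\MMaker2.exe->(nsis-1-jkill.exe)
"""


def parse_detections(text):
    """Split the listing into one record per threat name."""
    detections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("containerfile:"):
            kind, value = "containers", line[len("containerfile:"):]
        elif line.startswith("file:"):
            # "->" separates an archive from the member found inside it;
            # a second "->" marks an object embedded in that member.
            kind, value = "resources", line[len("file:"):].split("->")
        else:
            # Any other non-empty line is treated as a threat name.
            current = {"threat": line, "containers": [], "resources": []}
            detections.append(current)
            continue
        if current is None:
            raise ValueError("resource line before any threat name: " + line)
        current[kind].append(value)
    return detections


def removal_plan(detections):
    """Group flagged archive members by archive; keep standalone paths apart.

    Returns (plan, loose):
      plan  - {archive path: {member path: set of threat names}}
      loose - {path listed without '->': set of threat names}
    """
    plan = defaultdict(lambda: defaultdict(set))
    loose = defaultdict(set)
    for det in detections:
        for chain in det["resources"]:
            if len(chain) == 1:
                # e.g. the Recent-items shortcut that only points at the archive
                loose[chain[0]].add(det["threat"])
            else:
                # Removing the top-level member also removes anything embedded in it.
                plan[chain[0]][chain[1]].add(det["threat"])
    return {a: dict(m) for a, m in plan.items()}, dict(loose)


if __name__ == "__main__":
    plan, loose = removal_plan(parse_detections(SAMPLE))
    for archive, members in plan.items():
        print(archive)
        for member, threats in sorted(members.items()):
            print("  remove:", member, "<-", ", ".join(sorted(threats)))
    for path, threats in sorted(loose.items()):
        print("outside archive:", path, "<-", ", ".join(sorted(threats)))
```
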

#13
Funky

    New Member

  • Member
  • Pip
  • 6 posts
Here's the MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4545

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

9/4/2010 6:52:07 PM
mbam-log-2010-09-04 (18-52-07).txt

Scan type: Quick scan
Objects scanned: 130897
Time elapsed: 3 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


It showed nothing malicious in the scan. Also, I noticed just before running MBAM that MSE's history shows the removal of the other 16 malicious objects it had detected during the scan you had me run earlier today - so it seems likely the computer is clean. Curiously, I STILL cannot login to this forum - same problem as before. I did try one other login, and it worked fine, so I'm not sure what to make of the phenomenon.

If this means I need to reinstall Firefox, I would very much like help transferring data over - I've copied its bookmarks once, some time ago, but I've forgotten how, and I've no idea how to transfer anything else - any instructions would be fantastic.

Thank you very much for all your help. :)

Geoff
  • 0

#14
BlackOxide

    Trusted Helper

  • Malware Removal
  • 1,976 posts
Ok, no problem, let's get your FireFox data backed up, then we'll remove FireFox completely and reinstall it.

Firstly let's back up your current FireFox data...

  • Download MozBackup from here
  • Once downloaded, double click it to install MozBackup
  • Run MozBackup, click Next, then make sure Backup a Profile is selected at the top and click Mozilla Firefox 3.6.8 in the bottom section, then click Next
  • Select your profile above (which is usually just 'default'), then click the Browse button below to choose where you would like the file saved to
  • Click Next and it will prompt whether you would like to Password protect your backup file. Click Yes or No depending if you would like the backup file itself to be password protected
  • Once you have done this you will be presented with the following screen

Posted Image


Make sure the following tick boxes have a tick in them:
- General Settings
- Bookmarks
- History
- Saved Passwords
- Saved Form Details

Once you have done this click Next to create the backup file
Click Finish to exit MozBackup



Uninstall FireFox completely
Please make sure the above steps in backing up your profile with MozBackup have been completed before doing this stage.

  • Click Start then Control Panel
  • Click Programs and Features
  • Click Mozilla FireFox then Uninstall at the top
  • As you go through the uninstallation make sure Remove my Firefox personal data and customizations is ticked (see image below)

Posted Image


Now click Uninstall to remove Firefox
Please reboot your PC after uninstalling it


Reinstall Firefox and restore the backup

  • Click here to download the latest version of Firefox
  • Once downloaded, double click on the file to install Firefox
  • Once Firefox has been installed, let's restore that backup...

  • Open MozBackup and click Next
  • Choose Restore a Profile at the top, then make sure Mozilla Firefox 3.6.8 is selected at the bottom and then click Next
  • Click Browse at the bottom and select the backup file you made earlier and then click Next
  • All the available tick boxes should be ticked, so just click Next again
  • This should now restore your Bookmarks and other saved data back into Firefox

Now open Firefox and try logging into this site again, then let me know how you get on or if you have any questions with any of this :)
  • 0

#15
Funky

    New Member

  • Member
  • Pip
  • 6 posts
Before deciding to reinstall, I did more testing - my computer is back to full speed, by the way, so thank you. :) I did have further minor issues with the rar, in that more files turned up as viruses again - I think it was because I wound up having to use WinRAR's trial version instead of 7z (7z appears not to allow selective deletion from older rars), and WinRAR does deletion by making a copy of the rar minus the deleted files, deleting the old rar, and renaming the new with the old rar's name - if the process gets interrupted, you wind up with the renamed version and sometimes the old as well. Anyway, I finally got it all sorted out - I still have the rar, and no virus alerts.

Turns out I was having the same login problem on any site that used a redirect-style login (PayPal, for example). So, I set Firefox to accept cookies from websites (not sure how it got switched off), and voila, I can login normally. I'm still downloading the backup utility and a copy of your instructions for when I need it, however, so your time wasn't wasted.

Looks like all my problems are resolved, so for one last time - thank you, and the Geeks To Go team, very much! :)

Best,
Geoff
  • 0
