Hacked/Backdoor? [Closed]


This topic is locked

#1 MinuteMouse (Member, 21 posts)
Attached File  Extras.Txt   50.08KB   43 downloads
Attached File  OTL.Txt   97.91KB   44 downloads

Hello:
I believe my system has been hacked and a backdoor installed. Music and ads suddenly playing on my computer, redirects, new, unusual files appearing, slow performance, settings on AV tools changed, "sent" mail from e-mail accounts (which I didn't send), new programs installed, security popups, desktop.ini in every folder/file location, some system viewer features disabled.

I have run a number of tools recently including ComboFix and aswMBR. Spyware Doctor indicated that I had 150 trojan/malware infections, which I removed. Malwarebytes recently discovered infections related to OneNote. Password-protected files/folders have appeared, hidden files appearing for no reason, applications attempting to run in places like iTunes.

I have changed admin/standard passwords, but if I change them while in normal mode and then try to sign back in with the new passwords, they don't work (they do if I change them in safe mode). An unknown user name has appeared on my comp, identified as the administrator (this user is named simply "C"). Possible activity on an unused HD partition. Have noticed strange established connections while using the program Process Hacker. Disabled remote settings. Removed some old programs using Revo Uninstaller.

I am the hub for a small home network (I have a wired desktop, and two wireless comps are connected via router). Security settings were not in place previously (i.e., no admin/standard passwords, default router settings, etc.). It's possible that I got hacked while communicating with someone via my Yahoo account, opening YouTube links, or they got my IP (but I don't know this for sure). My AOL account was compromised.

Need some help. Want to know if I have a backdoor. Thanks in advance!

OTL logfile created on: 1/28/2012 9:49:25 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\D\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.94 Gb Total Physical Memory | 0.73 Gb Available Physical Memory | 37.94% Memory free
4.88 Gb Paging File | 3.74 Gb Available in Paging File | 76.71% Paging File free
Paging file location(s): c:\pagefile.sys 3072 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222.79 Gb Total Space | 105.58 Gb Free Space | 47.39% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 4.21 Gb Free Space | 42.14% Space Free | Partition Type: NTFS

Computer Name: D-PC | User Name: C | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/28 09:46:32 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\D\Desktop\OTL.exe
PRC - [2012/01/06 11:26:06 | 000,722,616 | ---- | M] (iolo technologies, LLC) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
PRC - [2012/01/03 06:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/12/16 22:08:59 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/12/04 17:28:54 | 015,200,352 | ---- | M] (VS Revo Group) -- C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
PRC - [2011/10/13 23:01:50 | 000,994,360 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psia.exe
PRC - [2011/10/13 23:01:46 | 000,291,896 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi_tray.exe
PRC - [2011/04/16 17:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Norton 360\Engine\5.1.0.29\ccsvchst.exe
PRC - [2010/12/14 07:49:23 | 001,169,408 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sdclt.exe
PRC - [2009/04/10 23:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2007/12/05 06:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AERTSrv.exe


========== Modules (No Company Name) ==========

MOD - [2012/01/23 12:06:17 | 008,527,008 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll
MOD - [2011/12/16 22:08:59 | 002,124,760 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Unknown | Stopped] -- -- (getPlusHelper)
SRV - [2012/01/11 16:18:14 | 001,117,624 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\PC Tools\PC Tools Security\pctsSvc.exe -- (sdCoreService)
SRV - [2012/01/11 14:56:12 | 000,402,336 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\PC Tools\PC Tools Security\pctsAuxs.exe -- (sdAuxService)
SRV - [2012/01/11 14:56:08 | 000,071,008 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\PC Tools\PC Tools Security\TFEngine\TFService.exe -- (ThreatFire)
SRV - [2012/01/06 11:26:06 | 000,722,616 | ---- | M] (iolo technologies, LLC) [Auto | Running] -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe -- (ioloSystemService)
SRV - [2012/01/03 06:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/10/13 23:01:50 | 000,994,360 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\PSIA.exe -- (Secunia PSI Agent)
SRV - [2011/06/13 21:09:22 | 000,267,568 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Fix it Center\Matsvc.exe -- (MatSvc)
SRV - [2011/04/16 17:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton 360\Norton 360\Engine\5.1.0.29\ccSvcHst.exe -- (N360)
SRV - [2009/10/20 11:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Disabled | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)
SRV - [2008/01/29 17:09:02 | 000,394,704 | ---- | M] (Symantec, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist)
SRV - [2008/01/19 00:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/05 06:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AERTSrv.exe -- (AERTFilters)
SRV - [2007/05/31 08:21:24 | 000,379,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007/05/31 08:21:18 | 000,183,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2006/10/23 05:50:35 | 000,046,640 | R--- | M] (AOL LLC) [On_Demand | Stopped] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)


========== Driver Services (SafeList) ==========

DRV - [2012/01/11 16:19:24 | 000,070,536 | ---- | M] (PC Tools) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pctplsg.sys -- (pctplsg)
DRV - [2012/01/11 16:19:02 | 000,185,560 | ---- | M] (PC Tools) [Kernel | System | Running] -- C:\Windows\System32\drivers\PCTSD.sys -- (PCTSD)
DRV - [2012/01/11 16:14:30 | 000,253,352 | ---- | M] (PC Tools) [Kernel | System | Running] -- C:\Windows\System32\drivers\pctgntdi.sys -- (pctgntdi)
DRV - [2012/01/11 14:56:12 | 000,574,424 | --S- | M] (PC Tools) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\TfSysMon.sys -- (TFSysMon)
DRV - [2012/01/11 14:56:12 | 000,054,328 | --S- | M] (PC Tools) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - [2012/01/11 14:56:12 | 000,035,264 | --S- | M] (PC Tools) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - [2011/12/31 12:56:49 | 000,038,976 | ---- | M] (microOLAP Technologies LTD) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pssdk42.sys -- (PSSDK42)
DRV - [2011/12/31 08:31:22 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\19870623.sys -- (19870623)
DRV - [2011/12/15 16:33:22 | 000,368,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120126.003\IDSvix86.sys -- (IDSVix86)
DRV - [2011/12/01 16:07:06 | 000,909,728 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\Windows\system32\drivers\pctEFA.sys -- (pctEFA)
DRV - [2011/12/01 16:07:06 | 000,342,168 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\pctDS.sys -- (pctDS)
DRV - [2011/11/30 19:25:03 | 000,820,344 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20120121.002\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/11/29 23:27:49 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20120127.019\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/11/29 23:27:49 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/11/29 23:27:49 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/11/29 23:27:49 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20120127.019\NAVENG.SYS -- (NAVENG)
DRV - [2011/11/14 15:12:26 | 000,331,880 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2011/06/06 00:24:08 | 000,126,584 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/05/04 11:36:32 | 000,027,192 | ---- | M] (Resplendence Software Projects Sp.) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\rspSanity32.sys -- (rspSanity)
DRV - [2011/03/30 20:00:09 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\Drivers\N360\0501000.01D\SRTSP.SYS -- (SRTSP)
DRV - [2011/03/30 20:00:09 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\N360\0501000.01D\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2011/03/21 17:39:49 | 000,331,384 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\N360\0501000.01D\SYMTDIV.SYS -- (SYMTDIv)
DRV - [2011/03/14 19:31:23 | 000,744,568 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\system32\drivers\N360\0501000.01D\SYMEFA.SYS -- (SymEFA)
DRV - [2011/01/26 23:47:10 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\N360\0501000.01D\SYMDS.SYS -- (SymDS)
DRV - [2010/11/15 18:45:33 | 000,136,312 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\N360\0501000.01D\Ironx86.SYS -- (SymIRON)
DRV - [2010/09/01 01:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\psi_mf.sys -- (PSI)
DRV - [2009/12/30 10:21:18 | 000,027,192 | ---- | M] (VS Revo Group) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\revoflt.sys -- (Revoflt)
DRV - [2009/12/13 04:21:40 | 000,002,560 | ---- | M] (SupportSoft Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssrangdr.sys -- (ssrangdr)
DRV - [2009/10/20 11:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\npf.sys -- (NPF)
DRV - [2009/07/14 18:54:00 | 009,557,216 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/12/09 09:59:30 | 000,020,392 | ---- | M] (EldoS Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\ElRawDsk.sys -- (ElRawDisk)
DRV - [2007/10/29 02:40:28 | 001,062,048 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2007/08/09 18:12:30 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\nvstor32.sys -- (nvstor32)
DRV - [2006/11/02 00:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/11/02 00:30:55 | 000,200,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2006/11/01 13:18:15 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2006/10/18 11:08:18 | 000,258,048 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2006/08/04 17:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Search the Web"
FF - prefs.js..browser.startup.homepage: "http://www.google.co...m/?rlz=1V1IPYX"
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@emusic.com/dlm-plugin: C:\Users\D\Desktop\Downloads\etunes downloads\eMusic Download Manager\plugin\npemusic.dll (eMusic.com)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\C\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\C\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\eMusic Download Manager\Extensions\\Components: C:\Users\D\Desktop\Downloads\etunes downloads\eMusic Download Manager\xulrunner\components [2011/11/21 13:08:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\eMusic Download Manager\Extensions\\Plugins: C:\Users\D\Desktop\Downloads\etunes downloads\eMusic Download Manager\xulrunner\plugins [2012/01/20 19:24:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2010/10/28 03:03:39 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\IPSFFPlgn\ [2012/01/28 09:24:08 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\coFFPlgn_2011_7_4_3 [2012/01/28 09:24:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2011/12/06 23:32:14 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/12/26 12:02:44 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/20 19:24:02 | 000,000,000 | ---D | M]

[2011/12/06 13:41:28 | 000,000,000 | ---D | M] (No name found) -- C:\Users\C\AppData\Roaming\mozilla\Extensions
[2011/12/25 00:54:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\C\AppData\Roaming\mozilla\Firefox\Profiles\vvb3bvb9.default\extensions
[2011/12/25 00:54:30 | 000,000,000 | ---D | M] (WOT) -- C:\Users\C\AppData\Roaming\mozilla\Firefox\Profiles\vvb3bvb9.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2011/12/25 00:54:30 | 000,000,000 | ---D | M] (Ghostery) -- C:\Users\C\AppData\Roaming\mozilla\Firefox\Profiles\vvb3bvb9.default\extensions\[email protected]
[2012/01/03 17:10:14 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/01/03 17:10:15 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
[2011/12/16 22:09:01 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/01/03 17:09:53 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/11/10 13:35:18 | 000,002,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\adawaretb.xml
[2011/12/16 18:38:42 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/12/16 18:25:53 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/12/16 18:38:42 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/12/16 18:38:42 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/12/16 18:38:42 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\C\AppData\Local\Google\Chrome\Application\16.0.912.77\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\C\AppData\Local\Google\Chrome\Application\16.0.912.77\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\C\AppData\Local\Google\Chrome\Application\16.0.912.77\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U29 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: downloadUpdater (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdnu.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
CHR - plugin: Microsoft Office Live Plug-in for Firefox (Enabled) = C:\Program Files\Microsoft\Office Live\npOLW.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: DivX VOD Helper Plug-in (Enabled) = C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll
CHR - plugin: DivX Plus Web Player (Enabled) = C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Google Update (Enabled) = C:\Users\C\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: eMusic Remote Plugin (Enabled) = C:\Users\D\Desktop\Downloads\etunes downloads\eMusic Download Manager\plugin\npemusic.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: DivX Plus Web Player HTML5 \u003Cvideo\u003E = C:\Users\C\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm\2.1.2.145_0\

O1 HOSTS File: ([2012/01/25 01:33:24 | 000,000,806 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Norton 360\Engine\5.1.0.29\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Norton 360\Engine\5.1.0.29\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Norton 360\Engine\5.1.0.29\coieplg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Norton 360\Engine\5.1.0.29\coieplg.dll (Symantec Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://oas.support....veX/MSDcode.cab (Reg Error: Key error.)
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} https://icmsweb.star...olv_cs/smsx.cab (MeadCo ScriptX)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B9C63BB0-190C-469D-BF4B-2E14F0B49D93}: DhcpNameServer = 75.75.75.75 75.75.76.76
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - File not found
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/27 23:03:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012/01/27 23:03:04 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/01/27 22:58:25 | 000,000,000 | ---D | C] -- C:\Users\C\AppData\Roaming\VS Revo Group
[2012/01/27 19:38:17 | 000,000,000 | ---D | C] -- C:\Program Files\Belarc
[2012/01/27 19:00:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hitman Pro 3.5
[2012/01/27 19:00:05 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2012/01/27 18:58:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
[2012/01/27 18:04:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/01/27 18:04:45 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/01/27 18:04:45 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/01/27 11:15:25 | 000,000,000 | ---D | C] -- C:\Users\C\AppData\Local\temp
[2012/01/27 11:14:13 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/01/27 00:27:27 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/01/27 00:27:27 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/01/27 00:27:27 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/01/27 00:27:18 | 000,000,000 | ---D | C] -- C:\user567
[2012/01/27 00:26:59 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/01/26 20:43:16 | 000,000,000 | ---D | C] -- C:\Users\C\AppData\Local\Eraser 6
[2012/01/25 11:54:42 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/01/25 00:26:34 | 000,000,000 | ---D | C] -- C:\Users\C\DoctorWeb
[2012/01/23 20:08:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2012/01/21 23:08:12 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2012/01/21 11:06:59 | 000,000,000 | ---D | C] -- C:\Users\C\AppData\Roaming\PCTools
[2012/01/21 03:20:27 | 000,574,424 | --S- | C] (PC Tools) -- C:\Windows\System32\drivers\TfSysMon.sys
[2012/01/21 03:20:27 | 000,035,264 | --S- | C] (PC Tools) -- C:\Windows\System32\drivers\TfNetMon.sys
[2012/01/21 03:20:25 | 000,054,328 | --S- | C] (PC Tools) -- C:\Windows\System32\drivers\TfFsMon.sys
[2012/01/20 00:50:00 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2012/01/20 00:50:00 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2012/01/19 21:14:01 | 000,253,352 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctgntdi.sys
[2012/01/19 21:14:01 | 000,107,864 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctwfpfilter.sys
[2012/01/19 21:13:26 | 000,017,848 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctBTFix.sys
[2012/01/19 21:13:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Tools Security
[2012/01/19 21:13:20 | 000,070,536 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctplsg.sys
[2012/01/19 21:13:13 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools
[2012/01/19 21:10:46 | 000,909,728 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctEFA.sys
[2012/01/19 21:10:46 | 000,342,168 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctDS.sys
[2012/01/19 21:10:41 | 000,331,880 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTCore.sys
[2012/01/19 21:10:41 | 000,162,584 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTAppEvent.sys
[2012/01/19 21:10:31 | 000,185,560 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTSD.sys
[2012/01/19 21:10:31 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2012/01/19 21:07:50 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2012/01/19 21:07:49 | 000,000,000 | ---D | C] -- C:\Users\C\AppData\Roaming\TestApp
[2012/01/19 19:40:16 | 000,000,000 | ---D | C] -- C:\Users\C\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton
[2012/01/18 23:35:32 | 000,000,000 | ---D | C] -- C:\Users\C\AppData\Roaming\KeePass
[2012/01/18 22:05:02 | 000,000,000 | ---D | C] -- C:\Users\C\AppData\Roaming\Process Hacker 2
[2012/01/18 21:58:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2
[2012/01/18 21:58:29 | 000,000,000 | ---D | C] -- C:\Program Files\Process Hacker 2
[2012/01/18 20:24:10 | 000,000,000 | ---D | C] -- C:\Program Files\NirSoft
[2012/01/14 01:08:15 | 000,027,192 | ---- | C] (Resplendence Software Projects Sp.) -- C:\Windows\System32\drivers\rspSanity32.sys
[2012/01/14 01:08:14 | 000,000,000 | ---D | C] -- C:\Program Files\SanityCheck
[2012/01/13 02:43:30 | 000,000,000 | ---D | C] -- C:\Users\C\AppData\Local\SupportSoft
[2012/01/13 01:56:08 | 000,000,000 | ---D | C] -- C:\Microsoft
[2012/01/10 01:50:08 | 000,000,000 | ---D | C] -- C:\Users\C\AppData\Roaming\FreeFixer
[2012/01/10 01:50:08 | 000,000,000 | ---D | C] -- C:\Users\C\AppData\Local\FreeFixer
[2012/01/10 01:49:59 | 000,000,000 | ---D | C] -- C:\Users\C\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FreeFixer
[2012/01/10 01:49:59 | 000,000,000 | ---D | C] -- C:\Program Files\FreeFixer
[2012/01/10 01:28:57 | 000,000,000 | ---D | C] -- C:\Users\C\AppData\Roaming\f-secure
[2012/01/10 01:28:32 | 000,000,000 | ---D | C] -- C:\ProgramData\F-Secure
[2012/01/02 23:24:28 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2012/01/02 22:57:04 | 000,076,696 | ---- | C] (Prevx) -- C:\Windows\System32\drivers\pxrts.sys
[2012/01/02 22:56:58 | 000,000,000 | ---D | C] -- C:\ProgramData\PrevxCSI
[2012/01/01 21:26:59 | 000,000,000 | ---D | C] -- C:\Users\C\AppData\Local\CrashDumps
[2012/01/01 20:40:12 | 000,000,000 | ---D | C] -- C:\Users\C\AppData\Local\VS Revo Group
[2012/01/01 20:40:06 | 000,027,192 | ---- | C] (VS Revo Group) -- C:\Windows\System32\drivers\revoflt.sys
[2012/01/01 20:40:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
[2012/01/01 20:33:53 | 000,000,000 | ---D | C] -- C:\Users\C\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller
[2011/12/31 17:26:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Uniblue
[2011/12/31 17:25:35 | 000,000,000 | ---D | C] -- C:\Users\C\AppData\Roaming\OpenCandy
[2011/12/31 12:56:49 | 000,038,976 | ---- | C] (microOLAP Technologies LTD) -- C:\Windows\System32\drivers\pssdk42.sys
[2011/12/31 12:56:08 | 000,000,000 | ---D | C] -- C:\Program Files\Tenable
[2011/12/30 22:32:27 | 000,133,208 | ---- | C] (Kaspersky Lab ZAO) -- C:\Windows\System32\drivers\19870623.sys
[2011/12/30 20:51:45 | 000,000,000 | ---D | C] -- C:\Users\C\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome

========== Files - Modified Within 30 Days ==========

[2012/01/28 09:56:00 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3008658398-1242687141-1261451896-1001UA.job
[2012/01/28 09:42:58 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/28 09:42:58 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/28 09:23:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/01/27 23:03:07 | 000,000,766 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/01/27 20:56:00 | 000,000,840 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3008658398-1242687141-1261451896-1001Core.job
[2012/01/27 19:38:17 | 000,001,831 | ---- | M] () -- C:\Users\C\Application Data\Microsoft\Internet Explorer\Quick Launch\Belarc Advisor.lnk
[2012/01/27 19:38:17 | 000,001,807 | ---- | M] () -- C:\Users\Public\Desktop\Belarc Advisor.lnk
[2012/01/27 19:00:06 | 000,023,624 | ---- | M] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2012/01/27 19:00:06 | 000,001,747 | ---- | M] () -- C:\Users\Public\Desktop\Hitman Pro 3.5.lnk
[2012/01/27 18:04:47 | 000,000,868 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/27 17:45:59 | 000,000,528 | R--- | M] () -- C:\MediaID.bin
[2012/01/27 12:33:21 | 000,001,051 | ---- | M] () -- C:\Users\C\Application Data\Microsoft\Internet Explorer\Quick Launch\Revo Uninstaller Pro.lnk
[2012/01/27 12:33:21 | 000,001,027 | ---- | M] () -- C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk
[2012/01/27 11:25:32 | 000,299,952 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/01/27 10:56:47 | 000,000,452 | ---- | M] () -- C:\Users\C\Documents\cc_20120127_105640.reg
[2012/01/27 01:28:34 | 002,239,098 | ---- | M] () -- C:\Windows\System32\drivers\Cat.DB
[2012/01/26 13:57:55 | 000,002,024 | ---- | M] () -- C:\Users\C\Desktop\Google Chrome.lnk
[2012/01/26 13:57:55 | 000,001,986 | ---- | M] () -- C:\Users\C\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/01/25 20:51:17 | 000,000,512 | ---- | M] () -- C:\Users\C\Documents\MBR.dat
[2012/01/25 20:29:45 | 000,000,000 | ---- | M] () -- C:\Users\C\defogger_reenable
[2012/01/25 01:33:24 | 000,000,806 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/01/23 19:53:45 | 000,604,264 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/01/23 19:53:45 | 000,103,964 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/01/22 16:35:01 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2012/01/22 01:11:52 | 000,001,795 | ---- | M] () -- C:\Users\C\Desktop\Process Hacker 2.lnk
[2012/01/20 19:17:01 | 000,000,861 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2012/01/20 09:18:12 | 000,001,873 | ---- | M] () -- C:\Users\C\Desktop\System Mechanic.lnk
[2012/01/20 00:27:44 | 000,001,941 | ---- | M] () -- C:\Users\Public\Desktop\PC Tools Spyware Doctor with AntiVirus.lnk
[2012/01/19 21:07:51 | 000,001,632 | ---- | M] () -- C:\Users\C\Desktop\sdsetup.exe.lnk
[2012/01/19 19:40:18 | 000,000,916 | ---- | M] () -- C:\Users\C\Desktop\Norton Installation Files.lnk
[2012/01/18 23:32:50 | 000,002,686 | ---- | M] () -- C:\Users\C\Documents\NewDatabase.kdbx
[2012/01/14 01:21:47 | 000,005,039 | ---- | M] () -- C:\Users\C\AppData\Local\Temp17.html
[2012/01/14 01:20:19 | 000,001,293 | ---- | M] () -- C:\Users\C\AppData\Local\Temp1.html
[2012/01/13 02:43:31 | 000,000,177 | ---- | M] () -- C:\Users\C\Desktop\Comcast Security.url
[2012/01/13 02:43:31 | 000,000,171 | ---- | M] () -- C:\Users\C\Desktop\Comcast Email.url
[2012/01/13 02:43:31 | 000,000,074 | ---- | M] () -- C:\Users\C\Desktop\Ask Comcast.url
[2012/01/13 02:43:31 | 000,000,054 | ---- | M] () -- C:\Users\C\Desktop\Comcast Help.url
[2012/01/13 02:43:30 | 000,002,077 | ---- | M] () -- C:\Users\Public\Desktop\Comcast Desktop Software.lnk
[2012/01/13 02:43:30 | 000,000,081 | ---- | M] () -- C:\Users\C\Desktop\Comcast Account Login.url
[2012/01/11 16:19:24 | 000,070,536 | ---- | M] (PC Tools) -- C:\Windows\System32\drivers\pctplsg.sys
[2012/01/11 16:19:02 | 000,185,560 | ---- | M] (PC Tools) -- C:\Windows\System32\drivers\PCTSD.sys
[2012/01/11 16:17:50 | 000,017,848 | ---- | M] (PC Tools) -- C:\Windows\System32\drivers\pctBTFix.sys
[2012/01/11 16:14:36 | 000,107,864 | ---- | M] (PC Tools) -- C:\Windows\System32\drivers\pctwfpfilter.sys
[2012/01/11 16:14:30 | 000,253,352 | ---- | M] (PC Tools) -- C:\Windows\System32\drivers\pctgntdi.sys
[2012/01/11 14:56:12 | 000,574,424 | --S- | M] (PC Tools) -- C:\Windows\System32\drivers\TfSysMon.sys
[2012/01/11 14:56:12 | 000,054,328 | --S- | M] (PC Tools) -- C:\Windows\System32\drivers\TfFsMon.sys
[2012/01/11 14:56:12 | 000,035,264 | --S- | M] (PC Tools) -- C:\Windows\System32\drivers\TfNetMon.sys
[2012/01/06 11:51:24 | 000,029,696 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\iolobtdfg.exe
[2012/01/06 11:51:16 | 000,011,776 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\smrgdf.exe
[2012/01/06 11:29:06 | 002,083,464 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\Incinerator32.dll
[2012/01/02 22:57:04 | 000,076,696 | ---- | M] (Prevx) -- C:\Windows\System32\drivers\pxrts.sys
[2012/01/02 22:56:58 | 000,000,046 | ---- | M] () -- C:\Windows\wininit.ini
[2012/01/01 20:33:53 | 000,001,019 | ---- | M] () -- C:\Users\C\Desktop\Revo Uninstaller.lnk
[2011/12/31 19:01:33 | 000,011,054 | ---- | M] () -- C:\Users\C\Documents\cc registry backup_20111231_190108.reg
[2011/12/31 13:30:29 | 000,001,024 | ---- | M] () -- C:\.rnd
[2011/12/31 12:56:49 | 000,038,976 | ---- | M] (microOLAP Technologies LTD) -- C:\Windows\System32\drivers\pssdk42.sys
[2011/12/31 08:31:22 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) -- C:\Windows\System32\drivers\19870623.sys

========== Files Created - No Company Name ==========

[2012/01/27 23:03:07 | 000,000,766 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/01/27 19:38:17 | 000,001,831 | ---- | C] () -- C:\Users\C\Application Data\Microsoft\Internet Explorer\Quick Launch\Belarc Advisor.lnk
[2012/01/27 19:38:17 | 000,001,819 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Belarc Advisor.lnk
[2012/01/27 19:38:17 | 000,001,807 | ---- | C] () -- C:\Users\Public\Desktop\Belarc Advisor.lnk
[2012/01/27 19:00:06 | 000,023,624 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2012/01/27 19:00:06 | 000,001,747 | ---- | C] () -- C:\Users\Public\Desktop\Hitman Pro 3.5.lnk
[2012/01/27 18:04:47 | 000,000,868 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/27 17:45:59 | 000,000,528 | R--- | C] () -- C:\MediaID.bin
[2012/01/27 11:25:14 | 000,299,952 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/01/27 10:56:45 | 000,000,452 | ---- | C] () -- C:\Users\C\Documents\cc_20120127_105640.reg
[2012/01/27 00:27:27 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/01/27 00:27:27 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/01/27 00:27:27 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/01/27 00:27:27 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/01/27 00:27:27 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/01/25 20:29:45 | 000,000,000 | ---- | C] () -- C:\Users\C\defogger_reenable
[2012/01/20 19:17:01 | 000,000,861 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2012/01/20 19:17:01 | 000,000,824 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Secunia PSI.lnk
[2012/01/20 00:27:44 | 000,001,941 | ---- | C] () -- C:\Users\Public\Desktop\PC Tools Spyware Doctor with AntiVirus.lnk
[2012/01/19 21:10:49 | 002,239,098 | ---- | C] () -- C:\Windows\System32\drivers\Cat.DB
[2012/01/19 21:07:51 | 000,001,632 | ---- | C] () -- C:\Users\C\Desktop\sdsetup.exe.lnk
[2012/01/19 19:40:16 | 000,000,916 | ---- | C] () -- C:\Users\C\Desktop\Norton Installation Files.lnk
[2012/01/18 23:32:50 | 000,002,686 | ---- | C] () -- C:\Users\C\Documents\NewDatabase.kdbx
[2012/01/18 21:58:30 | 000,001,795 | ---- | C] () -- C:\Users\C\Desktop\Process Hacker 2.lnk
[2012/01/14 01:21:47 | 000,005,039 | ---- | C] () -- C:\Users\C\AppData\Local\Temp17.html
[2012/01/14 01:08:58 | 000,001,293 | ---- | C] () -- C:\Users\C\AppData\Local\Temp1.html
[2012/01/13 02:43:31 | 000,000,177 | ---- | C] () -- C:\Users\C\Desktop\Comcast Security.url
[2012/01/13 02:43:31 | 000,000,074 | ---- | C] () -- C:\Users\C\Desktop\Ask Comcast.url
[2012/01/13 02:43:31 | 000,000,054 | ---- | C] () -- C:\Users\C\Desktop\Comcast Help.url
[2012/01/13 02:43:30 | 000,002,077 | ---- | C] () -- C:\Users\Public\Desktop\Comcast Desktop Software.lnk
[2012/01/13 02:43:30 | 000,000,171 | ---- | C] () -- C:\Users\C\Desktop\Comcast Email.url
[2012/01/13 02:43:30 | 000,000,081 | ---- | C] () -- C:\Users\C\Desktop\Comcast Account Login.url
[2012/01/07 12:36:35 | 000,000,512 | ---- | C] () -- C:\Users\C\Documents\MBR.dat
[2012/01/02 22:56:58 | 000,000,046 | ---- | C] () -- C:\Windows\wininit.ini
[2012/01/01 20:40:08 | 000,001,051 | ---- | C] () -- C:\Users\C\Application Data\Microsoft\Internet Explorer\Quick Launch\Revo Uninstaller Pro.lnk
[2012/01/01 20:40:08 | 000,001,027 | ---- | C] () -- C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk
[2011/12/31 19:01:30 | 000,011,054 | ---- | C] () -- C:\Users\C\Documents\cc registry backup_20111231_190108.reg
[2011/12/31 12:56:49 | 000,001,024 | ---- | C] () -- C:\.rnd
[2011/12/30 20:51:49 | 000,002,024 | ---- | C] () -- C:\Users\C\Desktop\Google Chrome.lnk
[2011/12/30 20:51:49 | 000,001,986 | ---- | C] () -- C:\Users\C\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/12/30 20:51:19 | 000,000,892 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3008658398-1242687141-1261451896-1001UA.job
[2011/12/30 20:51:18 | 000,000,840 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3008658398-1242687141-1261451896-1001Core.job
[2011/12/24 02:42:00 | 000,074,703 | ---- | C] () -- C:\Windows\System32\mfc45.dll
[2011/12/06 21:21:47 | 006,342,403 | ---- | C] () -- C:\Users\C\AppData\Roaming\SMRBackup210.dat
[2011/12/05 21:13:44 | 000,000,680 | ---- | C] () -- C:\Users\C\AppData\Local\d3d9caps.dat
[2011/11/22 11:28:19 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/03/02 22:13:01 | 000,000,140 | -HS- | C] () -- C:\Windows\WSYS049.SYS
[2010/01/02 22:53:53 | 000,000,012 | ---- | C] () -- C:\Windows\msoffice.ini
[2009/12/17 00:31:13 | 000,000,164 | ---- | C] () -- C:\Windows\install.dat
[2009/10/20 11:19:30 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll
[2009/08/09 23:05:32 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/08/09 23:05:31 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/02/14 04:01:07 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2009/01/22 07:00:18 | 000,000,335 | ---- | C] () -- C:\Windows\nsreg.dat
[2007/12/16 18:27:09 | 000,000,012 | ---- | C] () -- C:\Windows\bthservsdp.dat
[2007/03/19 04:04:58 | 000,003,584 | ---- | C] () -- C:\Windows\System32\namResES.dll
[2007/03/19 04:04:58 | 000,003,072 | ---- | C] () -- C:\Windows\System32\namResIT.dll
[2007/03/19 04:04:58 | 000,003,072 | ---- | C] () -- C:\Windows\System32\namResFR.dll
[2007/03/19 04:04:58 | 000,003,072 | ---- | C] () -- C:\Windows\System32\namResENG.dll
[2007/03/19 04:04:58 | 000,003,072 | ---- | C] () -- C:\Windows\System32\namResDE.dll
[2007/03/19 04:04:56 | 000,003,584 | ---- | C] () -- C:\Windows\System32\namResPTB.dll
[2007/03/19 04:04:56 | 000,003,072 | ---- | C] () -- C:\Windows\System32\namResZHC.dll
[2007/03/19 04:04:56 | 000,003,072 | ---- | C] () -- C:\Windows\System32\namResKO.dll
[2007/03/19 04:04:56 | 000,003,072 | ---- | C] () -- C:\Windows\System32\namResJA.dll
[2007/03/19 04:04:54 | 000,022,016 | ---- | C] () -- C:\Windows\System32\nam_page.dll
[2007/03/19 04:04:54 | 000,003,072 | ---- | C] () -- C:\Windows\System32\namResZHT.dll
[2006/11/10 06:26:12 | 000,000,000 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2006/11/02 05:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 05:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 03:33:01 | 000,604,264 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 03:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 03:33:01 | 000,103,964 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 03:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 03:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 03:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 01:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 01:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 00:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 00:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== LOP Check ==========

[2011/12/06 21:25:04 | 000,000,000 | ---D | M] -- C:\Users\C\AppData\Roaming\DataSafeOnline
[2012/01/10 01:28:57 | 000,000,000 | ---D | M] -- C:\Users\C\AppData\Roaming\f-secure
[2012/01/10 02:28:53 | 000,000,000 | ---D | M] -- C:\Users\C\AppData\Roaming\FreeFixer
[2011/12/24 04:13:20 | 000,000,000 | ---D | M] -- C:\Users\C\AppData\Roaming\iolo
[2012/01/18 23:35:32 | 000,000,000 | ---D | M] -- C:\Users\C\AppData\Roaming\KeePass
[2011/12/31 17:25:44 | 000,000,000 | ---D | M] -- C:\Users\C\AppData\Roaming\OpenCandy
[2012/01/21 11:06:59 | 000,000,000 | ---D | M] -- C:\Users\C\AppData\Roaming\PCTools
[2012/01/24 11:45:57 | 000,000,000 | ---D | M] -- C:\Users\C\AppData\Roaming\Process Hacker 2
[2011/12/07 01:29:18 | 000,000,000 | ---D | M] -- C:\Users\C\AppData\Roaming\QFX Software
[2012/01/19 21:07:49 | 000,000,000 | ---D | M] -- C:\Users\C\AppData\Roaming\TestApp
[2011/12/07 01:00:07 | 000,000,000 | ---D | M] -- C:\Users\C\AppData\Roaming\Tific
[2012/01/27 22:58:25 | 000,000,000 | ---D | M] -- C:\Users\C\AppData\Roaming\VS Revo Group
[2011/12/05 18:29:30 | 000,000,000 | ---D | M] -- C:\Users\C\AppData\Roaming\WinPatrol
[2012/01/27 21:40:30 | 000,032,618 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 176 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84

< End of report >

OTL Extras logfile created on: 1/28/2012 9:49:25 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\D\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.94 Gb Total Physical Memory | 0.73 Gb Available Physical Memory | 37.94% Memory free
4.88 Gb Paging File | 3.74 Gb Available in Paging File | 76.71% Paging File free
Paging file location(s): c:\pagefile.sys 3072 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222.79 Gb Total Space | 105.58 Gb Free Space | 47.39% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 4.21 Gb Free Space | 42.14% Space Free | Partition Type: NTFS

Computer Name: D-PC | User Name: C | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UpdatesDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{193CFDBF-F449-40DB-AA52-1958F670E288}" = lport=2869 | protocol=6 | dir=in | app=system |
"{62583E62-6BB6-4D8F-951E-F40E24EF82EC}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{009D1368-04A3-4FF2-A3C9-ADE0B3590C0B}" = protocol=17 | dir=in | app=c:\program files\common files\aol\acs\aoldial.exe |
"{07E2AB3B-B723-4589-A551-80B0A6661864}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{0E7E9FF5-6137-4064-8C18-FF44DC3E655D}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{0ED7C111-0E16-43B2-A8AB-F00132EAE383}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{11BAF8F5-E236-460A-BFC1-3E03F5BE7097}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{130AFD94-728B-4FB7-8184-5F061C2D6A91}" = protocol=6 | dir=in | app=c:\program files\common files\aol\system information\sinf.exe |
"{17ECBDDE-0A04-4605-8E80-04B7D20DAB01}" = protocol=6 | dir=in | app=c:\program files\common files\aol\1262709377\ee\aolsoftware.exe |
"{1886F585-95F7-4739-AB4B-1CA649AD9C00}" = protocol=6 | dir=in | app=c:\program files\common files\aol\acs\aoldial.exe |
"{2AC67408-C7A2-4194-9F3C-97F47D4942E2}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{32E63FCC-53BB-4CB5-B59C-285F108255D0}" = protocol=17 | dir=in | app=c:\program files\common files\aol\acs\aolacsd.exe |
"{381CDEEA-BA8F-4CE1-8C10-ABBA1486725A}" = protocol=6 | dir=in | app=c:\program files\common files\aol\system information\sinf.exe |
"{3B18E629-49D7-492B-B085-FA2415C97341}" = protocol=17 | dir=in | app=c:\program files\common files\aol\1262709377\ee\aoldesktop.exe |
"{475D9217-7141-4785-83B9-8ED86369A87D}" = protocol=6 | dir=in | app=c:\program files\common files\aol\topspeed\3.0\aoltpsd3.exe |
"{5151D9D9-AA77-4A75-9B5E-6351A584847C}" = protocol=17 | dir=in | app=c:\program files\common files\aol\topspeed\3.0\aoltpsd3.exe |
"{51E86470-C224-418B-B134-A1613BE69A56}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{5C70CA89-7306-495C-BC2D-10D214167B0B}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{5F405D4E-B5D4-4836-A3AF-790CA78A0B21}" = protocol=17 | dir=in | app=c:\program files\common files\aol\1262709377\ee\aolsoftware.exe |
"{64E51D7C-BB5B-457F-918B-29F35B24AD2F}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{69569454-10B6-4FD7-88E4-ACA84ABA1529}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{702C07C6-D6FD-4259-8B42-D330F484C15E}" = protocol=17 | dir=in | app=c:\program files\common files\aol\acs\aolacsd.exe |
"{74E24672-DAB1-4D3C-AA24-ED0A6339A990}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{7D5824F8-D597-4054-AA86-618FB8D59ED0}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{7F984AA3-9721-431C-A196-BA9F49DFBF56}" = protocol=6 | dir=in | app=c:\program files\common files\aol\acs\aolacsd.exe |
"{844502D6-FBF7-42A5-B72A-63E7EFF2E2F8}" = protocol=6 | dir=in | app=c:\program files\common files\aol\acs\aoldial.exe |
"{88715B67-4869-4DED-8406-558B2C00F88D}" = protocol=6 | dir=in | app=c:\program files\common files\aol\1262709377\ee\aoldesktop.exe |
"{8AD3BA47-69FF-41F5-908A-49A71BE0C6C2}" = protocol=6 | dir=in | app=c:\program files\common files\aol\topspeed\3.0\aoltpsd3.exe |
"{8D817212-138B-4CC5-8CC4-851AF207972F}" = protocol=17 | dir=in | app=c:\program files\common files\aol\system information\sinf.exe |
"{A0810598-528B-4F29-AC61-23D9C6EAF935}" = protocol=17 | dir=in | app=c:\program files\common files\aol\topspeed\3.0\aoltpsd3.exe |
"{B3954FBD-0EB2-403E-84AE-CB92C3F552B0}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{BBD81D95-5CD9-4A7C-9AFC-C71E7278580A}" = protocol=6 | dir=in | app=c:\program files\common files\aol\1262709377\ee\aolsoftware.exe |
"{BC622BCB-A14B-4447-9948-394E00E46044}" = protocol=6 | dir=in | app=c:\program files\aol 9.5\waol.exe |
"{BEA4F7AB-07C8-4359-84D0-6B9361C95EC3}" = protocol=17 | dir=in | app=c:\program files\aol 9.5\waol.exe |
"{BF10753C-CAD0-46E8-9C0D-097270974809}" = protocol=6 | dir=in | app=c:\program files\common files\aol\acs\aolacsd.exe |
"{C2428362-D8B2-488F-9831-C0B2AECFB3B3}" = protocol=17 | dir=in | app=c:\program files\common files\aol\acs\aoldial.exe |
"{C2690C08-8D21-4951-9D20-6F114E07B205}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{C5D283C7-A76B-4235-967E-E57C15A0A3F9}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{E259700B-00B2-4B7D-BF3B-2D1A4AB5248A}" = protocol=17 | dir=in | app=c:\program files\common files\aol\1262709377\ee\aolsoftware.exe |
"{EA0950D1-ACC3-4F99-BA68-F144CF43FBB8}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{F34F4873-4738-46B2-B85F-3F86A115029F}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{FA1519EF-CD90-43F9-8A80-A91ED6D39B27}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{FE1A9E72-9B8F-486B-A85A-1B2880A25B4D}" = protocol=17 | dir=in | app=c:\program files\common files\aol\system information\sinf.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{1CAC7A41-583B-4483-9FA5-3E5465AFF8C2}" = Microsoft Default Manager
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{20C53FA2-4307-4671-A93F-9463B29DFCF1}" = Symantec Technical Support Web Controls
"{2357B8BC-88C9-4A72-818C-050CC4EB0778}" = AOL Install
"{26A24AE4-039D-4CA4-87B4-2F83216030FF}" = Java™ 6 Update 30
"{3127F76D-5335-4AC7-BD1E-2F5247A23C24}" = iTunes
"{31B2D73B-4311-4D95-A131-32FB2194D1CB}" = Microsoft UI Engine
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{44CDBD1B-89FB-4E02-8319-2A4C550F664A}" = RTC Client API v1.2
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4D3C9F4B-4B7D-4E5D-99B9-0123AB0D51ED}" = Dell DataSafe Online
"{55FD1D5A-7AEF-4DA3-8FAF-A71B2A52FFC7}_is1" = iolo technologies' System Mechanic
"{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}" = User's Guides
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{61EDBE71-5D3E-4AB7-AD95-E53FEAF68C17}" = Bing Rewards Client Installer
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1" = Revo Uninstaller Pro 2.5.7
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{797EE0CA-8165-405C-B5CE-F11EC20F1BB0}" = Microsoft VC9 runtime libraries
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
"{89CEAE14-DD0F-448E-9554-15781EC9DB24}" = Product Documentation Launcher
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{904CCF62-818D-4675-BC76-D37EB399F917}" = Windows Mobile Device Center
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A5B48A19-F319-6BFB-82DE-A18ED1087221}" = Acrobat.com
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb" = Internet Explorer (Enable DEP)
"{AA027AE9-DD20-4677-AA72-D760A358320B}" = Microsoft VC9 runtime libraries
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B7588D45-AFDC-4C93-9E2E-A100F3554B64}" = Microsoft Fix it Center
"{CCFF1E13-77A2-4032-8B12-7566982A27DF}" = Internet Service Offers Launcher
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEF7211D-CE3A-44C4-B321-D84A2099AE94}" = Comcast Desktop Software (v1.2.0.9)
"{D7769185-9A7C-48D4-8874-5388743A1DE2}" = Music, Photos & Videos Launcher
"{D87149B3-7A1D-4548-9CBF-032B791E5908}" = Desktop Doctor
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E7044E25-3038-4A76-9064-344AC038043E}" = Windows Mobile Device Center Driver Update
"{EFAD4066-CAF3-4B27-9669-12EED352C376}" = NVIDIANetworkDiagnostic
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{F63A3748-B93D-4360-9AD4-B064481A5C7B}" = Modem Diagnostic Tool
"{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"AOL Regclient" = AOL Registration
"AOL Toolbar for Firefox" = AOL Toolbar for Firefox
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"Belarc Advisor" = Belarc Advisor 8.2
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 PCI V.92 Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DivX Setup" = DivX Setup
"eMusic Download Manager" = eMusic Download Manager 4.1.3.1
"ESET Online Scanner" = ESET Online Scanner v3
"FreeFixer0.60" = FreeFixer
"Funambol Outlook Sync Client" = Funambol Outlook Sync Client 7.2.2
"HitmanPro35" = Hitman Pro 3.5
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{EFAD4066-CAF3-4B27-9669-12EED352C376}" = NVIDIANetworkDiagnostic
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox 9.0 (x86 en-GB)" = Mozilla Firefox 9.0 (x86 en-GB)
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"N360" = Norton 360
"NVIDIA Drivers" = NVIDIA Drivers
"PhotoStitch" = Canon Utilities PhotoStitch
"Process_Hacker2_is1" = Process Hacker 2.27 (r4957)
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"Revo Uninstaller" = Revo Uninstaller 1.93
"SanityCheck_is1" = SanityCheck 2.02
"Secunia PSI" = Secunia PSI (2.0.0.4003)
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Spyware Doctor" = PC Tools Spyware Doctor with AntiVirus
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"WinPcapInst" = WinPcap 4.1.1
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/27/2011 4:41:15 PM | Computer Name = D-PC | Source = System Restore | ID = 8193
Description =

Error - 2/27/2011 5:18:12 PM | Computer Name = D-PC | Source = Perflib | ID = 1010
Description =

Error - 2/27/2011 5:18:15 PM | Computer Name = D-PC | Source = Perflib | ID = 1008
Description =

Error - 2/27/2011 11:23:53 PM | Computer Name = D-PC | Source = Application Hang | ID = 1002
Description = The program waol.exe version 9.6.0.2 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Problem Reports and Solutions control panel. Process
ID: 1440 Start Time: 01cbd6f6b802b860 Termination Time: 47

Error - 3/1/2011 4:56:23 AM | Computer Name = D-PC | Source = Perflib | ID = 1010
Description =

Error - 3/1/2011 4:56:25 AM | Computer Name = D-PC | Source = Perflib | ID = 1008
Description =

Error - 3/2/2011 4:58:57 AM | Computer Name = D-PC | Source = Perflib | ID = 1010
Description =

Error - 3/2/2011 3:26:09 PM | Computer Name = D-PC | Source = Application Hang | ID = 1002
Description = The program EXCEL.EXE version 12.0.6545.5000 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 10f0 Start Time: 01cbd90f990a9ed0 Termination Time: 0

Error - 3/2/2011 4:11:02 PM | Computer Name = D-PC | Source = System Restore | ID = 8209
Description =

Error - 3/2/2011 4:28:02 PM | Computer Name = D-PC | Source = System Restore | ID = 8209
Description =

[ Media Center Events ]
Error - 3/23/2009 5:37:51 AM | Computer Name = D-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

[ OSession Events ]
Error - 7/28/2009 12:46:25 AM | Computer Name = D-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 207
seconds with 180 seconds of active time. This session ended with a crash.

Error - 8/11/2010 12:28:45 AM | Computer Name = D-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6535.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 4
seconds with 0 seconds of active time. This session ended with a crash.

Error - 2/16/2011 8:40:59 PM | Computer Name = D-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 1/28/2012 1:52:57 AM | Computer Name = D-PC | Source = Ntfs | ID = 262281
Description = The default transaction resource manager on volume RECOVERY encountered
a non-retryable error and could not start. The data contains the error code.

Error - 1/28/2012 1:55:47 AM | Computer Name = D-PC | Source = Ntfs | ID = 262281
Description = The default transaction resource manager on volume RECOVERY encountered
a non-retryable error and could not start. The data contains the error code.

Error - 1/28/2012 2:01:08 AM | Computer Name = D-PC | Source = Ntfs | ID = 262281
Description = The default transaction resource manager on volume RECOVERY encountered
a non-retryable error and could not start. The data contains the error code.

Error - 1/28/2012 12:23:31 PM | Computer Name = D-PC | Source = Ntfs | ID = 262281
Description = The default transaction resource manager on volume D: encountered
a non-retryable error and could not start. The data contains the error code.

Error - 1/28/2012 12:23:36 PM | Computer Name = D-PC | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!

Error - 1/28/2012 12:23:55 PM | Computer Name = D-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 3:51:45 AM on 1/28/2012 was unexpected.

Error - 1/28/2012 12:23:45 PM | Computer Name = D-PC | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!

Error - 1/28/2012 12:24:48 PM | Computer Name = D-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 1/28/2012 12:24:48 PM | Computer Name = D-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 1/28/2012 12:32:16 PM | Computer Name = D-PC | Source = Ntfs | ID = 262281
Description = The default transaction resource manager on volume RECOVERY encountered
a non-retryable error and could not start. The data contains the error code.


< End of report >

#2
Crag_Hack
    Trusted Helper
  • Malware Removal
  • 1,775 posts
Hello and welcome to the Geeks to Go Virus, Spyware & Malware Removal forum. My name is Josh and I will be helping you remove your infection. I am only human, not Superman - I can make errors but will do my best to help you as best I can so we can solve your problems. Some of the following instructions to begin the malware removal process can be hard to follow - let me know if you have any questions. Please read all of my responses through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also please do not attempt any disinfection procedures without my instruction as things can go wrong that way. One more thing - please refrain from using your computer until it is disinfected unless you absolutely have to (unless you are following my disinfection procedures) - when you are using it the current malware infection could propagate further infections - forcing us to do a second or even third round of disinfection after the first. If you do have to use it please disconnect it from the Internet - that way the current malware cannot propagate further infections. I will get back to you soon with further instructions. Expect no more than 24 hours between your post and my response unless World War 3 breaks out and no more than 36 hours between your initial OTL log post and my response to that. Good luck!

#3
MinuteMouse
    Member
  • Topic Starter
  • Member
  • 21 posts
Ok, great. Whenever you're ready.

#4
Crag_Hack
    Trusted Helper
  • Malware Removal
  • 1,775 posts
Hello MinuteMouse. I finished analyzing your OTL log. I have an important question for you - it appears you ran OTL while logged in as the user C and that OTL was saved to the desktop for the user D. How many accounts are there on your computer and what are they? We will now begin disinfection. Please do the following:

Step 1

We will now run a scan for a nasty infection prevalent these days.

  • Download aswMBR.exe ( 1870KB ) to your desktop.
  • Double click the aswMBR.exe to run it
  • It will ask you if you want to download the latest Avast! virus definitions, answer no
  • Click the Scan button to start scan
  • On completion of the scan click Save log, save it to your desktop and post in your next reply

Step 2

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    
    DRV - [2011/12/31 08:31:22 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\19870623.sys -- (19870623)
    
    :Commands
    [purity]
    [resethosts]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Then post the produced log (it will be in C:\_OTL\MovedFiles with a filename beginning with the date)
  • Open OTL again
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    
    C:\Users\*.
  • Select the Scan all users check box
  • Click the Quick Scan button. Post the log it produces in your next reply as well.

Step 3

There are several suspicious files on your machine that might or might not be malware. We will scan them to verify. Let me know if you have any trouble following these instructions. Please do the following:

  • Go to this site
  • Click the browse button on the top of the page
  • Navigate to this file C:\Windows\System32\mfc45.dll and click the open button
  • Click the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button
  • Once the Scan is completed, click on the Copy to Clipboard button at the bottom of the page. This will copy the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Now repeat the previous instructions for the following files:
C:\Windows\System32\EhStorAuthn.dll
C:\Windows\System32\namResES.dll


Things to see in your next post:
OTL fix log (it will be in C:\_OTL\MovedFiles with a filename beginning with the date)
quick scan log (OTL.txt)
virscan upload results
aswMBR log

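The driver line in the OTL fix above is the kind of entry worth triaging before a fix is written. OTL prints the company name from the file's version resource, which any file can claim; what actually stands out is the eight-digit service name, the Boot start type and the fact that it is a kernel driver. The Python script below is an added example, not part of the original post and not part of OTL: it parses OTL DRV lines and flags the usual warning signs. The first sample line is the entry from the fix above; the other two are constructed, and the flagging rules are this example's own heuristics, not an antivirus verdict.

```python
import re
from pathlib import PureWindowsPath

# Layout of an OTL "DRV -" line (one kernel driver service per line):
#   DRV - [mtime | size | attrs | M] (company from version resource) [type | start | state] -- path -- (service)
DRV_LINE = re.compile(
    r"^DRV - \[(?P<mtime>[^|]+)\| (?P<size>[\d,]+) \| (?P<attrs>[^|]+)\| (?P<flag>\w)\] "
    r"\((?P<vendor>[^)]*)\) \[(?P<kind>[^|]+)\| (?P<start>[^|]+)\| (?P<state>[^\]]+)\] "
    r"-- (?P<path>.+?) -- \((?P<service>[^)]+)\)$"
)


def parse_drv(line):
    """Split one OTL DRV line into its fields; returns None for any other line type."""
    m = DRV_LINE.match(line.strip())
    if not m:
        return None
    entry = {k: v.strip() for k, v in m.groupdict().items()}
    entry["size"] = int(entry["size"].replace(",", ""))
    return entry


def triage(entry):
    """Heuristic warning signs for a driver entry (this example's own rules, not an AV verdict)."""
    reasons = []
    path = PureWindowsPath(entry["path"])
    parts = [p.lower() for p in path.parts]
    if entry["service"].isdigit():
        reasons.append("service name is digits only")
    if path.stem.lower() != entry["service"].lower():
        reasons.append("service name differs from file name")
    if not ("system32" in parts and "drivers" in parts):
        reasons.append("driver loaded from outside system32\\drivers")
    if not entry["vendor"]:
        reasons.append("no company name in version resource")
    # A boot-start kernel driver loads before most security tools, so anything odd about it matters more
    if reasons and entry["kind"].lower() == "kernel" and entry["start"].lower() == "boot":
        reasons.append("boot-start kernel driver")
    return reasons


def triage_log(lines):
    """Map service name -> list of reasons for every DRV line in an OTL log (empty list = nothing odd)."""
    return {e["service"]: triage(e) for e in map(parse_drv, lines) if e}


# Sample input: the first line is the entry from the OTL fix above; the other two are constructed.
SAMPLE_OTL = r"""
DRV - [2011/12/31 08:31:22 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\19870623.sys -- (19870623)
DRV - [2009/04/11 02:32:27 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\tdi.sys -- (tdi)
DRV - [2012/01/15 10:00:00 | 000,044,544 | ---- | M] () [Kernel | Boot | Running] -- C:\Users\C\AppData\Local\Temp\xyzdrv.sys -- (xyzdrv)
""".strip().splitlines()

if __name__ == "__main__":
    for service, reasons in triage_log(SAMPLE_OTL).items():
        print(f"{service:<10} {'; '.join(reasons) if reasons else 'nothing odd'}")
```

Run it against a whole OTL.txt by feeding the file's lines to triage_log; lines that are not DRV entries are ignored. A flagged entry is a reason to pull the file and verify its Authenticode signature, not proof of infection on its own.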

#5
MinuteMouse
    Member
  • Topic Starter
  • Member
  • 21 posts
This is the only text that could be posted (see below). The scans were run for aswMBR and OTL (rebooted) but this (Moved) OTL file was all that could be located. The VirSCAN --- I tried to locate/browse and scan for mfc45.dll. When I browsed for it, the OTL text was the only thing that came up (the OTL scan I completed on 1/28/2012 -- not the one I completed today). It also looks like Norton 360 changed and the Google search page.

What to do?



Error: Unable to stop service 19870623!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\19870623 deleted successfully.
C:\Windows\System32\drivers\19870623.sys moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully


OTL by OldTimer - Version 3.2.31.0 log created on 01312012_113025

#6
MinuteMouse
    Member
  • Topic Starter
  • Member
  • 21 posts
Hi. Was not able to add these to the previous post:

Nothing is saving to clipboard, text files not being saved (could this be due to having older scans of aswMBR AND OTL still on the computer?).

You asked me to scan the following three suspicious files with VIRSCAN. Here are the results ... they did not save to clipboard. Weird behavior when attempting to save texts/logs... attempting to save/open in odd places.


Here is the information re MFC45.DLL FROM VIRSCAN (for results, I selected all and pasted here):



File information
File Name : mfc45.dll
File Size : 74703 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : ee4364ded3e5c3b633be0511e5bee27a
SHA1 : 9c59bb3a1929db7580aec78525ffefdb4e5b5626

Scanner results
Scanner results : 11% Scanner(s) (4/36) found malware!
Time : 2012/02/01 07:58:24 (CST)

Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time
a-squared | 5.1.0.4 | 20120201070132 | 2012-02-01 | - | 0.302
AhnLab V3 | 2012.02.01.00 | 2012.02.01 | 2012-02-01 | - | 2.942
AntiVir | 8.2.8.44 | 7.11.21.234 | 2012-01-31 | - | 0.256
Antiy | 2.0.18 | 20120126.15937943 | 2012-01-26 | - | 0.016
Arcavir | 2011 | 201201301834 | 2012-01-30 | - | 3.420
Authentium | 5.1.1 | 201201312131 | 2012-01-31 | - | 1.497
AVAST! | 4.7.4 | 120131-0 | 2012-01-31 | - | 0.011
AVG | 10.0.1405 | 2090/4778 | 2012-01-31 | - | 0.068
BitDefender | 7.90123.7727593 | 7.40820 | 2012-02-01 | - | 4.028
ClamAV | 0.97.1 | 14382 | 2012-01-31 | - | 0.020
Comodo | 5.1 | 11386 | 2012-01-31 | Heur.Corrupt.PE | 2.122
CP Secure | 1.3.0.5 | 2012.01.31 | 2012-01-31 | - | 0.039
Dr.Web | 7.0.0.11250 | 2012.02.01 | 2012-02-01 | - | 11.555
F-Prot | 4.6.2.117 | 20120131 | 2012-01-31 | W32/Damaged_File.gen!Eldorado (generic, damaged, not disinfectable) | 0.749
F-Secure | 7.02.73807 | 2012.01.10.04 | 2012-01-10 | - | 12.471
Fortinet | 4.2.257 | 15.155 | 2012-01-31 | - | 0.105
GData | 22.3702 | 20120201 | 2012-02-01 | - | 4.530
Ikarus | T3.1.32.20.0 | 2012.01.31.80377 | 2012-01-31 | - | 5.243
JiangMin | 13.0.900 | 2012.01.31 | 2012-01-31 | - | 1.928
Kaspersky | 5.5.10 | 2012.01.31 | 2012-01-31 | - | 0.120
KingSoft | 2009.2.5.15 | 2012.1.31.18 | 2012-01-31 | - | 0.837
McAfee | 5400.1158 | 6606 | 2012-01-31 | - | 11.047
Microsoft | 1.8001 | 2012.02.01 | 2012-02-01 | - | 3.118
NOD32 | 3.0.21 | 6840 | 2012-01-30 | - | 0.003
nProtect | 20120131.01 | 11673589 | 2012-01-31 | - | 1.153
Panda | 9.05.01 | 2012.01.31 | 2012-01-31 | - | 3.153
Quick Heal | 11.00 | 2012.01.31 | 2012-01-31 | - | 0.920
Rising | 20.0 | 23.93.02.01 | 2012-01-18 | [Suspicious] | 2.382
Sophos | 3.27.0 | 4.73 | 2012-02-01 | - | 4.715
Sunbelt | 3.9.2526.2 | 11485 | 2012-01-31 | - | 1.316
Symantec | 1.3.0.24 | 20120131.003 | 2012-01-31 | - | 0.065
The Hacker | 6.7.0.1 | v00388 | 2012-01-31 | W32/Behav-Heuristic-CorruptFile-EP (Unwanted) | 0.512
Trend Micro | 9.500-1005 | 8.746.06 | 2012-01-31 | - | 0.327
VBA32 | 3.12.16.4 | 20120131.1010 | 2012-01-31 | - | 6.498
ViRobot | 20120131 | 2012.01.31 | 2012-01-31 | - | 0.381
VirusBuster | 5.4.1.7 | 14.1.194.0/7608028 | 2012-01-31 | - | 0.050

NOTICE: Results are not 100% accurate and can be reported as a false positive by some scanners when and if malware is found. Please judge these results for yourself.



Here are the VirSCAN results for C:\Windows\System32\EhStorAuthn.dll:

File information
File Name : ***file name has been blocked***
File Size : 117248 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5 : 358a03a7a47f0ad71e84306ac635a626
SHA1 : 2e9e49af3fc3b721c1036048fb9eb140903a68ae

Scanner results
Scanner results : Scanners did not find malware!
Time : 2012/02/01 08:08:48 (CST)

Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time
a-squared | 5.1.0.4 | 20120201080702 | 2012-02-01 | - | 0.289
AhnLab V3 | 2012.02.01.00 | 2012.02.01 | 2012-02-01 | - | 3.627
AntiVir | 8.2.8.44 | 7.11.21.234 | 2012-01-31 | - | 0.251
Antiy | 2.0.18 | 20120126.15937943 | 2012-01-26 | - | 0.016
Arcavir | 2011 | 201201301834 | 2012-01-30 | - | 3.456
Authentium | 5.1.1 | 201201312131 | 2012-01-31 | - | 1.452
AVAST! | 4.7.4 | 120131-0 | 2012-01-31 | - | 0.016
AVG | 10.0.1405 | 2090/4778 | 2012-01-31 | - | 0.086
BitDefender | 7.90123.7727593 | 7.40820 | 2012-02-01 | - | 4.003
ClamAV | 0.97.1 | 14382 | 2012-01-31 | - | 0.031
Comodo | 5.1 | 11386 | 2012-01-31 | - | 2.138
CP Secure | 1.3.0.5 | 2012.01.31 | 2012-01-31 | - | 0.068
Dr.Web | 7.0.0.11250 | 2012.02.01 | 2012-02-01 | - | 11.591
F-Prot | 4.6.2.117 | 20120131 | 2012-01-31 | - | 0.768
F-Secure | 7.02.73807 | 2012.01.10.04 | 2012-01-10 | - | 0.212
Fortinet | 4.2.257 | 15.155 | 2012-01-31 | - | 0.104
GData | 22.3702 | 20120201 | 2012-02-01 | - | 4.880
Ikarus | T3.1.32.20.0 | 2012.01.31.80377 | 2012-01-31 | - | 5.241
JiangMin | 13.0.900 | 2012.01.31 | 2012-01-31 | - | 1.993
Kaspersky | 5.5.10 | 2012.01.31 | 2012-01-31 | - | 0.120
KingSoft | 2009.2.5.15 | 2012.2.1.9 | 2012-02-01 | - | 0.950
McAfee | 5400.1158 | 6606 | 2012-01-31 | - | 10.982
Microsoft | 1.8001 | 2012.02.01 | 2012-02-01 | - | 4.577
NOD32 | 3.0.21 | 6840 | 2012-01-30 | - | 0.002
nProtect | 20120131.01 | 11673589 | 2012-01-31 | - | 1.137
Panda | 9.05.01 | 2012.01.31 | 2012-01-31 | - | 2.137
Quick Heal | 11.00 | 2012.01.31 | 2012-01-31 | - | 1.297
Rising | 20.0 | 23.93.02.01 | 2012-01-18 | - | 2.347
Sophos | 3.27.0 | 4.73 | 2012-02-01 | - | 4.668
Sunbelt | 3.9.2526.2 | 11485 | 2012-01-31 | - | 0.632
Symantec | 1.3.0.24 | 20120131.003 | 2012-01-31 | - | 0.067
The Hacker | 6.7.0.1 | v00388 | 2012-01-31 | - | 0.512
Trend Micro | 9.500-1005 | 8.746.06 | 2012-01-31 | - | 0.031
VBA32 | 3.12.16.4 | 20120131.1010 | 2012-01-31 | - | 4.074
ViRobot | 20120131 | 2012.01.31 | 2012-01-31 | - | 0.382
VirusBuster | 5.4.1.7 | 14.1.194.0/7608028 | 2012-01-31 | - | 0.016

Note: This file has been scanned before. Therefore, this file's scan result will not be stored in the database.



Results re C:\Windows\System32\namResES.dll


The file namResES.dll was uploaded by other users and scanned successfully at 2012/02/01 08:24:27, and 0 scanners have updated their database since the last scan.
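Four of the 36 VirSCAN engines above report mfc45.dll as a corrupt or damaged PE rather than naming a malware family, which means the file's container is internally inconsistent, not that its code was recognised. Two local checks belong next to that result: that the file on disk really has the MD5/SHA1 VirSCAN printed (so the right file was uploaded, which matters given the file-dialog confusion described earlier in the thread), and what exactly is broken in the PE structure. The Python below is an added example, not code from the post or from VirSCAN: it hashes a file and walks its DOS header, PE signature, COFF header and section table. The sample PE it builds is constructed in code and deliberately truncated to reproduce the "raw data past end of file" condition; whether a vendor actually ships a file of that name, and whether it carries a valid Authenticode signature, still has to be checked separately.

```python
import hashlib
import struct


def file_digests(data):
    """MD5 and SHA1 in the form VirSCAN prints them, so a local copy can be matched to the report."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def pe_sanity(data):
    """Report structural inconsistencies in a PE file.

    An empty list means the container is well-formed; it says nothing about
    whether the code inside is benign."""
    problems = []
    if len(data) < 64 or data[:2] != b"MZ":
        return ["no MZ DOS header"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # need the 4-byte signature plus the 20-byte COFF header to be inside the file
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["e_lfanew does not point at a PE signature"]
    coff = e_lfanew + 4
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #       NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    sec_table = coff + 20 + opt_size
    if nsections == 0 or nsections > 96:
        problems.append(f"implausible section count {nsections}")
    if sec_table + 40 * nsections > len(data):
        problems.append("section table runs past end of file")
        return problems
    for i in range(nsections):
        off = sec_table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        # Name(8) then VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        if raw_size and raw_ptr + raw_size > len(data):
            problems.append(f"section {name}: raw data {raw_ptr:#x}+{raw_size:#x} exceeds file size {len(data):#x}")
    return problems


def build_sample_pe(truncate_to=None):
    """Constructed minimal PE32 image (not a real DLL) with one .text section; optionally cut short
    to imitate a damaged download."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(224)                       # PE32 optional header, mostly zero
    struct.pack_into("<H", opt, 0, 0x10B)      # magic: PE32
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102) + bytes(opt)
    raw_ptr, raw_size = 0x200, 0x200
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr) + b"\0" * 16
    hdr = bytes(dos) + nt + sec
    image = hdr.ljust(raw_ptr, b"\0") + b"\xC3" * raw_size   # a sled of RET as fake code
    return image if truncate_to is None else image[:truncate_to]


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(0x300)
    print("md5 %s  sha1 %s" % file_digests(blob))
    print(pe_sanity(blob) or "PE structure looks consistent")
```

Point it at C:\Windows\System32\mfc45.dll on the affected machine (copy the file first; do not run it) and compare the digests with the VirSCAN report before reading the structural result.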

#7
Crag_Hack
    Trusted Helper
  • Malware Removal
  • 1,775 posts
Hello MinuteMouse. I think the reason you cannot find the log files is that you are using a different account from the one OTL was downloaded to the desktop for. In the first OTL log you were logged in as C yet OTL was run from C:\Users\D\Desktop. Please navigate to C:\Users\D\Desktop and C:\Users\C\Desktop and see if the OTL and aswMBR logs are there. Also how many accounts are there on your computer and what are they?

One more thing for this post.

There is a suspicious file on your machine that might or might not be malware. We will scan it to verify. Let me know if you have any trouble following these instructions. Please do the following (make sure not to omit step 5):

  • Go to this site
  • Click the browse button on the top of the page
  • Navigate to this file C:\Windows\System32\namResES.dll and click the open button
  • Click the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button
  • Once the Scan is completed, click on the Copy to Clipboard button at the bottom of the page. This will copy the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


#8
Crag_Hack
    Trusted Helper
  • Malware Removal
  • 1,775 posts
Also in the future make sure to use the same login for everything we do.

#9
MinuteMouse
    Member
  • Topic Starter
  • Member
  • 21 posts
Hi, thanks for the help so far.

Well, I searched both C's and D's user desktops for the latest aswMBR and OTL logs. There were logs saved dated 1/31 (the latest scans) but the actual texts when opened were dated from previous scans (1/28/12, 1/7/12). Perhaps the latest scans were not saved properly and the prior scans (of aswMBR and OTL) remained. Maybe the other installed versions of aswMBR/OTL should have been deleted?

Sometimes I run anti-virus programs in administrative mode (and then likely the results are saved to whatever user account desktop I'm presently signed on to ....)?

I have two user accounts: Standard and Admin. The user C account seems to be the "administrator" account (however, I do not recall ever naming an account "C"). All the files located in C's file date back only to November/December 2011 so it is obviously new. I have changed the names and passwords of the standard and admin accounts three or four times since November. Prior to that there were no password-protected user accounts (only one regular/non-password protected account named simply "D" -- the name which was given when the computer was brand new).

EXAMPLE: When I boot in safe mode, and want to "Repair my Computer" for example, I am given FOUR user accounts to choose from: D, C, Administrator, and Guest. As I previously mentioned, I named the computer D when prompted to assign a name when the computer was fresh out of the box. I NEVER ADDED ANOTHER USER ACCOUNT UNTIL ABOUT NOVEMBER OF 2011(when I made sure I had both an Administrator's and a Standard password-protected user account). I do not know where user-name C came from.

Should I run new scans of aswMBR and OTL?

Nothing showed as infected for C:\Windows\System32\namResES.dll:

File Name : namResES.dll
File Size : 3584 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5 : 8b8b6c1c4f8ad52cfd075cec5c40fa6b
SHA1 : 9175e334197cf421ca22d6c6210be12d82d702f8

Scanner results
Scanner results : Scanners did not find malware!
Time : 2012/02/02 08:22:30 (CST)

Let me know what's next ...

Thanks again for your time.

Edited by MinuteMouse, 01 February 2012 - 06:53 PM.


#10
MinuteMouse
    Member
  • Topic Starter
  • Member
  • 21 posts
Hi ... I think this may be the most recent aswMBR scan you wanted ... I am hoping it's the one you wanted for 1/30/2012 (see the one below the 1-7-2012 one).

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-07 12:19:03
-----------------------------
12:19:03.017 OS Version: Windows 6.0.6002 Service Pack 2
12:19:03.017 Number of processors: 2 586 0x6B01
12:19:03.017 ComputerName: D-PC UserName: C
12:19:03.875 Initialize success
12:19:47.049 AVAST engine defs: 12010701
12:20:03.756 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000065
12:20:03.756 Disk 0 Vendor: ST325031 3.AD Size: 238418MB BusType: 6
12:20:03.772 Disk 0 MBR read successfully
12:20:03.788 Disk 0 MBR scan
12:20:03.803 Disk 0 Windows VISTA default MBR code
12:20:03.819 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
12:20:03.834 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 81920
12:20:03.881 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 228137 MB offset 21053440
12:20:03.928 Disk 0 scanning sectors +488278016
12:20:04.022 Disk 0 scanning C:\Windows\system32\drivers
12:20:25.098 File: C:\Windows\system32\drivers\mbamswissarmy.sys **HIDDEN**
12:20:25.114 Service scanning
12:20:26.377 Modules scanning
12:20:41.604 Disk 0 trace - called modules:
12:20:41.620 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
12:20:41.635 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85ff5ac8]
12:20:41.635 3 CLASSPNP.SYS[885a08b3] -> nt!IofCallDriver -> [0x853deb68]
12:20:41.651 5 acpi.sys[828176bc] -> nt!IofCallDriver -> \Device\00000065[0x85485c90]
12:20:42.587 AVAST engine scan C:\Windows
12:20:47.626 AVAST engine scan C:\Windows\system32
12:24:13.548 AVAST engine scan C:\Windows\system32\drivers
12:24:31.441 AVAST engine scan C:\Users\C
12:25:41.906 AVAST engine scan C:\ProgramData
12:30:05.159 Scan finished successfully
12:36:35.667 Disk 0 MBR has been saved successfully to "C:\Users\C\Documents\MBR.dat"
12:36:35.683 The log file has been saved successfully to "C:\Users\C\Documents\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-31 11:23:21
-----------------------------
11:23:21.053 OS Version: Windows 6.0.6002 Service Pack 2
11:23:21.053 Number of processors: 2 586 0x6B01
11:23:21.053 ComputerName: D-PC UserName: C
11:23:22.005 Initialize success
11:24:21.216 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000006a
11:24:21.231 Disk 0 Vendor: ST325031 3.AD Size: 238418MB BusType: 6
11:24:21.247 Disk 0 MBR read successfully
11:24:21.247 Disk 0 MBR scan
11:24:21.262 Disk 0 Windows VISTA default MBR code
11:24:21.262 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
11:24:21.278 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 81920
11:24:21.309 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 228137 MB offset 21053440
11:24:21.325 Disk 0 scanning sectors +488278016
11:24:21.403 Disk 0 scanning C:\Windows\system32\drivers
11:24:29.874 Service scanning
11:24:31.044 Modules scanning
11:24:38.142 Disk 0 trace - called modules:
11:24:38.157 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll storport.sys nvstor32.sys
11:24:38.173 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85dfa4e0]
11:24:38.173 3 CLASSPNP.SYS[885a98b3] -> nt!IofCallDriver -> [0x85dface0]
11:24:38.188 5 PCTCore.sys[8267e407] -> nt!IofCallDriver -> [0x84812e00]
11:24:38.188 7 acpi.sys[824106bc] -> nt!IofCallDriver -> \Device\0000006a[0x847fe1c8]
11:24:38.188 Scan finished successfully
11:25:48.835 Disk 0 MBR has been saved successfully to "C:\Users\C\Desktop\MBR.dat"
11:25:48.866 The log file has been saved successfully to "C:\Users\C\Desktop\aswMBR.txt"

Edited by MinuteMouse, 01 February 2012 - 11:52 PM.

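aswMBR reads the first 512-byte sector, prints the partition table and saves the raw sector to MBR.dat (C:\Users\C\Desktop\MBR.dat in the second log above). Having two dumps from different dates (1/7 and 1/31) is more useful than either log on its own, because a bootkit that rewrites the MBR shows up as a byte-level change in the boot code area even when the partition table is untouched. The Python below is an added example, not part of the post or of aswMBR: it decodes a saved MBR, reproduces the three-partition layout from the log, checks for overlaps, a single active partition and unallocated sectors after the last partition (the area aswMBR's "scanning sectors +488278016" line covers), and diffs two saved sectors by region. The sample MBR is constructed from the offsets in the log; its boot code area is zero filler, so nothing here confirms or refutes the "Windows VISTA default MBR code" verdict.

```python
import hashlib
import struct

# Partition type bytes seen in the aswMBR log plus a few common ones
PART_TYPES = {
    0x07: "HPFS/NTFS", 0xDE: "Dell Utility", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}

DISK_SECTORS = 238418 * 2048     # the 238418 MB disk from the log, in 512-byte sectors


def parse_mbr(sector):
    """Decode the four 16-byte partition entries that start at offset 446 of a 512-byte MBR."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]                 # byte 0 = boot flag, byte 4 = type
        start_lba, nsectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0:
            continue                                        # unused slot
        parts.append({
            "index": i + 1, "bootable": status == 0x80, "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "start_lba": start_lba, "sectors": nsectors,
            "size_mib": nsectors * 512 // (1024 * 1024),
        })
    return parts


def check_layout(parts, disk_sectors=None):
    """Sanity checks on the decoded table; returns human-readable warnings."""
    warnings = []
    active = [p for p in parts if p["bootable"]]
    if len(active) != 1:
        warnings.append(f"{len(active)} active partitions (expected exactly 1)")
    ordered = sorted(parts, key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start_lba"] + a["sectors"] > b["start_lba"]:
            warnings.append(f"partition {a['index']} overlaps partition {b['index']}")
    if disk_sectors and ordered:
        last = ordered[-1]
        tail = disk_sectors - (last["start_lba"] + last["sectors"])
        if tail > 0:
            warnings.append(f"{tail} unallocated sectors after the last partition (dump and scan them)")
    return warnings


def mbr_diff(old, new):
    """Which regions of two saved MBR sectors differ: boot code, disk signature or partition table."""
    regions = {"boot code": (0, 440), "disk signature": (440, 444), "partition table": (446, 510)}
    return [name for name, (lo, hi) in regions.items() if old[lo:hi] != new[lo:hi]]


def build_sample_mbr():
    """Constructed MBR reproducing the table in the 2012-01-31 aswMBR log; the boot code area is
    zero filler, not Vista's real code."""
    mbr = bytearray(512)
    table = [  # (status, type, start LBA, sector count), derived from the offsets in the log
        (0x00, 0xDE, 63, 81920 - 63),
        (0x00, 0x07, 81920, 21053440 - 81920),
        (0x80, 0x07, 21053440, 488278016 - 21053440),
    ]
    for i, (status, ptype, start, count) in enumerate(table):
        off = 446 + 16 * i
        mbr[off], mbr[off + 4] = status, ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


if __name__ == "__main__":
    import sys
    sector = open(sys.argv[1], "rb").read(512) if len(sys.argv) > 1 else build_sample_mbr()
    for p in parse_mbr(sector):
        flag = "*" if p["bootable"] else " "
        print(f"{flag} {p['index']} type {p['type']:02X} {p['type_name']:<14} start {p['start_lba']:>10} {p['size_mib']:>8} MiB")
    print("boot code sha256:", hashlib.sha256(sector[:440]).hexdigest())
    for w in check_layout(parse_mbr(sector), DISK_SECTORS):
        print("warning:", w)
```

To compare the two dumps from the thread, read both MBR.dat files and call mbr_diff(old, new); an empty list means nothing in the sector changed between 1/7 and 1/31. The boot code hash printed by the script is only useful against a reference value taken from a known-clean install of the same Windows version.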

#11
Crag_Hack
    Trusted Helper
  • Malware Removal
  • 1,775 posts
That second log is the one! :thumbsup: Now to find the OTL log... perhaps look in the same place?

#12
MinuteMouse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Nope -- nowhere to be found.
  • 0

#13
MinuteMouse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
This? Otherwise I do not know.


# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# This HOSTS file created by Dr.Web Scanner for Windows

127.0.0.1 localhost
::1 localhost
  • 0
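A HOSTS file like the one posted above is worth checking for hijacked entries, since a tampered HOSTS file is one common cause of browser redirects. The following parser is an added example written for this thread, not part of the original posts or of Dr.Web; the two non-localhost lines in the sample are constructed, hypothetical hijack entries using reserved example addresses.

```python
"""Hosts-file hijack check, an added example (not from the thread or from Dr.Web).

Parses a Windows HOSTS file in the format shown above and reports any mapping
that is not a loopback entry for 'localhost': malware that edits HOSTS typically
adds lines that blackhole security vendors' sites or redirect popular sites,
one cause of the "redirects" symptom described in the opening post.
"""
import ipaddress

# Constructed sample: the clean file from the post plus two hypothetical
# hijack lines of the kind a HOSTS-modifying infection would add.
SAMPLE_HOSTS = """\
# This HOSTS file created by Dr.Web Scanner for Windows

127.0.0.1 localhost
::1 localhost
127.0.0.1 www.example-av-vendor.test   # blackholed (hypothetical)
203.0.113.9 search.example.test        # redirected (hypothetical, TEST-NET-3)
"""

LOOPBACK_NAMES = {"localhost"}  # names that may legitimately map to loopback


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def suspicious_entries(text):
    """Return (ip, hostname, reason) for every entry that is not loopback->localhost."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback and name in LOOPBACK_NAMES:
            continue  # the only entries a clean Windows HOSTS file needs
        reason = "blackholed to loopback" if addr.is_loopback else "redirected to " + ip
        flagged.append((ip, name, reason))
    return flagged
```

Run against the real file at %SystemRoot%\System32\drivers\etc\hosts, an empty result means nothing beyond the two localhost lines is present; any flagged entry deserves a closer look.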

#14
Crag_Hack

    Trusted Helper

  • Malware Removal
  • 1,775 posts
Hello MinuteMouse, let's try a search for the OTL log. Please do the following:

  • Open up the Computer window from the desktop or the start menu
  • Type OTL.txt where it says search in the upper right
  • After a small bit the search will finish
  • Click Advanced Search
  • For Location choose Local Disk (C:)
  • Check Include non-indexed, hidden, and system files
  • The search will start
  • Once the green bar disappears the search is complete
  • Look in the results for the newest OTL.txt (from Jan 31 right?)

If you find it, post it in your next reply. If you are unable to find it, delete all the OTL.txt entries in the search window, then do the following:

  • Open OTL again
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    
    C:\Users\*.
  • Select the Scan all users check box
  • Click the Quick Scan button. Post the log it produces in your next reply as well.

  • 0

#15
MinuteMouse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hi, yes, I had already tried that. The only one was from 1/28/2012 -- the first one I submitted to you. I will try what you advised and get back to you.
  • 0