dividedbyzero

PCEU Ransom virus aftermath - random popups

21 posts in this topic

Hi

I was recently infected with the Metropolitan Police PCEU ransom virus. I got rid of it easily with MBAM and HitmanPro, but there seems to be a secondary infection present. I get random popups in Chrome, Firefox, Opera and IE, something about sleep studies if it matters.

Here are the DDS logs:

DDS.txt

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 7.0.6001.18000

Run by admin at 16:50:34 on 2012-05-12

Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.3326.1900 [GMT 1:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Hi-Rez Studios\HiPatchService.exe

C:\Windows\system32\PnkBstrA.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\System32\mobsync.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\System32\spool\drivers\w32x86\3\E_FATIHJE.EXE

C:\Program Files\Remote Mouse\RemoteMouse.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

E:\Users\admin\AppData\Roaming\Spotify\spotify.exe

C:\Users\admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\Remote Mouse\server\server.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\TEMP\dqolpw\setup.exe

C:\Program Files\iTunes\iTunes.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe

C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe

C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\ATH.exe

C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe

C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\rundll32.exe

C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [Google Update] "c:\users\admin\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [EPSON SX130 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatihje.exe /fu "c:\users\admin\appdata\local\temp\E_S9059.tmp" /EF "HKCU"

uRun: [Remote Mouse] c:\program files\remote mouse\RemoteMouse.exe

uRun: [spotify] "e:\users\admin\appdata\roaming\spotify\spotify.exe" /uri spotify:autostart

uRun: [spotify Web Helper] "c:\users\admin\appdata\roaming\spotify\data\SpotifyWebHelper.exe"

uRun: [phepet] rundll32.exe "c:\users\admin\appdata\local\temp\phepet.dll",GetLastErrors

uRun: [update] c:\users\admin\appdata\roaming\mjt0uikj.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [update] c:\users\admin\appdata\roaming\mjt0uikj.exe

StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{576EB671-6A6D-4BB8-9E39-320819264AF1} : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{9D780C18-48C6-4D7D-8B03-B35F8B1E1EA5} : DhcpNameServer = 192.168.1.254

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\q13sj8sq.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\users\admin\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.http.accept-encoding -

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

P2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files\hi-rez studios\HiPatchService.exe [2012-4-22 8704]

R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\common files\abbyy\finereadersprint\9.00\licensing\NetworkLicenseServer.exe [2009-5-14 759048]

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-8-26 176128]

R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-8-26 6380032]

R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-8-26 221696]

R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH3.sys [2012-2-12 99344]

R3 RTL85n86;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;c:\windows\system32\drivers\RTL85n86.sys [2006-11-2 311808]

S2 AMService;AMService;c:\windows\temp\dqolpw\setup.exe run --> c:\windows\temp\dqolpw\setup.exe run [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 PEVSystemStart;Npkcsvc;c:\windows\system32\svchost.exe -k netsvcs [2012-5-6 21504]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-10 257696]

S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [2012-5-11 26400]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-28 129976]

S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2009-7-24 30560]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2012-05-11 17:30:49 26400 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys

2012-05-11 17:14:13 -------- d-----w- c:\programdata\HitmanPro

2012-05-11 16:24:16 -------- d-----w- c:\users\admin\appdata\roaming\Malwarebytes

2012-05-11 16:24:10 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-05-11 16:24:10 -------- d-----w- c:\programdata\Malwarebytes

2012-05-11 16:24:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-05-09 18:20:05 -------- d-----w- c:\users\admin\appdata\local\{0DD3492F-9936-11E1-826E-B8AC6F996F26}

2012-05-09 17:48:35 -------- d-----w- c:\users\admin\appdata\local\{0DD315EB-9936-11E1-826E-B8AC6F996F26}

2012-05-09 17:48:13 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

2012-05-09 17:48:02 -------- d-----w- c:\users\admin\appdata\local\Spruce

2012-05-09 07:00:05 6734704 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{ae44f2d9-078a-4791-9518-1ab75c388c12}\mpengine.dll

2012-05-08 21:04:01 231936 ----a-w- c:\windows\system32\msshsq.dll

2012-05-08 16:51:47 281032 ----a-w- c:\windows\system32\PnkBstrB.xtr

2012-05-08 16:13:26 -------- d-----w- c:\users\admin\appdata\local\PunkBuster

2012-05-08 16:13:26 -------- d-----w- c:\users\admin\appdata\local\CrashRpt

2012-05-08 16:08:42 140304 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2012-05-08 16:08:42 138056 ----a-w- c:\users\admin\appdata\roaming\PnkBstrK.sys

2012-05-08 16:08:27 281032 ----a-w- c:\windows\system32\PnkBstrB.exe

2012-05-08 16:08:27 281032 ----a-w- c:\windows\system32\PnkBstrB.ex0

2012-05-08 16:08:26 76888 ----a-w- c:\windows\system32\PnkBstrA.exe

2012-05-08 16:05:45 -------- d-----w- c:\program files\Microsoft Chart Controls

2012-05-08 02:01:09 2048 ----a-w- c:\windows\system32\winrsmgr.dll

2012-05-07 09:33:47 69632 ----a-w- c:\windows\system32\drivers\bowser.sys

2012-05-07 09:32:58 2042368 ----a-w- c:\windows\system32\win32k.sys

2012-05-07 09:31:26 866816 ----a-w- c:\windows\system32\wmpmde.dll

2012-05-07 09:29:47 1257472 ----a-w- c:\windows\system32\msxml3.dll

2012-05-07 09:24:31 531968 ----a-w- c:\windows\system32\comctl32.dll

2012-05-07 09:21:57 276992 ----a-w- c:\windows\system32\schannel.dll

2012-05-06 17:03:42 -------- d-----w- c:\users\admin\appdata\local\Paint.NET

2012-05-06 16:49:17 -------- d-----w- C:\PerfLogs

2012-05-06 16:49:15 4140192 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2012-05-06 16:28:52 47560 ----a-w- c:\windows\system32\SPReview.exe

2012-05-06 16:28:52 152576 ----a-w- c:\windows\system32\SPWizUI.dll

2012-05-06 16:20:51 193024 ----a-w- c:\windows\system32\recdisc.exe

2012-05-06 16:20:50 6656 ----a-w- c:\windows\system32\sdspres.dll

2012-05-06 16:20:30 599552 ----a-w- c:\windows\system32\vsp1cln.exe

2012-05-06 16:20:19 28160 ----a-w- c:\windows\system32\sxproxy.dll

2012-05-06 16:20:18 142336 ----a-w- c:\windows\system32\spp.dll

2012-05-06 16:18:59 45568 ----a-w- c:\windows\system32\mshta.exe

2012-05-06 16:17:59 93696 ----a-w- c:\windows\system32\eappgnui.dll

2012-05-06 16:16:59 98304 ----a-w- c:\windows\system32\TapiMigPlugin.dll

2012-05-06 16:13:53 44032 ----a-w- c:\windows\system32\cbsra.exe

2012-05-06 15:49:56 -------- d-----w- c:\users\admin\appdata\roaming\System

2012-05-06 15:49:55 -------- d-----w- c:\users\admin\appdata\local\Universe Sandbox

2012-05-06 15:49:54 -------- d-sh--w- c:\users\admin\appdata\roaming\wyUpdate AU

2012-04-26 15:31:24 -------- d-sh--w- c:\programdata\SecuROM

2012-04-24 15:39:14 -------- d-----w- c:\users\admin\appdata\local\Chromium

2012-04-23 19:25:27 447752 ----a-r- c:\windows\system32\vp6vfw.dll

2012-04-23 19:25:24 -------- d-----w- c:\program files\Microsoft WSE

2012-04-23 17:11:53 -------- d-----w- c:\program files\ISUnp

2012-04-22 12:30:16 -------- d-----w- C:\FreeFalcon6

2012-04-22 11:09:57 -------- d-----w- c:\programdata\Hi-Rez Studios

2012-04-22 11:09:50 -------- d-----w- c:\program files\Hi-Rez Studios

2012-04-17 16:13:36 -------- d-----w- c:\users\admin\appdata\roaming\Seeing Machines

2012-04-17 16:13:36 -------- d-----w- c:\programdata\Seeing Machines

.

==================== Find3M ====================

.

2012-05-09 17:48:25 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-05-09 17:48:25 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-05-06 16:38:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll

2012-05-06 16:38:16 82432 ----a-w- c:\windows\system32\axaltocm.dll

2012-03-29 17:27:57 98304 ----a-w- c:\windows\system32CmdLineExt.dll

2012-02-23 22:15:43 378368 ----a-w- c:\windows\system32\winhttp.dll

2012-02-23 22:14:44 269312 ----a-w- c:\windows\system32\es.dll

2012-02-23 22:14:05 36864 ----a-w- c:\windows\system32\drivers\en-us\http.sys.mui

2012-02-23 22:14:04 411136 ----a-w- c:\windows\system32\drivers\http.sys

2012-02-23 22:14:04 31232 ----a-w- c:\windows\system32\httpapi.dll

2012-02-23 22:14:04 24064 ----a-w- c:\windows\system32\nshhttp.dll

2012-02-23 09:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-02-22 22:33:21 23552 ----a-w- c:\windows\system32\lpk.dll

2012-02-22 22:33:21 10240 ----a-w- c:\windows\system32\dciman32.dll

2012-02-22 22:32:08 72704 ----a-w- c:\windows\system32\admparse.dll

2012-02-22 22:32:04 48128 ----a-w- c:\windows\system32\mshtmler.dll

2012-02-22 22:31:04 61440 ----a-w- c:\windows\system32\winipsec.dll

2012-02-22 22:31:04 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL

2012-02-22 22:31:04 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll

2012-02-22 22:31:04 272896 ----a-w- c:\windows\system32\polstore.dll

2012-02-22 22:29:04 94720 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll

2012-02-22 22:29:04 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll

2012-02-22 22:29:03 160768 ----a-w- c:\windows\system32\PortableDeviceTypes.dll

2012-02-22 22:27:32 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE

2012-02-22 22:27:32 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE

2012-02-22 22:27:32 27136 ----a-w- c:\windows\system32\NETSTAT.EXE

2012-02-22 22:27:32 19968 ----a-w- c:\windows\system32\ARP.EXE

2012-02-22 22:27:32 17920 ----a-w- c:\windows\system32\ROUTE.EXE

2012-02-22 22:27:32 11264 ----a-w- c:\windows\system32\MRINFO.EXE

2012-02-22 22:27:32 104960 ----a-w- c:\windows\system32\netiohlp.dll

2012-02-22 22:27:32 10240 ----a-w- c:\windows\system32\finger.exe

2012-02-22 22:25:22 68096 ----a-w- c:\windows\system32\wlanhlp.dll

2012-02-22 22:25:22 64512 ----a-w- c:\windows\system32\wlanapi.dll

2012-02-22 22:25:22 293376 ----a-w- c:\windows\system32\wlanmsm.dll

2012-02-22 22:25:22 127488 ----a-w- c:\windows\system32\L2SecHC.dll

2012-02-22 22:25:21 513024 ----a-w- c:\windows\system32\wlansvc.dll

2012-02-22 22:25:21 302592 ----a-w- c:\windows\system32\wlansec.dll

2012-02-22 22:25:21 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs

2012-02-22 22:24:39 2048 ----a-w- c:\windows\system32\msxml6r.dll

2012-02-22 22:24:39 2048 ----a-w- c:\windows\system32\msxml3r.dll

2012-02-22 22:24:39 1399296 ----a-w- c:\windows\system32\msxml6.dll

2012-02-22 22:23:58 213504 ----a-w- c:\windows\system32\msv1_0.dll

2012-02-22 22:22:04 98816 ----a-w- c:\windows\system32\mfps.dll

2012-02-22 22:22:04 53248 ----a-w- c:\windows\system32\rrinstaller.exe

2012-02-22 22:22:04 2868224 ----a-w- c:\windows\system32\mf.dll

2012-02-22 22:22:03 24576 ----a-w- c:\windows\system32\mfpmp.exe

2012-02-22 22:22:03 2048 ----a-w- c:\windows\system32\mferror.dll

2012-02-22 22:18:18 71680 ----a-w- c:\windows\system32\atl.dll

2012-02-22 22:17:09 296960 ----a-w- c:\windows\system32\gdi32.dll

2012-02-22 22:14:22 562176 ----a-w- c:\windows\system32\msdtcprx.dll

2012-02-22 22:14:22 38912 ----a-w- c:\windows\system32\xolehlp.dll

2012-02-22 22:13:47 160256 ----a-w- c:\windows\system32\wkssvc.dll

2012-02-22 22:13:08 53248 ----a-w- c:\windows\system32\tsgqec.dll

2012-02-22 22:13:08 136192 ----a-w- c:\windows\system32\aaclient.dll

2012-02-22 22:12:30 303616 ----a-w- c:\windows\system32\wmpeffects.dll

2012-02-22 22:10:46 714240 ----a-w- c:\windows\system32\timedate.cpl

2012-02-22 22:05:30 636928 ----a-w- c:\windows\system32\localspl.dll

2012-02-22 22:03:58 2927104 ----a-w- c:\windows\explorer.exe

2012-02-22 22:02:20 499712 ----a-w- c:\windows\system32\kerberos.dll

2012-02-22 22:02:19 9728 ----a-w- c:\windows\system32\lsass.exe

2012-02-22 22:02:19 72704 ----a-w- c:\windows\system32\secur32.dll

2012-02-22 22:02:19 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-02-22 22:02:19 175104 ----a-w- c:\windows\system32\wdigest.dll

2012-02-22 22:02:19 1256448 ----a-w- c:\windows\system32\lsasrv.dll

2012-02-22 21:59:59 4164096 ----a-w- c:\windows\system32\NlsLexicons0002.dll

2012-02-22 21:57:36 6656 ----a-w- c:\windows\system32\kbd106n.dll

2012-02-22 21:57:33 988216 ----a-w- c:\windows\system32\winload.exe

2012-02-22 21:57:33 927288 ----a-w- c:\windows\system32\winresume.exe

2012-02-22 21:57:32 40960 ----a-w- c:\windows\system32\srclient.dll

2012-02-22 21:57:32 378368 ----a-w- c:\windows\system32\srcore.dll

2012-02-22 21:57:32 318464 ----a-w- c:\windows\system32\rstrui.exe

2012-02-22 21:57:32 14848 ----a-w- c:\windows\system32\srdelayed.exe

2012-02-22 21:57:31 615992 ----a-w- c:\windows\system32\ci.dll

2012-02-22 21:57:31 46592 ----a-w- c:\windows\system32\setbcdlocale.dll

2012-02-22 21:57:31 19000 ----a-w- c:\windows\system32\kd1394.dll

2012-02-22 21:55:00 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys

2012-02-22 21:55:00 190464 ----a-w- c:\windows\system32\iphlpsvc.dll

2012-02-22 21:55:00 15360 ----a-w- c:\windows\system32\drivers\TUNMP.SYS

2012-02-22 21:53:08 293376 ----a-w- c:\windows\system32\browserchoice.exe

2012-02-22 21:52:32 40960 ----a-w- c:\windows\apppatch\apihex86.dll

2012-02-22 21:52:32 24064 ----a-w- c:\windows\system32\amxread.dll

2012-02-22 21:52:32 13824 ----a-w- c:\windows\system32\apilogen.dll

2012-02-22 21:51:29 712704 ----a-w- c:\windows\system32\WindowsCodecs.dll

2012-02-22 21:51:29 425472 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll

2012-02-22 21:51:28 347136 ----a-w- c:\windows\system32\WindowsCodecsExt.dll

2012-02-22 21:49:44 443392 ----a-w- c:\windows\system32\win32spl.dll

2012-02-22 21:49:44 37888 ----a-w- c:\windows\system32\printcom.dll

2012-02-22 21:48:52 14848 ----a-w- c:\windows\system32\wshrm.dll

2012-02-22 21:48:52 113664 ----a-w- c:\windows\system32\drivers\rmcast.sys

2012-02-22 21:48:11 43520 ----a-w- c:\windows\system32\msdxm.tlb

2012-02-22 21:48:11 313344 ----a-w- c:\windows\system32\wmpdxm.dll

2012-02-22 21:48:11 18432 ----a-w- c:\windows\system32\amcompat.tlb

2012-02-22 21:47:39 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe

2012-02-22 21:47:39 511488 ----a-w- c:\windows\system32\RMActivate.exe

2012-02-22 21:47:39 472576 ----a-w- c:\windows\system32\secproc_isv.dll

2012-02-22 21:47:39 472064 ----a-w- c:\windows\system32\secproc.dll

2012-02-22 21:47:39 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe

2012-02-22 21:47:39 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe

2012-02-22 21:47:39 329216 ----a-w- c:\windows\system32\msdrm.dll

2012-02-22 21:47:39 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll

.

============= FINISH: 16:51:21.86 ===============

Attach.txt

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft® Windows Vista™ Home Basic

Boot Device: \Device\HarddiskVolume1

Install Date: 11/02/2012 23:29:53

System Uptime: 12/05/2012 16:28:13 (0 hours ago)

.

Motherboard: ASRock | | 760GM-GS3

Processor: AMD Phenom II X4 955 Processor | CPUSocket | 3600/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 149 GiB total, 43.167 GiB free.

D: is CDROM (UDF)

E: is FIXED (NTFS) - 932 GiB total, 317.254 GiB free.

F: is Removable

G: is Removable

H: is Removable

I: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

.

==== Installed Programs ======================

.

7-Zip 9.20

ABBYY FineReader 9.0 Sprint

Adobe After Effects CS4

Adobe After Effects CS4 Presets

Adobe After Effects CS4 Third Party Content

Adobe Anchor Service CS4

Adobe Bridge CS4

Adobe CMaps CS4

Adobe Color Video Profiles AE CS4

Adobe Default Language CS4

Adobe Dynamiclink Support

Adobe ExtendScript Toolkit CS4

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Fonts All

Adobe Media Encoder CS4 Exporter

Adobe Media Encoder CS4 Importer

Adobe MotionPicture Color Files CS4

Adobe Output Module

Adobe PDF Library Files CS4

Adobe Reader X (10.1.2)

Adobe Setup

Adobe Type Support CS4

Adobe Update Manager CS4

Adobe XMP Panels CS4

AdobeColorCommonSetRGB

Age of Empires III

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ARMA 2 Operation Arrowhead Uninstall

ArmA 2 Uninstall

ATI AVIVO Codecs

ATI Catalyst Install Manager

BattlEye for OA Uninstall

BattlEye Uninstall

Bonjour

Catalyst Control Center - Branding

Catalyst Control Center Graphics Previews Common

Catalyst Control Center Graphics Previews Vista

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

ccc-core-static

ccc-utility

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

Celtx (2.9.5)

EPSON Scan

EPSON SX130 Series Printer Uninstall

FaceTrackNoIR

Free YouTube Downloader 3.5.124

FreeFalcon6

Google Chrome

Hi-Rez Studios Authenticate and Update Service

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HydraVision

IL-2 Sturmovik 1946

Inno Setup Unpacker Explorer 1.0

Intel® IPP Run-Time Installer 5.3 Update 4 for Windows* on IA-32

iTunes

Java Auto Updater

Java 6 Update 22

Java 6 Update 30

JDownloader 0.9

Malwarebytes Anti-Malware version 1.61.0.1400

Mass Effect™ 3

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Chart Controls for Microsoft .NET Framework 3.5

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319

Microsoft WSE 3.0 Runtime

Mozilla Firefox 12.0 (x86 en-US)

Mozilla Maintenance Service

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

NVIDIA PhysX

OpenOffice.org 3.3

Opera 11.62

Origin

Paint.NET v3.5.10

Photoshop Camera Raw

PunkBuster Services

QuickTime

Realtek Ethernet Controller Driver For Windows Vista

Red Orchestra 2: Heroes of Stalingrad

Remote Mouse version 1.12

RollerCoaster Tycoon 3

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Spotify

Stranded II 1.0.0.1

Suite Shared Configuration CS4

The Sims™ 3

Tribes Ascend

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

.

==== Event Viewer Messages From Past Week ========

.

12/05/2012 16:38:58, Error: Service Control Manager [7030] - The AMService service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

11/05/2012 19:40:51, Error: EventLog [6008] - The previous system shutdown at 19:39:02 on 11/05/2012 was unexpected.

11/05/2012 19:24:46, Error: EventLog [6008] - The previous system shutdown at 19:22:42 on 11/05/2012 was unexpected.

11/05/2012 19:07:16, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: sfdrv01 spldr Wanarpv6

11/05/2012 19:04:14, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

11/05/2012 19:04:05, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss sfdrv01 Smb spldr tdx Wanarpv6

11/05/2012 19:04:05, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

11/05/2012 19:04:05, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

11/05/2012 19:04:05, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.

11/05/2012 19:04:05, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

11/05/2012 19:04:05, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

11/05/2012 19:04:05, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

11/05/2012 19:04:05, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

11/05/2012 19:04:05, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.

11/05/2012 19:04:05, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

11/05/2012 19:04:05, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

11/05/2012 19:04:05, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

11/05/2012 19:04:05, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

11/05/2012 19:04:05, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

11/05/2012 19:03:55, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

11/05/2012 19:03:17, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

11/05/2012 19:03:17, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

11/05/2012 19:03:13, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

11/05/2012 19:03:04, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

11/05/2012 19:02:55, Error: EventLog [6008] - The previous system shutdown at 19:00:33 on 11/05/2012 was unexpected.

11/05/2012 18:32:08, Error: Service Control Manager [7024] - The HitmanPro 3.6 Crusader (Boot) service terminated with service-specific error 0 (0x0).

11/05/2012 18:28:56, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for DeleteFlag with the following error: Access is denied.

11/05/2012 17:54:19, Error: Service Control Manager [7023] - The Snapman service terminated with the following error: The specified module could not be found.

11/05/2012 17:39:47, Error: Service Control Manager [7023] - The Npkcsvc service terminated with the following error: The specified module could not be found.

10/05/2012 19:13:56, Error: EventLog [6008] - The previous system shutdown at 19:12:15 on 10/05/2012 was unexpected.

10/05/2012 18:02:20, Error: EventLog [6008] - The previous system shutdown at 17:55:24 on 10/05/2012 was unexpected.

09/05/2012 19:20:34, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

09/05/2012 19:20:34, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

09/05/2012 19:20:34, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

09/05/2012 19:19:35, Error: EventLog [6008] - The previous system shutdown at 19:17:17 on 09/05/2012 was unexpected.

09/05/2012 16:23:20, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by -86387 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->65.55.21.15:123) is working properly.

08/05/2012 03:45:18, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WSearch service.

07/05/2012 22:45:19, Error: EventLog [6008] - The previous system shutdown at 22:43:40 on 07/05/2012 was unexpected.

07/05/2012 18:36:40, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{9D780C18-48C6-4D7D-8B03-B35F8B1E1EA5} because another computer on the network has the same name. The server could not start.

07/05/2012 10:01:57, Error: disk [11] - The driver detected a controller error on \Device\Harddisk3\DR3.

07/05/2012 09:58:22, Error: disk [11] - The driver detected a controller error on \Device\Harddisk5\DR5.

07/05/2012 09:53:52, Error: disk [11] - The driver detected a controller error on \Device\Harddisk4\DR4.

07/05/2012 09:50:56, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the stisvc service.

07/05/2012 09:50:37, Error: disk [11] - The driver detected a controller error on \Device\Harddisk2\DR2.

06/05/2012 21:37:46, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.

06/05/2012 21:37:46, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

06/05/2012 17:58:23, Error: Microsoft-Windows-Eventlog [30] - The event logging service encountered an error (5) while enabling publisher {DBE9B383-7CF3-4331-91CC-A3CB16A3B538} to channel Microsoft-Windows-Winlogon/Operational. This doesn't affect operation of the channel, but does affect the ability for the publisher to raise events to the channel. One common reason for this error is that Provider is using ETW Provider Security and has not granted enable permissions to the Eventlog service identity.

06/05/2012 17:54:28, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: sfdrv01

06/05/2012 17:47:22, Error: Microsoft-Windows-LanguagePackSetup [1001] - Application initialization failed. Last error: 0x80004005

06/05/2012 16:47:07, Error: Application Popup [875] - Driver sfdrv01.sys has been blocked from loading.

05/05/2012 08:13:39, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x8000ffff: Update for Windows Vista (KB929777).

05/05/2012 08:13:39, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 929777-2_RTM_GDR from package KB929777(Update) into Staged(Staged) state

05/05/2012 08:13:39, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 929777-1_RTM_LDR from package KB929777(Update) into Install Requested(Install Requested) state

05/05/2012 08:13:39, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 929777-1_RTM_LDR from package KB929777(Hotfix) into Installed(Installed) state

05/05/2012 08:13:39, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KB929777 (Update) into Install Requested(Install Requested) state

05/05/2012 08:13:39, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KB929777 (Hotfix) into Uninstall Requested(Uninstall Requested) state

.

==== End Of File ===========================


Hello and welcome.

Unfortunately you are infected with a nasty rootkit. Before continuing with the cleanup, please read the following information.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[screenshot: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


Sorry about the rather long wait, I've been away from home so the computer hasn't been used by me since my last post. It has been used by others despite my best efforts, disconnected from the internet of course. Anyway, here's the ComboFix.

ComboFix 12-06-24.02 - admin 24/06/2012 18:58:16.1.4 - x86

Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.3326.2468 [GMT 1:00]

Running from: c:\users\admin\Desktop\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\admin\AppData\Local\{cf8fd16f-783c-26dc-651a-0397072aa4ba}\@

c:\users\admin\AppData\Local\{cf8fd16f-783c-26dc-651a-0397072aa4ba}\n

c:\users\admin\AppData\Local\TempDIR

c:\windows\$NtUninstallKB24005$

c:\windows\$NtUninstallKB24005$\3304364337\L\ogejidap

c:\windows\Installer\{cf8fd16f-783c-26dc-651a-0397072aa4ba}\@

c:\windows\Installer\{cf8fd16f-783c-26dc-651a-0397072aa4ba}\L\00000004.@

c:\windows\Installer\{cf8fd16f-783c-26dc-651a-0397072aa4ba}\L\201d3dde

c:\windows\Installer\{cf8fd16f-783c-26dc-651a-0397072aa4ba}\U\00000004.@

c:\windows\Installer\{cf8fd16f-783c-26dc-651a-0397072aa4ba}\U\000000cb.@

c:\windows\system32\dds_trash_log.cmd

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_AMService

.

.

((((((((((((((((((((((((( Files Created from 2012-05-24 to 2012-06-24 )))))))))))))))))))))))))))))))

.

.

2012-06-24 18:06 . 2012-06-24 18:08 -------- d-----w- c:\users\admin\AppData\Local\temp

2012-06-24 18:06 . 2012-06-24 18:06 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-06-22 20:39 . 2012-06-22 20:39 -------- d-----w- c:\users\admin\AppData\Local\Macromedia

2012-06-22 13:29 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{525041C2-5794-4C0C-8AB6-EB434C844A51}\mpengine.dll

2012-06-20 16:49 . 2012-06-20 16:49 -------- d-----w- c:\windows\CheckSur

2012-06-20 16:46 . 2012-06-20 16:46 -------- d-----w- c:\users\admin\AppData\Local\LooksBuilder

2012-06-19 21:14 . 2012-06-19 21:23 -------- d-----w- c:\users\admin\AppData\Local\SniperV2

2012-06-19 21:03 . 2012-06-19 21:03 -------- d-----w- c:\users\admin\AppData\Local\Nem's Tools

2012-06-19 17:12 . 2012-06-19 17:12 -------- d-----w- c:\windows\system32\EventProviders

2012-06-17 20:10 . 2012-06-17 20:10 -------- d-----w- c:\programdata\Ironclad Games

2012-06-17 20:03 . 2012-06-17 20:03 -------- d-----w- c:\program files\Common Files\Stardock

2012-06-17 20:01 . 2012-06-17 20:01 -------- d-----w- c:\programdata\Gibraltar

2012-06-16 14:48 . 2012-06-16 14:48 -------- d-----w- c:\users\admin\AppData\Local\Stardock

2012-06-16 14:28 . 2012-06-16 14:28 -------- d-----w- c:\programdata\GameStop

2012-06-15 21:52 . 2012-06-15 21:52 -------- d-----w- c:\users\admin\AppData\Local\Ironclad Games

2012-06-15 20:14 . 2012-06-16 14:14 -------- d-----w- c:\users\admin\AppData\Roaming\Stardock

2012-06-15 20:14 . 2012-06-15 20:14 -------- dc-h--w- c:\programdata\{AF1FD256-44CB-4653-A3B3-0C950EDF38A0}

2012-06-15 20:14 . 2012-06-15 20:14 -------- d-----w- c:\programdata\Stardock

2012-06-15 20:14 . 2012-06-15 20:14 -------- d-----w- c:\program files\Stardock

2012-06-15 20:13 . 2012-06-15 20:13 -------- d-----w- c:\users\admin\AppData\Local\PackageAware

2012-06-15 20:11 . 2012-06-15 20:11 -------- dc-h--w- c:\users\admin\AppData\Local\{83E7940D-E416-4041-9E77-0CB423D258BE}

2012-06-15 14:24 . 2008-01-18 22:36 615424 ----a-w- c:\windows\system32\themeui.dll.backup

2012-06-15 14:24 . 2009-07-10 12:21 247808 ----a-w- c:\windows\system32\shsvcs.dll.backup

2012-06-15 14:24 . 2008-01-18 22:36 240128 ----a-w- c:\windows\system32\uxtheme.dll.backup

2012-06-13 16:44 . 2012-06-24 17:07 -------- d-----w- c:\program files\SpeedFan

2012-06-13 15:49 . 2012-06-13 17:34 -------- d-----w- c:\users\admin\AppData\Roaming\Rainmeter

2012-06-13 15:47 . 2012-06-13 16:02 -------- d-----w- c:\program files\Rainmeter

2012-06-12 20:13 . 2012-06-12 20:13 -------- d-----w- c:\program files\Microsoft LifeCam

2012-06-11 10:37 . 2012-06-11 10:37 -------- d-----w- c:\program files\THQ

2012-06-06 21:24 . 2012-06-15 14:56 -------- d-----w- c:\program files\TightVNC

2012-06-06 21:12 . 2012-06-06 21:12 -------- d-----w- c:\program files\Wyse

2012-06-06 21:12 . 2012-06-06 21:12 -------- d-----w- c:\users\admin\AppData\Local\Downloaded Installations

2012-06-06 13:49 . 2012-06-06 13:49 -------- d-----w- c:\users\admin\AppData\Local\Criterion Games

2012-06-05 13:25 . 2012-06-19 16:36 -------- d-----w- c:\users\admin\AppData\Roaming\ReGet Software

2012-06-05 13:24 . 2012-06-05 13:24 -------- d-----w- c:\users\admin\AppData\Roaming\Thinstall

2012-06-05 13:24 . 2012-06-05 13:24 -------- d-----w- c:\users\admin\AppData\Local\Thinstall

2012-06-05 12:38 . 2012-06-05 12:38 107888 ----a-w- c:\windows\system32\CmdLineExt.dll

2012-06-04 14:24 . 2012-06-04 14:24 -------- d-----w- c:\users\admin\.swt

2012-06-04 14:24 . 2012-06-19 17:08 -------- d-----w- c:\users\admin\AppData\Roaming\Azureus

2012-06-04 14:23 . 2012-06-04 14:23 -------- d-----w- c:\program files\Vuze

2012-06-03 14:59 . 2012-06-03 14:59 -------- d-----w- c:\users\admin\AppData\Local\UCL

2012-06-03 13:36 . 2012-06-03 13:36 -------- d-----w- C:\Games

2012-06-01 17:05 . 2012-06-01 17:05 -------- d-----w- c:\windows\system32\URTTEMP

2012-05-28 15:24 . 2012-06-09 18:30 -------- d-----w- c:\programdata\TrackMania

2012-05-28 13:03 . 2012-06-06 15:23 -------- d-----w- c:\users\admin\AppData\Roaming\The Creative Assembly

2012-05-27 13:06 . 2012-05-27 13:06 -------- d-----w- c:\users\admin\AppData\Roaming\InstallShield

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-22 15:56 . 2012-04-10 08:53 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-22 15:56 . 2012-02-12 21:06 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-05-21 13:56 . 2012-05-21 13:56 152576 ----a-w- c:\windows\system32\drivers\BazisPortableCDBus.sys

2012-05-13 15:37 . 2012-05-08 16:08 140304 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2012-05-13 15:37 . 2012-05-08 16:51 281032 ----a-w- c:\windows\system32\PnkBstrB.xtr

2012-05-13 15:37 . 2012-05-08 16:08 281032 ----a-w- c:\windows\system32\PnkBstrB.exe

2012-05-12 19:57 . 2012-05-07 09:32 273408 ----a-w- c:\windows\system32\drivers\afd.sys

2012-05-11 17:30 . 2012-05-11 17:30 26400 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys

2012-05-10 18:58 . 2012-05-08 16:08 281032 ----a-w- c:\windows\system32\PnkBstrB.ex0

2012-05-08 16:08 . 2012-05-08 16:08 138056 ----a-w- c:\users\admin\AppData\Roaming\PnkBstrK.sys

2012-05-08 16:08 . 2012-05-08 16:08 76888 ----a-w- c:\windows\system32\PnkBstrA.exe

2012-05-06 16:49 . 2012-05-06 16:49 4140192 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2012-05-06 16:38 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll

2012-05-06 16:38 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll

2012-05-06 16:10 . 2012-05-06 16:28 47560 ----a-w- c:\windows\system32\SPReview.exe

2012-05-06 16:10 . 2012-05-06 16:28 152576 ----a-w- c:\windows\system32\SPWizUI.dll

2012-04-18 19:56 . 2012-04-18 19:56 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2012-04-18 19:56 . 2012-04-18 19:56 69632 ----a-w- c:\windows\system32\QuickTime.qts

2012-04-04 14:56 . 2012-05-11 16:24 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-29 17:27 . 2012-03-29 17:27 98304 ----a-w- c:\windows\system32CmdLineExt.dll

2012-04-21 01:19 . 2012-04-28 21:14 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-08-25 98304]

.

c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2012-6-12 40136]

Sins of a Solar Empire Launcher.lnk - e:\program files\Stardock Games\Sins of a Solar Empire\SINS_Launcher.exe [2012-6-15 587992]

speedfan.exe - Shortcut.lnk - c:\program files\SpeedFan\speedfan.exe [2012-3-26 4656632]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

"SoftwareSASGeneration"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKLM\~\startupfolder\C:^Users^admin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]

path=c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk

backup=c:\windows\pss\OpenOffice.org 3.3.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-01-03 13:10 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]

2012-02-20 20:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON SX130 Series]

2010-12-07 16:01 208384 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIHJE.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2012-02-12 08:53 136176 ----atw- c:\users\admin\AppData\Local\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2012-03-27 04:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]

2010-05-20 14:27 119152 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetFxUpdate_v1.1.4322]

2004-08-10 15:20 106496 ----a-w- c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PocketCloud Location]

2012-05-11 14:09 883104 ----a-w- c:\program files\Wyse\PocketCloud Windows Companion\WyseBrowser.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2012-04-18 19:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sbitunesagent]

2012-01-19 11:21 266240 ----a-w- c:\program files\Songbird\songbirditunesagent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]

2008-01-18 22:33 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify]

2012-02-10 20:31 4027056 ----a-w- e:\users\admin\AppData\Roaming\Spotify\spotify.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]

2012-05-19 20:05 932528 ----a-w- c:\users\admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2011-06-09 13:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-22 250056]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

PEVSystemStart

BASFND

CAM1210

RIOUNIV

BlueSoleilCS

wdica

ati

iastor

arp1394

.

Contents of the 'Scheduled Tasks' folder

.

2012-06-24 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 15:56]

.

2012-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1631720249-2444561240-318218109-1000Core.job

- c:\users\admin\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-12 08:53]

.

2012-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1631720249-2444561240-318218109-1000UA.job

- c:\users\admin\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-12 08:53]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\q13sj8sq.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - user.js: network.http.accept-encoding -

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-27122021.sys

MSConfigStartUp-phepet - c:\users\admin\AppData\Local\Temp\phepet.dll

MSConfigStartUp-Remote Mouse - c:\program files\Remote Mouse\RemoteMouse.exe

MSConfigStartUp-tvncontrol - c:\program files\TightVNC\tvnserver.exe

MSConfigStartUp-Update - c:\users\admin\AppData\Roaming\mjt0uikj.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-06-24 19:10

Windows 6.0.6001 Service Pack 1 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1631720249-2444561240-318218109-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:7c,69,ac,5b,9e,31,fa,00,2e,e5,a1,a6,5d,53,f5,17,20,6a,a0,00,bd,85,84,

31,99,26,85,9f,e4,3e,4b,9b,76,ea,bf,82,05,80,1c,70,d4,b5,f3,00,3d,66,04,71,\

"??"=hex:09,e8,77,b3,f1,52,0e,b2,ed,b3,2c,d2,5c,3c,4f,6e

.

[HKEY_USERS\S-1-5-21-1631720249-2444561240-318218109-1000\Software\SecuROM\License information*]

"datasecu"=hex:58,68,23,db,37,cf,03,00,0a,48,ce,60,d8,b0,57,37,fe,d0,ff,44,5d,

f6,b8,92,2c,bf,7e,8a,0f,ba,ac,55,46,97,8c,8c,22,a0,80,b3,4d,4f,c7,23,ea,ba,\

"rkeysecu"=hex:b0,bc,c1,28,be,09,b7,ef,b1,9f,e6,cc,1a,9c,88,61

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\atiesrxx.exe

c:\windows\system32\atieclxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Hi-Rez Studios\HiPatchService.exe

c:\program files\Microsoft LifeCam\MSCamS32.exe

c:\windows\system32\PnkBstrA.exe

c:\program files\Wyse\PocketCloud Windows Companion\PocketCloudService.exe

c:\windows\system32\WUDFHost.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

.

**************************************************************************

.

Completion time: 2012-06-24 19:18:00 - machine was rebooted

ComboFix-quarantined-files.txt 2012-06-24 18:17

.

Pre-Run: 32,473,100,288 bytes free

Post-Run: 41,926,660,096 bytes free

.

- - End Of File - - EC601028F891711B2A5B9A5DC7A27697


And also, if worst comes to worst and I have to reformat, will I just have to format my main C:\ drive, which is Windows and not much else, or my E: drive (important stuff) as well?


Hi again,

How are things running at this point, what problems do you still have left?


Exactly the same as how I left you. Random popups in Chrome, Firefox, Opera and IE. I have also noticed that I cannot turn on Windows Firewall, even by directly starting the service from the management console. I also cannot install any windows updates. I get an error stating something like "0x800707e module can not be found".


I see I forgot to answer your earlier question: a reformat of C might be enough, although it depends a bit on what you have on your other partitions.

OTL

-----

Please download OTL from one of the following mirrors:

  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.

netsvcs

  • Push Run Scan.
  • A report will open. Copy and Paste that report in your next reply.

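As an added example, not part of the original post and not OTL's or ComboFix's own code: the `netsvcs` custom scan asks OTL to list every service registered in the svchost `netsvcs` group, which is the list the ComboFix log above prints under "Svchost - NetSvcs" (PEVSystemStart, BASFND, iastor, arp1394 and so on) and where OTL then reports entries such as iastor and arp1394 as "File not found". The PowerShell snippet below does that check by hand: it reads the group from the registry and, for each member, reports whether the service key exists and whether the DLL named in `Parameters\ServiceDll` is actually on disk. It assumes PowerShell is installed on the machine and is run from an elevated prompt; the output layout is my own.

```powershell
# Added example (not OTL's or ComboFix's code): enumerate the svchost "netsvcs"
# group and flag members whose service key or ServiceDll file no longer exists,
# which is the "File not found" condition OTL reports. Run elevated.
function Test-NetsvcsGroup {
    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    # REG_MULTI_SZ comes back as a string array
    $members = (Get-ItemProperty -Path $svchostKey -Name netsvcs).netsvcs

    foreach ($name in $members) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $svcKey)) {
            # Listed in the group but no service is registered under that name
            '{0,-22} {1,-16} {2}' -f $name, 'NO SERVICE KEY', ''
            continue
        }

        # netsvcs members normally run as a DLL named in Parameters\ServiceDll
        $dll = $null
        $paramKey = Join-Path $svcKey 'Parameters'
        if (Test-Path $paramKey) {
            $dll = (Get-ItemProperty -Path $paramKey).ServiceDll
        }
        if (-not $dll) {
            # No ServiceDll: show the ImagePath so the entry can still be judged
            $image = (Get-ItemProperty -Path $svcKey).ImagePath
            '{0,-22} {1,-16} {2}' -f $name, 'NO SERVICEDLL', $image
            continue
        }

        # Get-ItemProperty expands REG_EXPAND_SZ, but expand again in case the
        # value was stored as a plain string containing %systemroot%
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        $status = if (Test-Path $path) { 'OK' } else { 'FILE NOT FOUND' }
        '{0,-22} {1,-16} {2}' -f $name, $status, $path
    }
}

Test-NetsvcsGroup | Sort-Object
```

A "FILE NOT FOUND" line means the group still points at a DLL that is gone; a leftover from an uninstalled product looks exactly like the remains of a removed malicious service, so compare the DLL name and service name against what the vendor actually ships before deciding what to clean. The same logic applies to the other svchost groups (LocalServiceNoNetwork, netsvcs, and the rest) by changing the `-Name` argument.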

Here you go.

OTL.txt

OTL logfile created on: 25/06/2012 16:21:25 - Run 1

OTL by OldTimer - Version 3.2.53.0 Folder = C:\Users\admin\Desktop

Windows Vista Home Basic Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6001.18000)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.25 Gb Total Physical Memory | 2.32 Gb Available Physical Memory | 71.51% Memory free

6.73 Gb Paging File | 5.79 Gb Available in Paging File | 85.97% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 149.05 Gb Total Space | 38.18 Gb Free Space | 25.62% Space Free | Partition Type: NTFS

Drive E: | 931.51 Gb Total Space | 423.15 Gb Free Space | 45.43% Space Free | Partition Type: NTFS

Drive F: | 14.42 Gb Total Space | 8.40 Gb Free Space | 58.24% Space Free | Partition Type: FAT32

Computer Name: ADMIN-PC | User Name: admin | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/25 16:20:21 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Users\admin\Desktop\OTL.exe

PRC - [2012/06/15 23:15:30 | 000,874,384 | ---- | M] (Opera Software) -- C:\Program Files\Opera\opera.exe

PRC - [2012/06/12 13:37:24 | 000,040,136 | ---- | M] () -- C:\Program Files\Rainmeter\Rainmeter.exe

PRC - [2012/05/11 15:09:52 | 000,177,056 | ---- | M] () -- C:\Program Files\Wyse\PocketCloud Windows Companion\PocketCloudService.exe

PRC - [2012/04/05 15:50:08 | 000,008,704 | ---- | M] (Hi-Rez Studios) -- C:\Program Files\Hi-Rez Studios\HiPatchService.exe

PRC - [2012/02/22 23:03:58 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

PRC - [2012/01/03 14:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

PRC - [2011/04/20 02:04:38 | 000,393,216 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe

PRC - [2011/04/20 02:04:08 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe

PRC - [2010/05/20 15:27:24 | 000,139,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe

========== Modules (No Company Name) ==========

MOD - [2012/06/12 13:37:24 | 000,040,136 | ---- | M] () -- C:\Program Files\Rainmeter\Rainmeter.exe

MOD - [2012/06/12 13:37:22 | 000,625,864 | ---- | M] () -- C:\Program Files\Rainmeter\Rainmeter.dll

MOD - [2012/06/12 13:33:28 | 000,023,040 | ---- | M] () -- C:\Program Files\Rainmeter\Plugins\iTunesPlugin.dll

MOD - [2012/06/12 13:33:22 | 000,046,592 | ---- | M] () -- C:\Program Files\Rainmeter\Plugins\WebParser.dll

MOD - [2012/06/12 13:33:20 | 000,008,704 | ---- | M] () -- C:\Program Files\Rainmeter\Plugins\SpeedFanPlugin.dll

MOD - [2012/05/08 03:48:08 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\1ba19f8efcff8ad7f972aa38ab9a15f5\System.Runtime.Remoting.ni.dll

MOD - [2012/05/08 03:48:04 | 011,800,576 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\0a1195c6b5fab213527364c9e8b26ef0\System.Web.ni.dll

MOD - [2012/05/08 03:47:53 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\aa3e053d433c48e1e8c3f436b4de1ed3\System.Configuration.ni.dll

MOD - [2012/05/08 03:47:52 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\cfb60f99da570cc494e27e0e8ee747e2\System.Xml.ni.dll

MOD - [2012/05/08 03:47:41 | 012,430,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\381fb23cb39e1a61e13b8770eb9800ba\System.Windows.Forms.ni.dll

MOD - [2012/05/08 03:47:36 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\f1aa2385c0109f3059e0e6ba8b58ff68\System.Drawing.ni.dll

MOD - [2012/05/08 03:46:45 | 007,950,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9dff86a62a525ec8dc827fe9f50298b7\System.ni.dll

MOD - [2012/05/08 03:45:55 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll

MOD - [2011/04/20 01:21:02 | 000,037,376 | ---- | M] () -- C:\Windows\System32\atitmpxx.dll

MOD - [2010/08/25 22:44:50 | 000,270,336 | ---- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll

MOD - [2010/08/04 16:58:06 | 000,016,384 | R--- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Branding\Branding.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\epson_pm_rpcv2_01.dll -- (iastor)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\agrsrvce.dll -- (arp1394)

SRV - [2012/06/22 16:56:06 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)

SRV - [2012/05/27 14:02:38 | 000,529,232 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)

SRV - [2012/05/11 15:09:52 | 000,177,056 | ---- | M] () [Auto | Running] -- C:\Program Files\Wyse\PocketCloud Windows Companion\PocketCloudService.exe -- (WysePocketCloud)

SRV - [2012/04/21 02:19:00 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)

SRV - [2012/04/05 15:50:08 | 000,008,704 | ---- | M] (Hi-Rez Studios) [Auto | Paused] -- C:\Program Files\Hi-Rez Studios\HiPatchService.exe -- (HiPatchService)

SRV - [2012/03/04 14:57:37 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)

SRV - [2012/01/03 14:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)

SRV - [2011/04/20 02:04:08 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)

SRV - [2010/05/20 15:27:24 | 000,139,632 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)

SRV - [2008/01/18 23:38:26 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

========== Driver Services (SafeList) ==========

DRV - File not found [File_System | System | Stopped] -- C:\Users\admin\Desktop\VCdRom.sys -- (vcdrom)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)

DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)

DRV - [2012/05/21 14:56:04 | 000,152,576 | ---- | M] (SysProgs.org) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BazisPortableCDBus.sys -- (BazisPortableCDBus)

DRV - [2012/05/11 18:30:49 | 000,026,400 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\hitmanpro36.sys -- (hitmanpro35)

DRV - [2011/04/20 02:43:42 | 007,772,160 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)

DRV - [2011/04/20 01:22:10 | 000,243,712 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)

DRV - [2011/03/18 17:08:54 | 000,025,240 | ---- | M] (Almico Software) [Kernel | Boot | Running] -- C:\Windows\System32\speedfan.sys -- (speedfan)

DRV - [2010/07/15 13:47:24 | 000,099,344 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AtihdLH3.sys -- (AtiHDAudioService)

DRV - [2010/06/23 10:21:32 | 000,259,176 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)

DRV - [2010/05/20 15:27:24 | 000,030,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nx6000.sys -- (MSHUSBVideo)

DRV - [2006/11/02 08:30:56 | 000,311,808 | ---- | M] (Realtek) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTL85n86.sys -- (RTL85n86)

DRV - [2005/08/10 13:44:04 | 000,050,688 | ---- | M] (Protection Technology) [Kernel | Boot | Stopped] -- C:\Windows\System32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)

DRV - [2005/05/16 14:20:39 | 000,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)

DRV - [1996/04/03 20:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\giveio.sys -- (giveio)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1631720249-2444561240-318218109-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 2

IE - HKU\S-1-5-21-1631720249-2444561240-318218109-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKU\S-1-5-21-1631720249-2444561240-318218109-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKU\S-1-5-21-1631720249-2444561240-318218109-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1631720249-2444561240-318218109-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: calendar-timezones@mozilla.org:0.1.2008d

FF - prefs.js..extensions.enabledItems: default-palette@celtx.com:1.0

FF - prefs.js..extensions.enabledItems: inspector@mozilla.org:2.0.0

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_262.dll ()

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\admin\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\admin\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/05/21 11:10:37 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{0DD315EB-9936-11E1-826E-B8AC6F996F26}: C:\Users\admin\AppData\Local\{0DD315EB-9936-11E1-826E-B8AC6F996F26}\ [2012/05/09 18:48:35 | 000,000,000 | ---D | M]

[2012/05/17 19:43:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\admin\AppData\Roaming\Mozilla\Extensions

[2012/03/05 12:26:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\admin\AppData\Roaming\Mozilla\Extensions\celtx@celtx.com

[2012/05/17 19:43:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\admin\AppData\Roaming\Mozilla\Extensions\songbird@songbirdnest.com

[2012/05/03 21:02:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\q13sj8sq.default\extensions

[2012/04/28 22:14:24 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2012/03/05 12:25:28 | 000,000,000 | ---D | M] (Timezone Definitions for Mozilla Calendar) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\CALENDAR-TIMEZONES@MOZILLA.ORG

[2012/03/05 12:25:28 | 000,000,000 | ---D | M] (Default Shot Palette) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\DEFAULT-PALETTE@CELTX.COM

[2012/03/05 12:25:28 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\INSPECTOR@MOZILLA.ORG

[2012/04/21 02:19:34 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

[2012/04/21 02:18:25 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

[2012/04/21 02:18:25 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)

CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}

CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms},

CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer

CHR - plugin: Native Client (Enabled) = C:\Users\admin\AppData\Local\Google\Chrome\Application\19.0.1084.46\ppGoogleNaClPluginChrome.dll

CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\admin\AppData\Local\Google\Chrome\Application\19.0.1084.46\pdf.dll

CHR - plugin: Shockwave Flash (Enabled) = C:\Users\admin\AppData\Local\Google\Chrome\Application\19.0.1084.46\gcswf32.dll

CHR - plugin: Shockwave Flash (Disabled) = C:\Users\admin\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll

CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll

CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll

CHR - plugin: Java Deployment Toolkit 6.0.300.12 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll

CHR - plugin: Java Platform SE 6 U30 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll

CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll

CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll

CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll

CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll

CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll

CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll

CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll

CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll

CHR - plugin: Unity Player (Enabled) = C:\Users\admin\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll

CHR - plugin: Google Update (Enabled) = C:\Users\admin\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll

CHR - plugin: Windows Presentation Foundation (Enabled) = C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

CHR - Extension: YouTube = C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\

CHR - Extension: Google Search = C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\

CHR - Extension: Gmail = C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/06/24 19:08:46 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)

O4 - Startup: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe ()

O4 - Startup: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sins of a Solar Empire Launcher.lnk = E:\Program Files\Stardock Games\Sins of a Solar Empire\SINS_Launcher.exe (Stardock Entertainment, Inc.)

O4 - Startup: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\speedfan.exe - Shortcut.lnk = C:\Program Files\SpeedFan\speedfan.exe (Almico Software (www.almico.com))

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SoftwareSASGeneration = 1

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-1631720249-2444561240-318218109-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-1631720249-2444561240-318218109-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)

O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)

O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{576EB671-6A6D-4BB8-9E39-320819264AF1}: DhcpNameServer = 192.168.1.254

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9D780C18-48C6-4D7D-8B03-B35F8B1E1EA5}: DhcpNameServer = 192.168.1.254

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg

O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - E:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: FastUserSwitchingCompatibility - File not found

NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)

NetSvcs: Nla - File not found

NetSvcs: Ntmssvc - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: SRService - File not found

NetSvcs: PEVSystemStart - File not found

NetSvcs: BASFND - File not found

NetSvcs: CAM1210 - File not found

NetSvcs: RIOUNIV - File not found

NetSvcs: BlueSoleilCS - File not found

NetSvcs: wdica - File not found

NetSvcs: ati - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ATI.ACE.snk ()

NetSvcs: iastor - %systemroot%\system32\epson_pm_rpcv2_01.dll File not found

NetSvcs: arp1394 - %systemroot%\system32\agrsrvce.dll File not found

NetSvcs: WmdmPmSp - File not found

NetSvcs: LogonHours - File not found

NetSvcs: PCAudit - File not found

NetSvcs: helpsvc - File not found

NetSvcs: uploadmgr - File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/06/25 16:20:47 | 000,596,992 | ---- | C] (OldTimer Tools) -- C:\Users\admin\Desktop\OTL.exe

[2012/06/24 19:18:03 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\temp

[2012/06/24 19:17:34 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

[2012/06/24 19:06:57 | 000,000,000 | ---D | C] -- C:\Windows\temp

[2012/06/24 18:49:36 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2012/06/24 18:49:36 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2012/06/24 18:49:36 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2012/06/24 18:49:34 | 000,000,000 | ---D | C] -- C:\ComboFix

[2012/06/24 18:48:53 | 000,000,000 | ---D | C] -- C:\Qoobox

[2012/06/24 18:48:46 | 000,000,000 | ---D | C] -- C:\Windows\erdnt

[2012/06/24 18:02:04 | 004,567,064 | R--- | C] (Swearware) -- C:\Users\admin\Desktop\ComboFix.exe

[2012/06/22 21:39:14 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\Macromedia

[2012/06/22 16:50:09 | 000,000,000 | ---D | C] -- C:\Windows\Minidump

[2012/06/20 21:11:20 | 002,128,472 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\admin\Desktop\TDSSKiller.exe

[2012/06/20 17:49:13 | 000,000,000 | ---D | C] -- C:\Windows\CheckSur

[2012/06/20 17:46:04 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\LooksBuilder

[2012/06/19 22:14:15 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\SniperV2

[2012/06/19 22:03:29 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\Nem's Tools

[2012/06/19 18:12:07 | 000,000,000 | ---D | C] -- C:\Windows\System32\EventProviders

[2012/06/17 21:10:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Ironclad Games

[2012/06/17 21:03:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stardock Games

[2012/06/17 21:03:35 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Stardock

[2012/06/17 21:01:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Gibraltar

[2012/06/16 15:48:45 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\Stardock

[2012/06/16 15:28:14 | 000,000,000 | ---D | C] -- C:\ProgramData\GameStop

[2012/06/16 14:34:12 | 000,000,000 | ---D | C] -- C:\Users\admin\Documents\Security

[2012/06/15 22:52:05 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\Ironclad Games

[2012/06/15 21:14:47 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Stardock

[2012/06/15 21:14:17 | 000,000,000 | -H-D | C] -- C:\ProgramData\{AF1FD256-44CB-4653-A3B3-0C950EDF38A0}

[2012/06/15 21:14:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Stardock

[2012/06/15 21:14:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stardock

[2012/06/15 21:14:04 | 000,000,000 | ---D | C] -- C:\Program Files\Stardock

[2012/06/15 21:13:49 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\PackageAware

[2012/06/15 21:11:57 | 000,000,000 | -H-D | C] -- C:\Users\admin\AppData\Local\{83E7940D-E416-4041-9E77-0CB423D258BE}

[2012/06/13 17:44:02 | 000,000,000 | ---D | C] -- C:\Program Files\SpeedFan

[2012/06/13 16:49:05 | 000,000,000 | ---D | C] -- C:\Users\admin\Documents\Rainmeter

[2012/06/13 16:49:05 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Rainmeter

[2012/06/13 16:47:14 | 000,000,000 | ---D | C] -- C:\Program Files\Rainmeter

[2012/06/12 21:23:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft LifeCam

[2012/06/12 21:13:41 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft LifeCam

[2012/06/11 16:38:36 | 000,000,000 | ---D | C] -- C:\Users\admin\Documents\Stalker_Complete_2009_v1.4.4_Setup

[2012/06/11 11:37:45 | 000,000,000 | ---D | C] -- C:\Program Files\THQ

[2012/06/07 15:19:05 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DarthMod Ultimate Commander

[2012/06/07 15:19:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DarthMod Ultimate Commander

[2012/06/06 22:24:53 | 000,000,000 | ---D | C] -- C:\Program Files\TightVNC

[2012/06/06 22:12:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wyse

[2012/06/06 22:12:47 | 000,000,000 | ---D | C] -- C:\Program Files\Wyse

[2012/06/06 22:12:07 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\Downloaded Installations

[2012/06/06 14:49:35 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\Criterion Games

[2012/06/05 14:25:01 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\ReGet Software

[2012/06/05 14:24:33 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Thinstall

[2012/06/05 14:24:33 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\Thinstall

[2012/06/05 14:24:28 | 003,722,527 | ---- | C] (ReGet Software) -- C:\Users\admin\Desktop\ReGet Deluxe.exe

[2012/06/05 13:38:46 | 000,107,888 | ---- | C] (Sony DADC Austria AG.) -- C:\Windows\System32\CmdLineExt.dll

[2012/06/04 19:19:31 | 000,000,000 | ---D | C] -- C:\Users\admin\Documents\RhinoSoft

[2012/06/04 15:26:21 | 000,000,000 | ---D | C] -- C:\Users\admin\Documents\Vuze Downloads

[2012/06/04 15:24:28 | 000,000,000 | ---D | C] -- C:\Users\admin\.swt

[2012/06/04 15:24:26 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Azureus

[2012/06/04 15:23:14 | 000,000,000 | ---D | C] -- C:\Program Files\Vuze

[2012/06/03 15:59:10 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\UCL

[2012/06/03 14:36:19 | 000,000,000 | ---D | C] -- C:\Games

[2012/06/03 14:36:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ArtMoney SE

[2012/06/01 18:10:25 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Darth Mod M2TW 1.4D

[2012/06/01 18:05:40 | 000,000,000 | ---D | C] -- C:\Windows\System32\URTTEMP

[2012/05/28 16:24:14 | 000,000,000 | ---D | C] -- C:\ProgramData\TrackMania

[2012/05/28 16:24:02 | 000,000,000 | ---D | C] -- C:\Users\admin\Documents\TrackMania

[2012/05/28 14:03:06 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\The Creative Assembly

[2012/05/27 14:06:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SEGA

[2012/05/27 14:06:04 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\InstallShield

========== Files - Modified Within 30 Days ==========

[2012/06/25 16:20:21 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Users\admin\Desktop\OTL.exe

[2012/06/25 16:16:39 | 000,663,844 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2012/06/25 16:16:39 | 000,130,490 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2012/06/25 16:15:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job

[2012/06/25 16:10:15 | 000,004,768 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2012/06/25 16:10:15 | 000,004,768 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2012/06/25 16:10:13 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2012/06/25 16:09:59 | 3488,866,304 | -HS- | M] () -- C:\hiberfil.sys

[2012/06/24 19:08:46 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts

[2012/06/24 18:08:15 | 004,567,064 | R--- | M] (Swearware) -- C:\Users\admin\Desktop\ComboFix.exe

[2012/06/22 21:21:58 | 000,020,480 | ---- | M] () -- C:\Users\admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2012/06/22 16:56:06 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe

[2012/06/22 16:56:06 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl

[2012/06/22 16:50:09 | 282,185,304 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2012/06/21 17:41:51 | 002,128,472 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\admin\Desktop\TDSSKiller.exe

[2012/06/19 22:32:38 | 000,458,752 | ---- | M] () -- C:\Windows\SPInstall.etl

[2012/06/19 17:36:24 | 000,014,420 | ---- | M] () -- C:\Users\admin\Documents\French.odt

[2012/06/16 15:49:04 | 000,000,750 | ---- | M] () -- C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sins of a Solar Empire Launcher.lnk

[2012/06/16 15:03:15 | 000,000,804 | ---- | M] () -- C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\speedfan.exe - Shortcut.lnk

[2012/06/16 14:58:02 | 000,000,136 | ---- | M] () -- C:\Users\admin\Desktop\Sins of a Solar Empire.lnk

[2012/06/15 16:41:51 | 000,528,884 | ---- | M] () -- C:\Users\admin\Documents\Gun.rtf

[2012/06/13 17:44:02 | 000,000,045 | ---- | M] () -- C:\Windows\System32\initdebug.nfo

[2012/06/13 17:02:15 | 000,001,722 | ---- | M] () -- C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk

[2012/06/13 16:47:15 | 000,001,686 | ---- | M] () -- C:\Users\Public\Desktop\Rainmeter.lnk

[2012/06/12 21:23:50 | 000,001,910 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft LifeCam.lnk

[2012/06/11 13:07:27 | 737,252,976 | ---- | M] ( ) -- C:\Users\admin\Documents\Stalker_Complete_2009_v1.4.4_Setup.exe

[2012/06/11 11:58:02 | 000,000,799 | ---- | M] () -- C:\Users\admin\Desktop\S.T.A.L.K.E.R. Shadow of Chernobyl.lnk

[2012/06/10 13:36:49 | 000,012,038 | ---- | M] () -- C:\Users\admin\Documents\cc_20120610_133643.reg

[2012/06/07 15:19:06 | 000,001,133 | ---- | M] () -- C:\Users\admin\Desktop\DarthMod Ultimate Commander.lnk

[2012/06/06 16:37:28 | 000,000,969 | ---- | M] () -- C:\Users\admin\Desktop\Empire.exe - Shortcut.lnk

[2012/06/06 14:51:26 | 000,001,281 | ---- | M] () -- C:\Users\admin\Desktop\Burnout Paradise.lnk

[2012/06/05 13:38:46 | 000,107,888 | ---- | M] (Sony DADC Austria AG.) -- C:\Windows\System32\CmdLineExt.dll

[2012/06/04 19:29:47 | 000,001,332 | ---- | M] () -- C:\Users\admin\Documents\FTP Voyager JV on a12.net.ru.jnlp

[2012/06/04 19:16:01 | 000,000,600 | ---- | M] () -- C:\Users\admin\AppData\Roaming\winscp.rnd

[2012/06/04 15:23:20 | 000,001,633 | ---- | M] () -- C:\Users\Public\Desktop\Vuze.lnk

[2012/06/03 21:34:33 | 000,000,705 | ---- | M] () -- C:\Users\admin\Desktop\Gratuitous Tank Battles.lnk

[2012/06/01 18:10:25 | 000,000,915 | ---- | M] () -- C:\Users\admin\Desktop\Attack Darth Mod.lnk

[2012/06/01 18:08:21 | 000,000,900 | ---- | M] () -- C:\Users\Public\Desktop\Medieval II Total War.lnk

[2012/05/31 18:44:16 | 643,090,122 | ---- | M] () -- C:\Users\admin\Documents\MIITW_UPDATE2_EFIGS_RC_Final.zip

[2012/05/29 17:36:14 | 000,001,988 | ---- | M] () -- C:\Users\admin\Documents\cc_20120529_173610.reg

[2012/05/27 13:41:49 | 000,000,215 | ---- | M] () -- C:\Users\admin\Desktop\Total War SHOGUN 2.url

========== Files Created - No Company Name ==========

[2012/06/24 18:49:36 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe

[2012/06/24 18:49:36 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe

[2012/06/24 18:49:36 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2012/06/24 18:49:36 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2012/06/24 18:49:36 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2012/06/22 16:56:07 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job

[2012/06/22 16:49:13 | 282,185,304 | ---- | C] () -- C:\Windows\MEMORY.DMP

[2012/06/16 15:49:04 | 000,000,750 | ---- | C] () -- C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sins of a Solar Empire Launcher.lnk

[2012/06/16 15:03:15 | 000,000,804 | ---- | C] () -- C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\speedfan.exe - Shortcut.lnk

[2012/06/16 14:58:02 | 000,000,136 | ---- | C] () -- C:\Users\admin\Desktop\Sins of a Solar Empire.lnk

[2012/06/15 16:41:51 | 000,528,884 | ---- | C] () -- C:\Users\admin\Documents\Gun.rtf

[2012/06/15 14:47:23 | 000,014,420 | ---- | C] () -- C:\Users\admin\Documents\French.odt

[2012/06/13 17:43:44 | 000,000,045 | ---- | C] () -- C:\Windows\System32\initdebug.nfo

[2012/06/13 17:02:15 | 000,001,722 | ---- | C] () -- C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk

[2012/06/13 17:02:15 | 000,001,698 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rainmeter.lnk

[2012/06/13 16:47:15 | 000,001,686 | ---- | C] () -- C:\Users\Public\Desktop\Rainmeter.lnk

[2012/06/12 21:23:50 | 000,001,910 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft LifeCam.lnk

[2012/06/11 12:00:22 | 737,252,976 | ---- | C] ( ) -- C:\Users\admin\Documents\Stalker_Complete_2009_v1.4.4_Setup.exe

[2012/06/11 11:58:02 | 000,000,799 | ---- | C] () -- C:\Users\admin\Desktop\S.T.A.L.K.E.R. Shadow of Chernobyl.lnk

[2012/06/10 13:36:45 | 000,012,038 | ---- | C] () -- C:\Users\admin\Documents\cc_20120610_133643.reg

[2012/06/07 15:19:06 | 000,001,133 | ---- | C] () -- C:\Users\admin\Desktop\DarthMod Ultimate Commander.lnk

[2012/06/06 16:37:28 | 000,000,969 | ---- | C] () -- C:\Users\admin\Desktop\Empire.exe - Shortcut.lnk

[2012/06/06 14:50:46 | 000,001,281 | ---- | C] () -- C:\Users\admin\Desktop\Burnout Paradise.lnk

[2012/06/04 19:29:47 | 000,001,332 | ---- | C] () -- C:\Users\admin\Documents\FTP Voyager JV on a12.net.ru.jnlp

[2012/06/04 18:44:33 | 000,000,600 | ---- | C] () -- C:\Users\admin\AppData\Roaming\winscp.rnd

[2012/06/04 15:23:20 | 000,001,633 | ---- | C] () -- C:\Users\Public\Desktop\Vuze.lnk

[2012/06/04 15:23:20 | 000,001,633 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Vuze.lnk

[2012/06/03 21:34:33 | 000,000,705 | ---- | C] () -- C:\Users\admin\Desktop\Gratuitous Tank Battles.lnk

[2012/06/01 18:10:25 | 000,000,915 | ---- | C] () -- C:\Users\admin\Desktop\Attack Darth Mod.lnk

[2012/05/31 17:10:30 | 643,090,122 | ---- | C] () -- C:\Users\admin\Documents\MIITW_UPDATE2_EFIGS_RC_Final.zip

[2012/05/29 17:36:11 | 000,001,988 | ---- | C] () -- C:\Users\admin\Documents\cc_20120529_173610.reg

[2012/05/27 14:18:38 | 000,000,900 | ---- | C] () -- C:\Users\Public\Desktop\Medieval II Total War.lnk

[2012/05/27 13:41:49 | 000,000,215 | ---- | C] () -- C:\Users\admin\Desktop\Total War SHOGUN 2.url

[2012/05/11 18:30:49 | 000,026,400 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro36.sys

[2012/05/08 17:08:42 | 000,140,304 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys

[2012/05/08 17:08:42 | 000,138,056 | ---- | C] () -- C:\Users\admin\AppData\Roaming\PnkBstrK.sys

[2012/05/08 17:08:27 | 000,281,032 | ---- | C] () -- C:\Windows\System32\PnkBstrB.exe

[2012/05/08 17:08:26 | 000,076,888 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe

[2012/05/08 03:16:56 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin

[2012/05/08 03:16:56 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

[2012/02/15 18:25:24 | 000,197,120 | ---- | C] () -- C:\Windows\patchw32.dll

[2012/02/14 15:46:03 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll

[2012/02/12 10:51:50 | 000,020,480 | ---- | C] () -- C:\Users\admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2012/02/12 10:30:55 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin

[2012/02/12 00:35:46 | 000,000,680 | ---- | C] () -- C:\Users\admin\AppData\Local\d3d9caps.dat

[2011/03/17 17:51:46 | 000,003,929 | ---- | C] () -- C:\Windows\System32\atipblag.dat

[2011/02/28 21:30:06 | 000,233,012 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat

[2010/08/26 02:19:36 | 000,037,376 | ---- | C] () -- C:\Windows\System32\atitmpxx.dll

< End of report >

Extra.txt

OTL Extras logfile created on: 25/06/2012 16:21:25 - Run 1

OTL by OldTimer - Version 3.2.53.0 Folder = C:\Users\admin\Desktop

Windows Vista Home Basic Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6001.18000)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.25 Gb Total Physical Memory | 2.32 Gb Available Physical Memory | 71.51% Memory free

6.73 Gb Paging File | 5.79 Gb Available in Paging File | 85.97% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 149.05 Gb Total Space | 38.18 Gb Free Space | 25.62% Space Free | Partition Type: NTFS

Drive E: | 931.51 Gb Total Space | 423.15 Gb Free Space | 45.43% Space Free | Partition Type: NTFS

Drive F: | 14.42 Gb Total Space | 8.40 Gb Free Space | 58.24% Space Free | Partition Type: FAT32

Computer Name: ADMIN-PC | User Name: admin | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

.html [@ = Opera.HTML] -- C:\Program Files\Opera\Opera.exe (Opera Software)

.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

htmlfile [edit] -- Reg Error: Key error.

https [open] -- "C:\Program Files\Opera\Opera.exe" "%1" (Opera Software)

InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"FirewallDisableNotify" = 0

"AntiVirusDisableNotify" = 0

"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"oobe_av" = 1

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |

"{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |

"{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |

"{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |

"{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |

"{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |

"{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |

"{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |

"{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |

"{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |

"{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |

"{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |

"{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |

"{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |

"{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |

"{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |

"{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |

"{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |

"{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |

"{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |

"{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |

"{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |

"{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |

"{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |

"{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |

"{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

"{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4

"{06092909-8851-C581-F990-7195076FDAEF}" = CCC Help Czech

"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended

"{0CA04779-346C-30FD-EB9B-8EEA2CE094B3}" = CCC Help Thai

"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime

"{14574B7F-75D1-4718-B7F2-EBF6E2862A35}" = Company of Heroes - FAKEMSI

"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4

"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB

"{199E6632-EB28-4F73-AECB-3E192EB92D18}" = Company of Heroes - FAKEMSI

"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1

"{1B3B5C60-70B8-F022-5497-03FD2772586C}" = CCC Help Greek

"{1C160168-BF5B-72FE-BAFA-6DD5F737404C}" = CCC Help Chinese Standard

"{1ED3EBF6-A130-4B3B-B01A-C29B067798B3}" = CCC Help Finnish

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{23B8A91D-680B-462B-87AD-3D70F7341731}" = iTunes

"{25724802-CC14-4B90-9F3B-3D6955EE27B1}" = Company of Heroes - FAKEMSI

"{26A24AE4-039D-4CA4-87B4-2F83216022F0}" = Java 6 Update 22

"{26A24AE4-039D-4CA4-87B4-2F83216030FF}" = Java 6 Update 30

"{278AD90C-D27D-AA89-58DF-AD13852D51CA}" = CCC Help Spanish

"{2CDBFF1A-6433-E94D-CA25-831FDB9775E9}" = CCC Help Italian

"{31DED885-1124-0E58-97FB-73E4EF692E8D}" = CCC Help Hungarian

"{32C4A4EB-C97D-414E-99C5-38F8DFD31D5D}" = Company of Heroes - FAKEMSI

"{33B670D7-8A06-DA5B-0341-5630D1E12007}" = ccc-core-static

"{38D65ABC-A00B-6E13-2EF3-826CFC8CFC14}" = CCC Help French

"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4

"{3B4325A0-43CD-10D1-64F6-BD2F90DCB756}" = Catalyst Control Center Graphics Previews Vista

"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile

"{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF010}" = Tribes Ascend

"{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF1FC}" = Hi-Rez Studios Authenticate and Update Service

"{3EEBD42E-4DC7-A874-645B-28B63907E930}" = ATI AVIVO Codecs

"{3F8B39A4-B7CE-B036-941C-A8DB57676B04}" = CCC Help Norwegian

"{411F3ABA-2AB5-4799-AA19-6ADF0A8F7424}" = Adobe Setup

"{41785C66-90F2-40CE-8CB5-1C94BFC97280}" = Microsoft Chart Controls for Microsoft .NET Framework 3.5

"{44E240EC-2224-4078-A88B-2CEE0D3016EF}" = Adobe After Effects CS4 Presets

"{45EC816C-0771-4C14-AE6D-72D1B578F4C8}" = Adobe After Effects CS4

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4ACF9BBA-E137-7309-7BF9-567ADAB6B4E6}" = CCC Help Turkish

"{50193078-F553-4EBA-AA77-64C9FAA12F98}" = Company of Heroes - FAKEMSI

"{51AD839D-CE11-B9E3-227D-03BC89F227C8}" = CCC Help Danish

"{51D718D1-DA81-4FAD-919F-5C1CE3C33379}" = Company of Heroes - FAKEMSI

"{529125EF-E3AC-4B74-97E6-F688A7C0F1BF}" = Paint.NET v3.5.10

"{55043DDE-D718-C7F7-9B4C-2B3D818D8A1F}" = Catalyst Control Center InstallProxy

"{561968FD-56A1-49FD-9ED0-F55482C7C5BC}" = Adobe Media Encoder CS4 Exporter

"{5774B4C1-8579-D5D9-8D38-A0CE32B6736C}" = CCC Help German

"{5D19BB0D-9B04-5B85-9295-4E11BCB1C2C3}" = CCC Help Polish

"{5D8A076D-F75E-A149-10D8-87338721AA3A}" = ATI Catalyst Install Manager

"{5FC7AB5C-61FC-42DF-A923-5139BCF10D42}" = Microsoft LifeCam

"{60341104-FC8E-EF26-12CB-93B17DF55976}" = CCC Help Japanese

"{60DB5894-B5A1-4B62-B0F3-669A22C0EE5D}" = Adobe Dynamiclink Support

"{62161867-51F1-9FB8-0E6E-FE49D89CBB71}" = CCC Help Dutch

"{6494E146-418F-85E1-142E-D2F122C75274}" = ccc-utility

"{65589581-920C-CAE1-58C2-2149D3AA3F39}" = HydraVision

"{66F78C51-D108-4F0C-A93C-1CBE74CE338F}" = Company of Heroes - FAKEMSI

"{67A9747A-E1F5-4E9A-81CC-12B5D5B81B6E}" = Adobe After Effects CS4 Third Party Content

"{6A7E9B60-4698-F505-CAD3-05F8AB22FB61}" = CCC Help Russian

"{6A9D1594-7791-48f5-9CAA-DE9BCB968320}" = Mass Effect™ 3

"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{75794DD1-5D69-4E33-A141-C3D4B0724C71}" = Catalyst Control Center Graphics Previews Common

"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update

"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour

"{79438F1E-DEC3-443D-9DCD-FECE2D68C605}" = IL-2 Sturmovik 1946

"{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III

"{7CE47764-9A8F-380D-FB9E-FCFC37B9F727}" = CCC Help Korean

"{7F4B1592-222F-4E5F-A100-E5AFD61A0BB3}" = Company of Heroes - FAKEMSI

"{80D03817-7943-4839-8E96-B9F924C5E67D}" = Company of Heroes - FAKEMSI

"{8186FF34-D389-4B7E-9A2F-C197585BCFBD}" = Adobe Media Encoder CS4 Importer

"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4

"{82AF3E91-57E1-4754-84D0-40A46E2479AB}" = OpenOffice.org 3.3

"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4

"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4

"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver For Windows Vista

"{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = Yontoo 1.10.02

"{907B4640-266B-4A21-92FB-CD1A86CD0F63}" = RollerCoaster Tycoon 3

"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4

"{9530AE42-DAE1-4619-9594-B23487285D17}" = NVIDIA PhysX

"{97E5205F-EA4F-438F-B211-F1846419F1C1}" = Company of Heroes - FAKEMSI

"{99A7722D-9ACB-43F3-A222-ABC7133F159E}" = Company of Heroes - FAKEMSI

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9ED77550-AF66-2B7E-97E1-34B3BFDEAC6D}" = CCC Help Swedish

"{A7E19604-93AF-4611-8C9F-CE509C2B286F}_is1" = Free YouTube Downloader 3.5.124

"{A8EC542E-309E-46D9-BA70-5E84BCFAEA20}_is1" = Inno Setup Unpacker Explorer 1.0

"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)

"{B05DE7B7-0B40-4411-BD4B-222CAE2D8F15}" = Adobe MotionPicture Color Files CS4

"{B15381DD-FF97-4FCD-A881-ED4DB0975500}" = Adobe Color Video Profiles AE CS4

"{B3BC9DB1-0B0A-48B0-B86B-EA77CAA7F800}" = Microsoft Corporation

"{BA801B94-C28D-46EE-B806-E1E021A3D519}" = Company of Heroes - FAKEMSI

"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module

"{BD8F867A-0ACB-427D-A4F2-9AEE29FBF98B}" = PocketCloud Windows Companion

"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3

"{C0698BDA-0D29-40EE-8570-A31106DF9AB1}" = Medieval II Total War

"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw

"{CE0900ED-C76A-40C0-8DB4-0F68D825B283}_is1" = Stranded II 1.0.0.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D4D244D1-05E0-4D24-86A2-B2433C435671}" = Company of Heroes - FAKEMSI

"{D689A337-E824-4AE5-828B-6E529BDF609A}" = FaceTrackNoIR

"{DDA34038-89BD-4804-B0B8-DC48D5DFB463}" = Catalyst Control Center - Branding

"{E0F2612B-0A80-40E7-AA35-BC7977C82150}" = Sins of a Solar Empire

"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime

"{E8454B5F-4122-864C-002D-31F878D2CBF4}" = CCC Help English

"{EA450D5D-95EA-4FD0-B8B0-6D8E68FBE2C7}" = Impulse

"{EAF636A9-F664-4703-A659-85A894DA264F}" = Company of Heroes - FAKEMSI

"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support

"{EFC04D3F-A152-47E7-8517-EE0F6201AFEF}" = Apple Mobile Device Support

"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

"{F0E6252F-8DC2-B508-D412-1C427CDB3448}" = CCC Help Portuguese

"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4

"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4

"{FCB6F9DC-A0FF-621E-DE53-877E63864DD1}" = CCC Help Chinese Traditional

"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All

"{FE4466A3-76B3-A9F4-9B22-150D6F8B4647}" = Catalyst Control Center Localization All

"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

"{Stalker Complete 2009 v1.4.4}}_is1" = Stalker Complete 2009 v1.4.4

"5513-1208-7298-9440" = JDownloader 0.9

"7-Zip" = 7-Zip 9.20

"8461-7759-5462-8226" = Vuze

"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin

"Adobe_3dcb365ab9e01871fb8c6f27b0ea079" = Adobe After Effects CS4

"ArmA 2" = ArmA 2 Uninstall

"ARMA 2 Operation Arrowhead" = ARMA 2 Operation Arrowhead Uninstall

"ArtMoney SE_is1" = ArtMoney SE v7.39.2

"Celtx (2.9.5)" = Celtx (2.9.5)

"Company of Heroes" = Company of Heroes

"DarthMod Ultimate Commander Edition" = DarthMod Ultimate Commander Edition

"Eastern Front" = Eastern Front

"EPSON Scanner" = EPSON Scan

"EPSON SX130 Series" = EPSON SX130 Series Printer Uninstall

"FreeFalcon6" = FreeFalcon6

"Impulse" = Impulse

"InstallShield_{79438F1E-DEC3-443D-9DCD-FECE2D68C605}" = IL-2 Sturmovik 1946

"InstallShield_{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended

"Mozilla Firefox 12.0 (x86 en-US)" = Mozilla Firefox 12.0 (x86 en-US)

"MozillaMaintenanceService" = Mozilla Maintenance Service

"Opera 12.00.1467" = Opera 12.00

"Origin" = Origin

"Postal 2_is1" = Portal 2

"PunkBusterSvc" = PunkBuster Services

"Rainmeter" = Rainmeter

"Songbird-release-2199" = Songbird 1.10.2 (Build 2199)

"SpeedFan" = SpeedFan (remove only)

"Steam App 34330" = Total War: SHOGUN 2

"Steam App 35450" = Red Orchestra 2: Heroes of Stalingrad

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1631720249-2444561240-318218109-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Darth Mod M2TW 1.4D" = Darth Mod M2TW 1.4D

"DarthMod Ultimate Commander Edition " = DarthMod Ultimate Commander Edition

"Google Chrome" = Google Chrome

"Sins of a Solar Empire" = Sins of a Solar Empire

"Spotify" = Spotify

========== Last 20 Event Log Errors ==========

[ Application Events ]

Error - 23/06/2012 06:52:24 | Computer Name = admin-PC | Source = Perflib | ID = 1008

Description =

Error - 23/06/2012 06:52:24 | Computer Name = admin-PC | Source = Perflib | ID = 1008

Description =

Error - 23/06/2012 06:52:25 | Computer Name = admin-PC | Source = Perflib | ID = 1008

Description =

Error - 23/06/2012 06:52:25 | Computer Name = admin-PC | Source = Perflib | ID = 1008

Description =

Error - 23/06/2012 08:10:10 | Computer Name = admin-PC | Source = System Restore | ID = 8193

Description =

Error - 23/06/2012 08:10:10 | Computer Name = admin-PC | Source = System Restore | ID = 8210

Description =

Error - 24/06/2012 04:50:39 | Computer Name = admin-PC | Source = WinMgmt | ID = 28

Description =

Error - 24/06/2012 04:52:42 | Computer Name = admin-PC | Source = SecurityCenter | ID = 3

Description = The Windows Security Center Service was unable to establish event

queries with WMI to monitor third party AntiVirus, AntiSpyware and Firewall.

Error - 24/06/2012 07:17:39 | Computer Name = admin-PC | Source = System Restore | ID = 8193

Description =

Error - 24/06/2012 07:17:39 | Computer Name = admin-PC | Source = System Restore | ID = 8210

Description =

[ System Events ]

Error - 25/06/2012 02:51:29 | Computer Name = admin-PC | Source = HTTP | ID = 15016

Description =

Error - 25/06/2012 02:52:57 | Computer Name = admin-PC | Source = Service Control Manager | ID = 7023

Description =

Error - 25/06/2012 02:52:57 | Computer Name = admin-PC | Source = Service Control Manager | ID = 7023

Description =

Error - 25/06/2012 02:52:57 | Computer Name = admin-PC | Source = Service Control Manager | ID = 7026

Description =

Error - 25/06/2012 03:10:22 | Computer Name = admin-PC | Source = DCOM | ID = 10010

Description =

Error - 25/06/2012 11:09:39 | Computer Name = admin-PC | Source = Application Popup | ID = 875

Description = Driver sfdrv01.sys has been blocked from loading.

Error - 25/06/2012 11:10:20 | Computer Name = admin-PC | Source = HTTP | ID = 15016

Description =

Error - 25/06/2012 11:11:37 | Computer Name = admin-PC | Source = Service Control Manager | ID = 7023

Description =

Error - 25/06/2012 11:11:37 | Computer Name = admin-PC | Source = Service Control Manager | ID = 7023

Description =

Error - 25/06/2012 11:11:37 | Computer Name = admin-PC | Source = Service Control Manager | ID = 7026

Description =

< End of report >


Do you have other computers connected to the same router and if so, do they have the same issues or only this computer?


That looks good. I wanted to verify this file because it was recently modified whereas other files belonging to this product were not.

Can you please restart your computer in safe mode with networking and see if the same pop ups occur there as well?


Please do a clean boot and see if the pop-ups stop after that: http://support.microsoft.com/kb/331796

If they stop, re-enable one program/application at a time and see which one is responsible for the pop-ups. This may be a tedious process, but is the best way to determine which program is causing the problems.


I did as you asked and managed to find the culprit.

C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe

It was launching on startup. When I enabled it, the pop-ups started again.


That is not known as a malicious file, but to be sure you may want to uninstall Apple Application Support.

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older versions of Adobe components and update:

  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security Scan Plus" option or any other Toolbar you are offered.
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the "click here to download" link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/Remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 7u4.
  • Look for "JDK 7u4 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
  • Save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetsmartinstaller_enu icon on your desktop.
    3. Check "YES, I accept the Terms of Use."
    4. Click the Start button.
    5. Accept any security warnings from your browser.
    6. Under scan settings, check "Scan Archives" and "Remove found threats"
    7. Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

  4. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  5. When the scan completes, click List Threats
  6. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  7. Click the Back button.
  8. Click the Finish button.


Are you still with us? This topic will be closed in a few days if we do not hear back from you.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
