
[Solved] Need to remove Trojan.fakealert


  • This topic is locked
17 replies to this topic

#1 Mignonster

Mignonster

    New Member

  • Authentic Member
  • 15 posts

Posted 01 June 2010 - 08:49 PM

Yesterday (5/31/10) I was browsing the internet on Firefox and I was prompted to download a new version of Adobe Flash Player, and clicked the link that popped up in order to download it. Shortly after downloading the supposed update I immediately noticed that something was wrong, because Internet Explorer suddenly popped up and had some error message about not being able to find the advertisement something or other I was looking for... except I wasn't looking for anything. I ran Malwarebytes right away and it found a few infected files which I told it to remove, and then as suggested I restarted the computer. Once it restarted I ran Malwarebytes again just to check everything out, and one of the infected files came across on the virus scan yet again, one named trojan.fakealert. Again I told it to delete the file and it claims that it did, but every time I run it, it keeps finding that file. Now the Internet Explorer popping up thing has stopped, but now I noticed that when on Firefox (I haven't tested it on any other browsers yet though) if I Google something and click on the link it will go to the link in a strange way. Rather than just loading the link's webpage it will do something like this (I googled "Six Flags"): http://www.google.co...;cr=1793179e1aA . I clicked on the first link, which was for www.sixflags.com, and rather than just going to the site it went to the above listed webpage, and then a couple of minutes later it will finally go to the right website. I'm not sure if this is related to the trojan.fakealert or not, but it is something that didn't start till after the trojan issue.

Thanks for the help!!!

Here is the DDS Log:
DDS (Ver_10-03-17.01) - NTFSx86
Run by remipmc at 21:27:06.55 on Tue 06/01/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_18
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3003.1495 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Users\remipmc\AppData\Roaming\e2dd7fe4.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\SMINST\BLService.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\alg.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox 3.6 Beta 3\firefox.exe
C:\Program Files\Mozilla Firefox 3.6 Beta 3\plugin-container.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\remipmc\AppData\Local\Temp\Nl1.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\remipmc\Downloads\dds(2).scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files\google\chrome frame\application\5.0.375.62\npchrome_frame.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [M5T8QL3YW3] c:\users\remipmc\appdata\local\temp\Nl1.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\remipmc\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\runnin~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: americanpetspa.com\www
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TCP: NameServer = 93.188.163.6,93.188.166.241
TCP: {08F46703-A7D7-478D-A637-B3B69C52CEBC} = 93.188.163.6,93.188.166.241
TCP: {48B35860-EEB6-4E15-B90A-5264CC4C376B} = 93.188.163.6,93.188.166.241
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\5.0.375.62\npchrome_frame.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\remipmc\appdata\roaming\mozilla\firefox\profiles\x4vqfjcz.default\
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\realarcade\npraclient.dll
FF - plugin: c:\users\remipmc\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\remipmc\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\remipmc\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.6 beta 3\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox 3.6 beta 3\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox 3.6 beta 3\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox 3.6 beta 3\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-18 114768]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-18 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-11-18 53328]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-10 138680]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
R2 MSSQL$DYNAMICSGPEDU;SQL Server (DYNAMICSGPEDU);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-4-22 365952]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-10 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-10 352920]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-4-22 193840]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-29 112128]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-30 38224]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-29 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\drivers\BthAvrcp.sys [2009-8-13 22528]
S3 csr_a2dp;Bluetooth AV Profile;c:\windows\system32\drivers\bthav.sys [2009-12-21 61952]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2009-7-25 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-8 1343400]

=============== Created Last 30 ================

2010-06-02 01:00:52 0 d-----w- c:\users\remipmc\appdata\roaming\WildTangent
2010-06-01 00:11:09 193536 ----a-w- c:\windows\Ndotia.exe
2010-06-01 00:11:01 68608 ----a-w- c:\windows\system32\ernel32.dll
2010-06-01 00:10:56 68608 ----a-w- c:\users\remipmc\appdata\roaming\e2dd7fe4.exe
2010-05-28 00:20:09 0 d-----w- c:\windows\system32\Temp
2010-05-28 00:20:09 0 d-----w- c:\program files\Palm Digital Media
2010-05-27 22:56:40 0 d-----w- c:\programdata\WinZip
2010-05-26 02:06:45 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 03:09:15 0 d-----w- c:\program files\Lost Lagoon - The Trail of Destiny
2010-05-23 06:08:10 0 d-----w- c:\program files\Tiger Eye - Part I - Curse of the Riddle Box
2010-05-21 04:38:40 0 d-----w- c:\program files\AviSynth 2.5
2010-05-21 02:19:26 0 d-----w- c:\users\remipmc\appdata\roaming\NCH Software
2010-05-20 23:24:20 0 d-----w- c:\programdata\NCH Swift Sound
2010-05-20 23:24:12 0 d-----w- c:\program files\NCH Swift Sound
2010-05-20 22:27:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2010-05-18 00:19:31 0 d-----w- c:\users\remipmc\appdata\roaming\Lazy Turtle Games
2010-05-16 23:35:27 0 d-----w- c:\users\remipmc\appdata\roaming\Magic3
2010-05-16 21:27:02 0 d-----w- c:\program files\Eternity
2010-05-16 20:29:16 0 d-----w- c:\users\remipmc\appdata\roaming\VendelGAMES
2010-05-11 23:00:44 740864 ----a-w- c:\windows\system32\inetcomm.dll

==================== Find3M ====================

2010-05-12 16:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-03-26 02:49:24 4096 ----a-w- c:\windows\d3dx.dat
2010-03-08 21:33:56 427520 ----a-w- c:\windows\system32\vbscript.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-11-23 03:58:14 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-11-23 03:58:14 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-11-23 03:58:14 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-11-23 03:58:14 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-30 08:21:15 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012010013020100131\index.dat
2010-01-28 03:08:56 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-31 04:03:49 16384 --sha-w- c:\windows\temp\cookies\index.dat
2010-01-31 04:03:49 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-01-31 04:03:49 16384 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 21:27:34.81 ===============

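A way to do the first-pass triage of a DDS report like the one above in code, as an added example that is not part of this thread or of the DDS tool. It runs a few analyst rules over an excerpt copied from the log in post #1: Run keys with random-looking names or with targets in user-writable directories, hard-coded DNS resolvers outside the private ranges a DHCP'd home laptop would normally use, newly created executables dropped directly into %SystemRoot%, and filenames one character away from a Windows system binary (ernel32.dll next to kernel32.dll). The resolver allowlist and the list of system-file names are constructed assumptions. The rules only say which lines deserve a look, not that any file or address is malicious; checking the resolver addresses against a current threat-intelligence source remains the analyst's job.

```python
"""First-pass triage of a DDS 'Pseudo HJT Report' / 'Created Last 30' log.

Example code added to this thread; not part of the original posts or of DDS.
"""
import ipaddress
import re

# Excerpt copied from the DDS report in post #1 (constructed sample input).
SAMPLE_LOG = r"""
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [M5T8QL3YW3] c:\users\remipmc\appdata\local\temp\Nl1.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
TCP: NameServer = 93.188.163.6,93.188.166.241
TCP: {08F46703-A7D7-478D-A637-B3B69C52CEBC} = 93.188.163.6,93.188.166.241
2010-06-01 00:11:09 193536 ----a-w- c:\windows\Ndotia.exe
2010-06-01 00:11:01 68608 ----a-w- c:\windows\system32\ernel32.dll
2010-06-01 00:10:56 68608 ----a-w- c:\users\remipmc\appdata\roaming\e2dd7fe4.exe
"""

# Assumption: a home laptop on DHCP resolves through its router on a private
# range, so any hard-coded public resolver is worth a look. Adjust per site.
EXPECTED_RESOLVER_NETS = [ipaddress.ip_network(n) for n in
                          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Constructed, non-exhaustive list of names droppers like to typosquat.
KNOWN_SYSTEM_FILES = ("kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
                      "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
NS_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (?P<ips>[\d.,]+)$")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>[a-z]:\\.+)$", re.I)
HEX_NAME_RE = re.compile(r"[0-9a-f]{8}\.(?:exe|dll)")
RANDOM_KEY_RE = re.compile(r"[A-Z0-9]{8,}")


def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # extra character in a
        elif len(b) > len(a):
            j += 1          # missing character in a
        else:
            i += 1          # substitution
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def basename(path):
    return re.split(r"[\\/]", path)[-1]


def triage(log_text):
    """Return (rule, line) pairs for the report lines that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd").lower()
            if RANDOM_KEY_RE.fullmatch(name) and re.search(r"\d", name) and re.search(r"[A-Z]", name):
                findings.append(("run key with random-looking name", line))
            if any(d in cmd for d in USER_WRITABLE):
                findings.append(("run key launching from a user-writable directory", line))
            continue
        m = NS_RE.match(line)
        if m:
            ips = [ipaddress.ip_address(x) for x in m.group("ips").split(",") if x]
            bad = [str(ip) for ip in ips if not any(ip in net for net in EXPECTED_RESOLVER_NETS)]
            if bad:
                findings.append(("hard-coded resolver outside expected ranges: " + ",".join(bad), line))
            continue
        m = CREATED_RE.match(line)
        if m:
            path = m.group("path").lower()
            base = basename(path)
            parent = path[: -len(base) - 1]
            if base not in KNOWN_SYSTEM_FILES:
                look = [k for k in KNOWN_SYSTEM_FILES if within_one_edit(base, k)]
                if look:
                    findings.append(("lookalike of " + look[0], line))
                    continue
            if parent == "c:\\windows" and base.endswith(".exe"):
                findings.append(("new executable directly in %SystemRoot%", line))
            elif HEX_NAME_RE.fullmatch(base) and any(d in path for d in USER_WRITABLE):
                findings.append(("hex-named executable in a user-writable directory", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule}]\n    {line}")
```

Run as a script it prints the seven flagged lines from the excerpt. On a full report, feed the whole file to triage() and expect some noise from the Created Last 30 section (Windows Update also drops fresh DLLs into system32), which is why the lookalike rule compares names rather than timestamps.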


#2 JonTom

JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 02 June 2010 - 01:04 AM

Hello Mignonster and :welcome:

My name is JonTom.

  • Malware Logs can sometimes take a lot of time to research and interpret.
  • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
  • PLEASE NOTE: If you do not reply after 5 days your thread will be closed.

  • Please be aware that I am still in training, and all of my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
  • This may cause a delay in response time, but I will do my best to keep it as short as possible.
  • I will reply back shortly with instructions.

Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom

#3 JonTom

JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 02 June 2010 - 02:36 PM

Hello Mignonster

Thank you for the log. Please work your way through the following steps. If you encounter any difficulties, come back and let me know.


  • exeHelper


    • Please download exeHelper by clicking here and save the file (called exeHelper.com) to your desktop.
    • Double click on exeHelper.com to run the fix.
    • A black window should pop up. Press any key to close once the fix is completed.
    • Post the contents of log.txt (it will be created in the directory where you ran exeHelper.com).
    • NOTE: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

  • Download and run OTL by Oldtimer


    • Please download OTL by Oldtimer by clicking here and save the file (called OTL.exe) to your desktop.
    • Close all open windows on your computer then Double click on the OTL.exe icon to run the program.
    • Check the boxes beside "LOP Check" and "Purity Check".
    • Under Custom Scan paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    CREATERESTOREPOINT


    • Click the "Run Scan" button. Do not change any settings unless specifically told to do so. The scan will not take long.

    • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
    • Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Please Copy and Paste the contents of both files in your next reply.

  • Please scan your system with GMER


    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


In your next reply please provide the exeHelper log, the OTL logs and the GMER log.

Note: You may need to make more than one post to fit all of the required information in.


#4 Mignonster

Mignonster

    New Member

  • Authentic Member
  • 15 posts

Posted 02 June 2010 - 06:02 PM

OK here you go:

exeHelper by Raktor
Build 20100414
Run at 18:06:27 on 06/02/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


OTL logfile created on: 6/2/2010 6:09:53 PM - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Users\remipmc\Downloads
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 52.00% Memory free
6.00 Gb Paging File | 4.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 138.13 Gb Total Space | 39.29 Gb Free Space | 28.45% Space Free | Partition Type: NTFS
Drive D: | 10.92 Gb Total Space | 1.83 Gb Free Space | 16.76% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: REMIPMC-PC
Current User Name: remipmc
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/02 18:07:38 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\remipmc\Downloads\OTL.exe
PRC - [2010/05/31 19:11:00 | 000,173,056 | ---- | M] () -- C:\Users\remipmc\AppData\Local\Temp\Nl1.exe
PRC - [2010/05/31 19:10:56 | 000,068,608 | ---- | M] (Microsoft Corporation) -- C:\Users\remipmc\AppData\Roaming\e2dd7fe4.exe
PRC - [2010/05/28 19:16:23 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox 3.6 Beta 3\plugin-container.exe
PRC - [2010/05/28 19:16:20 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox 3.6 Beta 3\firefox.exe
PRC - [2010/01/11 16:21:52 | 000,490,216 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2009/11/24 18:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 18:51:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 18:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/10/31 00:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/08/18 11:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
PRC - [2009/08/18 11:29:22 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
PRC - [2009/07/24 22:40:30 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/07/24 22:40:28 | 000,122,368 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
PRC - [2009/07/13 20:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/05/27 04:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/02/26 15:24:50 | 000,097,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
PRC - [2008/11/24 23:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 23:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/10/06 11:54:52 | 000,365,952 | ---- | M] () -- C:\Program Files\SMINST\BLService.exe
PRC - [2006/04/19 21:45:34 | 001,073,152 | ---- | M] () -- C:\Program Files\WiFiConnector\NintendoWFCReg.exe


========== Modules (SafeList) ==========

MOD - [2010/06/02 18:07:38 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\remipmc\Downloads\OTL.exe
MOD - [2009/07/13 20:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 20:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 20:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/13 20:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 20:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/13 20:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 20:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 20:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 20:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 20:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/13 20:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2009/07/13 20:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/08 17:06:52 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 18:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 18:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/08/18 11:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2009/07/13 20:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 20:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 20:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 20:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 20:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 20:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 20:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 20:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 20:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 20:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 20:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 20:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 20:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 20:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 20:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 20:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 20:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/13 20:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 20:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/05/27 04:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$DYNAMICSGPEDU) SQL Server (DYNAMICSGPEDU)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/04/29 04:21:04 | 000,410,624 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\System32\XAudio32.dll -- (HsfXAudioService)
SRV - [2009/02/06 18:08:58 | 000,533,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2008/11/24 23:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 23:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 23:31:08 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/10/06 11:54:52 | 000,365,952 | ---- | M] () [Auto | Running] -- C:\Program Files\SMINST\BLService.exe -- (Recovery Service for Windows)
SRV - [2007/05/31 16:21:24 | 000,379,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007/05/31 16:21:18 | 000,183,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)


========== Driver Services (SafeList) ==========

DRV - [2009/12/21 14:14:26 | 000,061,952 | ---- | M] (CSR, plc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\bthav.sys -- (csr_a2dp)
DRV - [2009/12/11 02:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/11/24 18:49:07 | 000,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/24 18:48:57 | 000,023,120 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/09/15 06:55:30 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/09/15 06:55:19 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/09/15 06:55:09 | 000,053,328 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2009/08/13 22:48:00 | 005,946,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2009/08/13 09:23:02 | 000,022,528 | ---- | M] (CSR, plc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BthAvrcp.sys -- (BthAvrcp)
DRV - [2009/07/13 20:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/13 20:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/13 20:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/13 20:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/13 20:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/13 20:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/13 20:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/13 20:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/13 20:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/13 20:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/13 20:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/13 20:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/13 20:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/13 20:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/13 20:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/13 20:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/13 20:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/13 20:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/13 20:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/13 20:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/13 20:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/13 20:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/13 20:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/13 20:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/13 20:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/13 20:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/13 20:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/13 20:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/13 20:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/13 20:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/13 20:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/13 20:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/13 20:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/13 20:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/13 20:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/13 20:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/13 20:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/13 20:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/13 19:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/13 19:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\rdpbus.sys -- (rdpbus)
DRV - [2009/07/13 19:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/13 18:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/13 18:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/13 18:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/13 18:52:04 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vwififlt.sys -- (vwififlt)
DRV - [2009/07/13 18:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/13 18:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\1394ohci.sys -- (1394ohci)
DRV - [2009/07/13 18:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/13 18:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WINUSB)
DRV - [2009/07/13 18:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/13 18:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/13 18:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/13 18:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/13 18:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/13 18:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/13 18:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/13 18:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/13 18:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 17:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 17:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 17:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 17:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 17:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 17:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 17:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 17:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 17:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/05/25 06:50:44 | 000,164,864 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2009/04/29 04:20:56 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio32.sys -- (XAudio)
DRV - [2009/02/12 15:00:22 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2009/02/12 14:58:16 | 000,207,360 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2009/02/12 14:57:28 | 000,661,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2009/02/06 18:08:52 | 000,055,280 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\fssfltr.sys -- (fssfltr)
DRV - [2008/12/20 02:01:46 | 001,093,120 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/10/03 03:39:28 | 000,222,208 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2008/06/29 09:52:26 | 000,112,128 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®
DRV - [2008/04/17 13:05:16 | 000,199,344 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/06/18 19:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2006/04/10 00:02:17 | 000,162,816 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RT25USBAP.SYS -- (RT25USBAP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...rio&pf=cnnb

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/21 18:21:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/31 20:10:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.4\extensions\\Components: C:\Program Files\Mozilla Firefox 3.6 Beta 3\components [2010/05/28 19:16:29 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.4\extensions\\Plugins: C:\Program Files\Mozilla Firefox 3.6 Beta 3\plugins [2010/05/31 20:10:40 | 000,000,000 | ---D | M]

[2009/11/18 16:42:28 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Mozilla\Extensions
[2009/07/25 00:23:15 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2010/06/01 19:26:21 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Mozilla\Firefox\Profiles\x4vqfjcz.default\extensions
[2009/11/18 16:42:30 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\remipmc\AppData\Roaming\Mozilla\Firefox\Profiles\x4vqfjcz.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/01/30 02:42:28 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/01/30 01:59:40 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\npmozax@real.com
[2009/03/30 17:13:54 | 000,098,304 | ---- | M] (RealNetworks) -- C:\Program Files\Mozilla Firefox\plugins\npraclient.dll

O1 HOSTS File: ([2010/01/30 14:55:15 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (ChromeFrame BHO) - {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files\Google\Chrome Frame\Application\5.0.375.62\npchrome_frame.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [UpdateLBPShortCut] C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePDIRShortCut] C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKCU..\Run: [M5T8QL3YW3] C:\Users\remipmc\AppData\Local\Temp\Nl1.exe ()
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Users\remipmc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll (Google Inc.)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: americanpetspa.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKCU\..Trusted Ranges: Range2 ([http] in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.6,93.188.166.241
O18 - Protocol\Handler\cf - No CLSID value found
O18 - Protocol\Handler\gcf {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files\Google\Chrome Frame\Application\5.0.375.62\npchrome_frame.dll (Google Inc.)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Windows\web\wallpaper\Ripple.jpg
O24 - Desktop BackupWallPaper: C:\Windows\web\wallpaper\Ripple.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (livessp) - C:\Windows\System32\livessp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{3e6ba215-d35a-11de-835f-001f16789a54}\Shell - "" = AutoRun
O33 - MountPoints2\{3e6ba215-d35a-11de-835f-001f16789a54}\Shell\AutoRun\command - "" = F:\iStudio.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2009/07/13 21:37:08 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2010/06/01 20:00:52 | 000,000,000 | ---D | C] -- C:\Users\remipmc\AppData\Roaming\WildTangent
[2010/05/31 19:11:01 | 000,068,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ernel32.dll
[2010/05/31 19:10:56 | 000,068,608 | ---- | C] (Microsoft Corporation) -- C:\Users\remipmc\AppData\Roaming\e2dd7fe4.exe
[2010/05/28 19:54:06 | 000,000,000 | ---D | C] -- C:\Users\remipmc\Desktop\Cypress Hill - Rise Up (2010) [ResourceRG Music by KloWn]
[2010/05/28 19:07:54 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/05/27 19:20:09 | 000,000,000 | ---D | C] -- C:\Windows\System32\Temp
[2010/05/27 19:20:09 | 000,000,000 | ---D | C] -- C:\Program Files\Palm Digital Media
[2010/05/27 18:40:18 | 000,000,000 | ---D | C] -- C:\Users\remipmc\Desktop\HD2 Apps
[2010/05/27 17:56:59 | 000,000,000 | ---D | C] -- C:\Users\remipmc\AppData\Local\WinZip
[2010/05/27 17:56:40 | 000,000,000 | ---D | C] -- C:\ProgramData\WinZip
[2010/05/27 17:56:36 | 000,000,000 | ---D | C] -- C:\Program Files\WinZip
[2010/05/25 21:06:45 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010/05/24 19:47:30 | 000,000,000 | ---D | C] -- C:\Users\remipmc\Documents\Red Kawa
[2010/05/24 19:47:30 | 000,000,000 | ---D | C] -- C:\Users\remipmc\AppData\Local\Geckofx
[2010/05/23 22:09:15 | 000,000,000 | ---D | C] -- C:\Program Files\Lost Lagoon - The Trail of Destiny
[2010/05/23 02:00:25 | 000,000,000 | ---D | C] -- C:\Users\remipmc\Documents\PassionFruit Games
[2010/05/23 01:08:10 | 000,000,000 | ---D | C] -- C:\Program Files\Tiger Eye - Part I - Curse of the Riddle Box
[2010/05/22 15:34:04 | 000,000,000 | ---D | C] -- C:\Users\remipmc\Desktop\music hd2 2
[2010/05/20 23:38:40 | 000,000,000 | ---D | C] -- C:\Program Files\AviSynth 2.5
[2010/05/20 21:19:26 | 000,000,000 | ---D | C] -- C:\Users\remipmc\AppData\Roaming\NCH Software
[2010/05/20 18:40:44 | 000,000,000 | ---D | C] -- C:\Users\remipmc\Desktop\music 3
[2010/05/20 18:24:52 | 000,000,000 | ---D | C] -- C:\Users\remipmc\Desktop\Music hd2
[2010/05/20 18:24:20 | 000,000,000 | ---D | C] -- C:\ProgramData\NCH Swift Sound
[2010/05/20 18:24:12 | 000,000,000 | ---D | C] -- C:\Program Files\NCH Swift Sound
[2010/05/20 18:24:07 | 000,000,000 | ---D | C] -- C:\Users\remipmc\AppData\Roaming\NCH Swift Sound
[2010/05/17 19:19:31 | 000,000,000 | ---D | C] -- C:\Users\remipmc\AppData\Roaming\Lazy Turtle Games
[2010/05/16 18:35:27 | 000,000,000 | ---D | C] -- C:\Users\remipmc\AppData\Roaming\Magic3
[2010/05/16 16:31:03 | 000,000,000 | ---D | C] -- C:\Users\remipmc\AppData\Local\Oberon Games
[2010/05/16 16:27:02 | 000,000,000 | ---D | C] -- C:\Program Files\Eternity
[2010/05/16 15:29:16 | 000,000,000 | ---D | C] -- C:\Users\remipmc\AppData\Roaming\VendelGAMES
[2010/05/09 23:21:22 | 000,000,000 | ---D | C] -- C:\Users\remipmc\Desktop\VIDEO_TS
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/02 18:12:36 | 000,000,000 | -H-- | M] () -- C:\Windows\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
[2010/06/02 18:12:33 | 004,194,304 | -HS- | M] () -- C:\Users\remipmc\NTUSER.DAT
[2010/06/02 18:08:03 | 000,002,853 | ---- | M] () -- C:\Users\remipmc\Desktop\exeHelper - Shortcut.pif
[2010/06/02 17:45:00 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/06/02 17:40:12 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/06/02 17:30:46 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/06/01 21:24:12 | 000,002,039 | ---- | M] () -- C:\Users\remipmc\Desktop\HijackThis.lnk
[2010/05/31 23:30:44 | 000,011,104 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/31 23:30:44 | 000,011,104 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/31 23:24:01 | 000,000,284 | ---- | M] () -- C:\ProgramData\hpqp.ini
[2010/05/31 23:23:22 | 000,000,250 | -H-- | M] () -- C:\Windows\tasks\MSWD-e2dd7fe4.job
[2010/05/31 23:23:20 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/31 23:22:58 | 2361,806,848 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/31 23:22:12 | 001,551,008 | -H-- | M] () -- C:\Users\remipmc\AppData\Local\IconCache.db
[2010/05/31 22:31:28 | 000,146,736 | ---- | M] () -- C:\Users\remipmc\Desktop\elvis.png
[2010/05/31 22:29:55 | 000,133,536 | ---- | M] () -- C:\Users\remipmc\Desktop\elvis_presley_12.jpg
[2010/05/31 22:15:25 | 000,783,886 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/05/31 22:15:25 | 000,664,972 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/05/31 22:15:25 | 000,122,368 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/05/31 19:10:57 | 000,193,536 | ---- | M] () -- C:\Windows\Ndotia.exe
[2010/05/31 19:10:56 | 000,068,608 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ernel32.dll
[2010/05/31 19:10:56 | 000,068,608 | ---- | M] (Microsoft Corporation) -- C:\Users\remipmc\AppData\Roaming\e2dd7fe4.exe
[2010/05/28 23:01:57 | 000,001,314 | ---- | M] () -- C:\Users\Public\Desktop\More Great Games.lnk
[2010/05/27 17:56:49 | 000,002,205 | ---- | M] () -- C:\Users\Public\Desktop\WinZip.lnk
[2010/05/26 22:24:51 | 000,064,270 | ---- | M] () -- C:\Users\remipmc\Desktop\CKNRS027_LG1.jpg
[2010/05/26 22:24:24 | 000,049,281 | ---- | M] () -- C:\Users\remipmc\Desktop\CKNRS022_LG1.jpg
[2010/05/26 22:17:34 | 000,090,589 | ---- | M] () -- C:\Users\remipmc\Desktop\Chuck_Norris_You_Loose-T.jpg
[2010/05/20 18:24:13 | 000,001,107 | ---- | M] () -- C:\Users\Public\Desktop\Switch Sound File Converter.lnk
[2010/05/20 17:28:03 | 000,001,152 | ---- | M] () -- C:\Users\remipmc\Desktop\Windows Mobile Membership.lnk
[2010/05/20 17:27:45 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
[2010/05/12 11:21:16 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010/05/05 21:57:28 | 000,051,131 | ---- | M] () -- C:\Users\remipmc\Desktop\856160521_7pVy7-M.jpg
[2010/05/05 21:51:44 | 000,040,470 | ---- | M] () -- C:\Users\remipmc\Desktop\835794768_ejZru-M.jpg
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/02 18:08:02 | 000,002,853 | ---- | C] () -- C:\Users\remipmc\Desktop\exeHelper - Shortcut.pif
[2010/06/01 21:24:12 | 000,002,039 | ---- | C] () -- C:\Users\remipmc\Desktop\HijackThis.lnk
[2010/05/31 22:31:28 | 000,146,736 | ---- | C] () -- C:\Users\remipmc\Desktop\elvis.png
[2010/05/31 22:29:27 | 000,133,536 | ---- | C] () -- C:\Users\remipmc\Desktop\elvis_presley_12.jpg
[2010/05/31 19:11:09 | 000,193,536 | ---- | C] () -- C:\Windows\Ndotia.exe
[2010/05/31 19:11:04 | 000,000,294 | -H-- | C] () -- C:\Windows\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
[2010/05/31 19:10:56 | 000,000,250 | -H-- | C] () -- C:\Windows\tasks\MSWD-e2dd7fe4.job
[2010/05/28 23:01:57 | 000,001,314 | ---- | C] () -- C:\Users\Public\Desktop\More Great Games.lnk
[2010/05/27 17:56:49 | 000,002,205 | ---- | C] () -- C:\Users\Public\Desktop\WinZip.lnk
[2010/05/26 22:24:51 | 000,064,270 | ---- | C] () -- C:\Users\remipmc\Desktop\CKNRS027_LG1.jpg
[2010/05/26 22:24:22 | 000,049,281 | ---- | C] () -- C:\Users\remipmc\Desktop\CKNRS022_LG1.jpg
[2010/05/26 22:17:32 | 000,090,589 | ---- | C] () -- C:\Users\remipmc\Desktop\Chuck_Norris_You_Loose-T.jpg
[2010/05/20 18:24:13 | 000,001,107 | ---- | C] () -- C:\Users\Public\Desktop\Switch Sound File Converter.lnk
[2010/05/20 17:28:03 | 000,001,152 | ---- | C] () -- C:\Users\remipmc\Desktop\Windows Mobile Membership.lnk
[2010/05/20 17:27:45 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
[2010/05/09 23:15:24 | 141,885,440 | ---- | C] () -- C:\Users\remipmc\Desktop\Mignon.VOB
[2010/05/05 21:57:28 | 000,051,131 | ---- | C] () -- C:\Users\remipmc\Desktop\856160521_7pVy7-M.jpg
[2010/05/05 21:51:43 | 000,040,470 | ---- | C] () -- C:\Users\remipmc\Desktop\835794768_ejZru-M.jpg
[2010/02/02 20:19:50 | 000,000,133 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/12/10 20:15:42 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/25 00:58:55 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/07/13 18:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/03/05 06:54:58 | 000,073,728 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2008/06/29 09:52:14 | 000,004,608 | ---- | C] () -- C:\Windows\System32\HdmiCoin.dll
[2006/03/09 04:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

========== LOP Check ==========

[2009/11/18 16:41:58 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Aisle 5 Games, Inc
[2009/11/18 16:42:00 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Anabel
[2010/04/15 21:55:26 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Artogon
[2009/11/18 16:42:00 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Awem
[2010/03/22 22:18:46 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\AzuazGames
[2010/05/21 18:25:26 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Azureus
[2010/01/25 22:53:12 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Big Fish Games
[2010/05/31 19:58:06 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\BitTorrent
[2010/04/15 17:43:13 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Boomzap
[2009/11/18 16:42:02 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Canon
[2009/11/28 22:49:13 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\casanova
[2009/11/18 16:42:02 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\CasualForge
[2009/11/18 16:42:03 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Cat's Eye Games
[2009/11/18 16:42:03 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\CupcakeCafe
[2010/03/29 19:56:03 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\DarkParablesBriarRoseSE_BFG
[2010/03/30 18:38:29 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\DarkParablesBriarRose_BFG
[2010/01/09 21:57:41 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Dekovir
[2010/01/18 23:33:30 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Dragon Altar Games
[2009/11/18 16:42:03 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Enlightenus
[2010/05/28 23:02:32 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\ERS G-Studio
[2010/01/09 23:10:13 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\EscapeTheMuseum2
[2010/04/28 21:57:35 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Facebook
[2009/11/18 16:42:03 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Flood Light Games
[2010/04/25 16:52:43 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\FlyWheelGames
[2010/03/28 21:42:47 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Frogwares
[2009/11/18 16:42:03 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\funkitron
[2010/03/21 22:21:40 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\G-HeadGames
[2010/04/15 21:57:09 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\GameMill Entertainment
[2009/11/18 16:42:03 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Gamers Digital
[2009/11/18 16:42:03 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Games
[2010/01/25 23:01:56 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Green Clover Games
[2009/11/18 16:42:03 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\HdO Adventure
[2009/11/18 16:42:03 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\HiT-MM
[2009/11/18 16:42:03 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\IronCode
[2010/04/04 21:48:17 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Jetdogs Studios
[2010/01/04 23:00:27 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\JoyBits
[2010/05/17 19:19:31 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Lazy Turtle Games
[2010/05/01 22:07:36 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\LimeWire
[2009/11/18 16:42:07 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\MA
[2009/11/18 16:42:20 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Magic Academy 2
[2010/05/16 18:39:00 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Magic3
[2009/11/18 16:42:20 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Meridian93
[2010/04/25 14:51:50 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Merscom
[2009/11/18 16:42:30 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\My Games
[2010/05/20 18:24:07 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\NCH Swift Sound
[2010/01/18 00:10:31 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Orneon
[2010/04/17 19:58:35 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\PlayFirst
[2009/11/18 16:42:31 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Playrix Entertainment
[2009/11/18 16:42:31 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\PoBros
[2009/11/18 16:42:32 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Princess Isabella
[2010/03/21 00:53:01 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\QB9
[2010/01/04 22:24:56 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\SerpentOfIsis
[2010/01/26 21:59:52 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\SevenSails
[2009/11/18 16:42:32 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\she_is_a_shadow
[2010/03/25 21:49:48 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Silverback Productions
[2010/03/26 18:51:30 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Skunk Studios
[2010/04/25 22:09:35 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Specialbit
[2009/11/18 16:42:32 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\SpinTop
[2009/11/18 16:42:32 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\SprillRichiEng
[2010/05/23 00:57:13 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\SulusGames
[2010/01/31 15:08:35 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\TheFixerUpper
[2010/04/17 19:16:28 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Top Evidence
[2009/11/18 16:42:32 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\V-Games
[2010/05/16 15:29:16 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\VendelGAMES
[2010/06/01 20:00:52 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\WildTangent
[2009/11/18 16:42:32 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\Winv1001
[2010/01/04 20:33:59 | 000,000,000 | ---D | M] -- C:\Users\remipmc\AppData\Roaming\YoudaGames
[2010/05/31 23:23:22 | 000,000,250 | -H-- | M] () -- C:\Windows\Tasks\MSWD-e2dd7fe4.job
[2009/07/13 23:53:46 | 000,016,142 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/06/02 18:12:39 | 000,000,246 | -H-- | M] () -- C:\Windows\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/07/13 20:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\ERDNT\cache\AGP440.sys
[2009/07/13 20:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys
[2009/07/13 20:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys
[2009/07/13 20:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/07/13 20:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\ERDNT\cache\atapi.sys
[2010/01/30 17:57:57 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009/07/13 20:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
[2009/07/13 20:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/13 20:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\ERDNT\cache\cngaudit.dll
[2009/07/13 20:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009/07/13 20:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll

< MD5 for: EVENTLOG.DLL >
[2007/05/17 23:34:04 | 000,007,216 | ---- | M] () MD5=C2A279A458A06DE2C83D842AA042B5A8 -- C:\Program Files\CyberLink\PowerDirector\EventLog.dll

< MD5 for: IASTORV.SYS >
[2009/07/13 20:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\drivers\iaStorV.sys
[2009/07/13 20:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/13 20:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/13 20:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\ERDNT\cache\netlogon.dll
[2009/07/13 20:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll
[2009/07/13 20:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2009/07/13 20:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\drivers\nvstor.sys
[2009/07/13 20:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/13 20:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/07/13 20:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\ERDNT\cache\scecli.dll
[2009/07/13 20:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\System32\scecli.dll
[2009/07/13 20:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %systemroot%\system32\drivers\*.sys /90 >

========== Alternate Data Streams ==========


< End of report >


This "Extras" one did not pop up; I had to search for it, then copy and paste it... just FYI.


OTL Extras logfile created on: 6/2/2010 6:09:53 PM - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Users\remipmc\Downloads
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 52.00% Memory free
6.00 Gb Paging File | 4.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 138.13 Gb Total Space | 39.29 Gb Free Space | 28.45% Space Free | Partition Type: NTFS
Drive D: | 10.92 Gb Total Space | 1.83 Gb Free Space | 16.76% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: REMIPMC-PC
Current User Name: remipmc
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0054A0F6-00C9-4498-B821-B5C9578F433E}" = HP Help and Support
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0E7DBD52-B097-4F2B-A7C7-F105B0D20FDB}" = LightScribe System Software 1.14.17.1
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID Sign-in Assistant
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP210_series" = Canon MP210 series
"{154A4184-1A3D-4BF9-A5AE-4FA1660445F3}" = HP Total Care Advisor
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (DYNAMICSGPEDU)
"{2E56775F-12A6-44CB-A969-3C2CEB371313}" = Dexterity Shared Components 10.0
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 H2
"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZero Preloader
"{38058455-8C21-4C2F-B2F6-14ED166039CB}" = HP Total Care Setup
"{3877C901-7B90-4727-A639-B6ED2DD59D43}" = ESU for Microsoft Vista
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C52E7DA-C431-4239-B66B-1BF703D5B194}" = Windows Live Photo Gallery
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 3.7
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}" = Junk Mail filter update
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{57A5AEC1-97FC-474D-92C4-908FCC2253D4}" = HP Customer Experience Enhancements
"{5C6F884D-680C-448B-B4C9-22296EE1B206}" = Logitech Harmony Remote Software 7
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{6423EF83-6E1D-4D22-A36F-689CD19FD4D2}" = Juno Preloader
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{65F79096-EB6C-47DE-9E1F-099861DC057F}" = eReader
"{665CBCA4-5AB0-414B-A288-3F8F99FEFC45}" = HP User Guides 0118
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{690AAD8D-7962-480E-A875-B01C78B883C3}" = Microsoft Dynamics GP-Education 10.0
"{690AAD8D-7962-480E-A875-B01C78B883C3}_Ex" = Microsoft Dynamics GP-Education 10.0
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76CD2979-09C0-493A-84B3-8FD97EF4BCEA}" = Windows Live Family Safety
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7B15D70E-9449-4CFB-B9BC-798465B2BD5C}" = Norton Internet Security
"{8471021C-F529-43DE-84DF-3612E10F58C4}" = Remote Control USB Driver
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{885F5AC6-4413-4D30-99A9-F4494BFA4923}" = Logitech Harmony Remote Software 7
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{904CCF62-818D-4675-BC76-D37EB399F917}" = Windows Mobile Device Center
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91710409-8000-11D3-8CFE-0150048383C9}" = Microsoft Application Error Reporting
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96384578-C6A2-4EC6-92CD-B62A60713040}" = Microsoft Live Search Toolbar
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9ADABDDE-9644-461B-9E73-83FA3EFCAB50}" = HP Wireless Assistant
"{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}" = Windows Live Sync
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.1
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AD72CFB4-C2BF-424E-9DF0-C7BAD1F30A11}" = Adobe Shockwave Player
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240BD}" = WinZip 14.5
"{CE7E3BE0-2DD3-4416-A690-F9E4A99A8CFF}" = HP Active Support Library
"{DD35C328-F115-BEDA-6EEE-E00C5AACCCBC}" = muvee Reveal
"{ECEE0279-785F-4CB3-9F28-E69813234BF8}" = SPORE Creature Creator Trial Edition
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"8461-7759-5462-8226" = Vuze
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"avast!" = avast! Antivirus
"AviSynth" = AviSynth 2.5
"BFGC" = Big Fish Games: Game Manager
"BFG-Eternity" = Eternity
"BFG-Lost Lagoon - The Trail of Destiny" = Lost Lagoon: The Trail of Destiny
"BFG-Tiger Eye - Part I - Curse of the Riddle Box" = Tiger Eye - Part I: Curse of the Riddle Box
"CNXT_MODEM_HDA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ENTERPRISER" = Microsoft Office Enterprise 2007
"FLAC" = FLAC 1.2.1b (remove only)
"GameHouse" = GameHouse
"Google Chrome Frame" = Google Chrome Frame
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"LimeWire" = LimeWire 5.5.8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)
"Mozilla Firefox (3.6.4)" = Mozilla Firefox (3.6.4)
"MP Navigator EX 1.0" = Canon MP Navigator EX 1.0
"SpywareBlaster_is1" = SpywareBlaster 4.2
"Switch" = Switch Sound File Converter
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Treasure Seekers - The Enchanted Canvases1.0" = Treasure Seekers - The Enchanted Canvases
"TVWiz" = Intel® TV Wizard
"WiFiConnector" = Nintendo Wi-Fi USB Connector Registration Tool
"WildTangent hp Master Uninstall" = My HP Games
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent
"Facebook Plug-In" = Facebook Plug-In
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

Attached Files

  • GMER.txt (7.2KB)

#5 Mignonster

    New Member

  • Authentic Member
  • 15 posts

Posted 03 June 2010 - 03:22 PM

OK, NOW WE HAVE MAJOR PROBLEMS.... I basically cannot use my laptop at all whatsoever now. I am currently typing to you on my HP netbook. I was using the laptop as normal and I was googling something when this green shield suddenly popped up in the start tray thing, followed by a pop-up from the green shield saying "Windows security alert... application cannot be executed. The file googletoolbaruser_32.exe (sometimes it displays one saying helppane.exe or other files) is infected. Do you want to activate your antivirus software now?" That is quickly followed by a mid-screen pop-up that states the same thing. Right after all of this happened, Internet Explorer and Firefox both suddenly stopped working properly. Every time I would try to go to a website by typing in the web address, the screen would say "Internet Explorer warning - visiting this web site may harm your computer!" It then has some clickables that, when I hover the mouse over them, all lead to www.antispywareprog.com. As soon as all of this started happening I also noticed that I was then unable to open anything like Control Panel or Malwarebytes; even the Task Manager would not open. Everything starts to open, but then the pane disappears and one of those "security warning" pop-ups pops up. Now it has started to open multiple Internet Explorer browsers with multiple tabs that go to www.porno.com and www.viagra.com. Every time I closed one, another browser pops up with the same tabs, 4 for the porn and 1 for the Viagra. And now the computer just suddenly started popping up the Control Panel's Action Center window, but I am afraid to try to move forward with the "Recovery" possibility because I'm not sure if that window is real or not... PLEASE HELP!!
I have no idea what to do, and all of the things I am listing above are multiplying by the minute; tons of browsers are popping up now and a million of those security alerts are popping up... MY LAPTOP IS ABSOLUTELY USELESS NOW... I cannot open anything or do anything at all whatsoever.

#6 JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 04 June 2010 - 12:48 AM

Hello Mignonster

I was using the laptop as normal

Please do not use the infected machine at all until we get it cleaned, as doing so will only lead to further infection.

I cannot open anything or do anything at all whatsoever

You can use your HP netbook to download the tools we require and transfer them (either by burning them to disk or by using a flash drive) to the infected machine.

If you choose to use a flash drive, we first need to minimise the risk of cross infection between machines. I do not know what operating system you have on your HP Netbook (XP, Vista, Win7 etc).


If your Netbook runs on XP:


  • Please download Flash Disinfector


    • Click here to download Flash Disinfector and save the file (called Flash_Disinfector.exe) to your desktop.
    • Double click on the Flash_Disinfector.exe icon to run the program and follow any prompts that may appear.
    • The program may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so if prompted.
    • Wait until Flash Disinfector has finished scanning and then exit the program.
    • Reboot your computer.


    If your Netbook runs on Vista or Windows 7:

  • AutoRun Eater


    • Download Autorun Eater and save it to your desktop.
    • Plug all of your removable storage devices into the machine (USB sticks etc) and run the tool.


    Now, using your Netbook, please do the following:

  • Download Combofix and RE-NAME it BEFORE saving


    • Download Combofix from either of the links below. You must rename it to mignonster.exe before saving it.
    • Save it to your desktop. Change the "save as file type" to "all files".
    • Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.


    • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".


    Link 1
    Link 2


    Once mignonster.exe (the renamed ComboFix) is located on your Netbook desktop, copy it to the flash drive and transfer it to the desktop of the infected machine.


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


    • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.


    • Double click on the renamed ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt so we can continue cleaning the system.

Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom

#7 JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 04 June 2010 - 01:20 AM

Hello Mignonster

If you are having trouble getting ComboFix to run, please do the following:


Try running exeHelper again (you downloaded it to the infected machine before you encountered your additional problems).

If you are unable to open the copy of exeHelper on the infected machine, please re-download it using your Netbook then copy it onto a flash drive. Plug the flash drive into the infected machine and run exeHelper directly from the drive.


If exeHelper is prevented from running, download rkill using your Netbook and transfer it (all 6 versions) to the infected machine:


  • rkill


  • Please download and run rkill (Courtesy of Bleepingcomputer.com).
  • There are 6 different versions of this tool. If one of them will not run, please try the next one in the list.
  • Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
  • Note: You only need to get one of the tools to run, not all of them.


1. rkill.exe
2. rkill.com
3. rkill.scr
4. rkill.pif
5. WiNlOgOn.exe
6. uSeRiNiT.exe

Once exeHelper or rkill has been run, please try ComboFix again, and post the log created.

#8 Mignonster

    New Member

  • Authentic Member
  • 15 posts

Posted 04 June 2010 - 09:19 PM

ComboFix 10-06-03.01 - remipmc 06/04/2010 21:58:48.3.1 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3003.2134 [GMT -5:00]
Running from: F:\mignonster.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\remipmc\AppData\Local\gxanstrdd
c:\users\remipmc\AppData\Local\gxanstrdd\gcrhgvltssd.exe
c:\users\remipmc\AppData\Roaming\Rhianna Ford and the Letter from Davinci.exe
c:\windows\Ndotia.exe
c:\windows\system32\Temp
c:\windows\system32\Temp\eReader_Install\CustomInstaller.exe
c:\windows\system32\Temp\eReader_Install\eReader.PocketPC_2003_and_2003SE.CAB
c:\windows\system32\Temp\eReader_Install\eReader.PocketPC_2003_and_2003SE.ini
c:\windows\system32\Temp\eReader_Install\eReader.PocketPC_WM5_and_WM6.CAB
c:\windows\system32\Temp\eReader_Install\eReader.PocketPC_WM5_and_WM6.ini
c:\windows\system32\Temp\eReader_Install\reader_2.ico
.
((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))
.
2010-06-05 02:55 . 2010-06-05 02:56 -------- d-----w- C:\32788R22FWJFW
2010-06-05 02:35 . 2010-06-01 00:10 68608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\9iQGMY179.dll
2010-06-02 01:00 . 2010-06-02 01:00 -------- d-----w- c:\users\remipmc\AppData\Roaming\WildTangent
2010-06-01 00:10 . 2010-06-01 00:10 68608 ----a-w- c:\users\remipmc\AppData\Roaming\e2dd7fe4.exe
2010-05-28 00:20 . 2010-05-28 00:20 3310 ----a-r- c:\users\remipmc\AppData\Roaming\Microsoft\Installer\{65F79096-EB6C-47DE-9E1F-099861DC057F}\_6FEFF9B68218417F98F549.exe
2010-05-28 00:20 . 2010-05-28 00:20 3310 ----a-r- c:\users\remipmc\AppData\Roaming\Microsoft\Installer\{65F79096-EB6C-47DE-9E1F-099861DC057F}\_400CBAD3BB63FD73E4A5AE.exe
2010-05-28 00:20 . 2010-05-28 00:20 10134 ----a-r- c:\users\remipmc\AppData\Roaming\Microsoft\Installer\{65F79096-EB6C-47DE-9E1F-099861DC057F}\_3541C7F97B142C89BDCDB8.exe
2010-05-28 00:20 . 2010-05-28 00:20 -------- d-----w- c:\program files\Palm Digital Media
2010-05-27 22:56 . 2010-05-27 22:56 -------- d-----w- c:\users\remipmc\AppData\Local\WinZip
2010-05-27 22:56 . 2010-05-27 22:56 -------- d-----w- c:\programdata\WinZip
2010-05-26 23:08 . 2010-05-19 19:00 501872 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb620.tmp.exe
2010-05-26 02:06 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-25 00:47 . 2010-05-25 00:47 -------- d-----w- c:\users\remipmc\AppData\Local\Geckofx
2010-05-24 03:09 . 2010-05-24 03:09 -------- d-----w- c:\program files\Lost Lagoon - The Trail of Destiny
2010-05-23 06:08 . 2010-05-23 06:10 -------- d-----w- c:\program files\Tiger Eye - Part I - Curse of the Riddle Box
2010-05-21 23:24 . 2010-05-21 23:24 8463808 ----a-w- c:\users\remipmc\AppData\Roaming\Azureus\tmp\AZU6679493721407185697.tmp\Vuze_4.4.0.4_win32.exe
2010-05-21 04:38 . 2010-05-21 04:38 -------- d-----w- c:\program files\AviSynth 2.5
2010-05-21 02:19 . 2010-05-21 02:19 -------- d-----w- c:\users\remipmc\AppData\Roaming\NCH Software
2010-05-21 02:19 . 2007-08-29 20:36 110592 ----a-w- c:\users\remipmc\AppData\Roaming\NCH Software\Components\mp3el\mp3enc.exe
2010-05-20 23:24 . 2010-05-20 23:24 -------- d-----w- c:\programdata\NCH Swift Sound
2010-05-20 23:24 . 2010-05-20 23:24 -------- d-----w- c:\program files\NCH Swift Sound
2010-05-20 23:24 . 2010-05-20 23:24 -------- d-----w- c:\users\remipmc\AppData\Roaming\NCH Swift Sound
2010-05-18 00:19 . 2010-05-18 00:19 -------- d-----w- c:\users\remipmc\AppData\Roaming\Lazy Turtle Games
2010-05-16 23:35 . 2010-05-16 23:39 -------- d-----w- c:\users\remipmc\AppData\Roaming\Magic3
2010-05-16 21:31 . 2010-05-16 21:31 -------- d-----w- c:\users\remipmc\AppData\Local\Oberon Games
2010-05-16 21:27 . 2010-05-16 21:27 -------- d-----w- c:\program files\Eternity
2010-05-16 20:29 . 2010-05-16 20:29 -------- d-----w- c:\users\remipmc\AppData\Roaming\VendelGAMES
2010-05-11 23:00 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-02 23:06 . 2009-11-20 04:11 -------- d-----w- c:\program files\Mozilla Firefox 3.6 Beta 3
2010-06-01 01:10 . 2010-01-18 18:26 -------- d-----w- c:\programdata\NOS
2010-06-01 00:58 . 2009-09-11 05:30 -------- d-----w- c:\users\remipmc\AppData\Roaming\BitTorrent
2010-05-29 04:02 . 2009-09-21 21:16 -------- d-----w- c:\users\remipmc\AppData\Roaming\ERS G-Studio
2010-05-29 00:07 . 2009-07-25 16:23 -------- d-----w- c:\program files\Microsoft
2010-05-24 03:34 . 2009-09-15 21:39 -------- d-----w- c:\programdata\Intenium
2010-05-23 05:57 . 2009-08-11 22:24 -------- d-----w- c:\users\remipmc\AppData\Roaming\SulusGames
2010-05-23 05:57 . 2009-08-11 22:24 -------- d-----w- c:\programdata\SulusGames
2010-05-21 23:25 . 2009-10-29 16:32 -------- d-----w- c:\users\remipmc\AppData\Roaming\Azureus
2010-05-20 22:27 . 2010-05-20 22:27 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2010-05-17 02:16 . 2010-05-01 20:46 -------- d-----w- c:\programdata\Deadtime Stories
2010-05-13 01:24 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-13 01:23 . 2009-04-22 14:57 -------- d-----w- c:\programdata\Microsoft Help
2010-05-12 16:21 . 2009-10-02 16:32 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-02 03:07 . 2009-07-25 05:22 -------- d-----w- c:\users\remipmc\AppData\Roaming\LimeWire
2010-04-30 02:12 . 2009-07-25 05:22 -------- d-----w- c:\program files\LimeWire
2010-04-29 02:57 . 2010-01-29 05:45 50354 ----a-w- c:\users\remipmc\AppData\Roaming\Facebook\uninstall.exe
2010-04-29 02:57 . 2010-01-29 05:45 -------- d-----w- c:\users\remipmc\AppData\Roaming\Facebook
2010-04-26 03:09 . 2010-04-26 03:09 -------- d-----w- c:\programdata\Particles
2010-04-26 03:09 . 2010-04-26 03:09 -------- d-----w- c:\users\remipmc\AppData\Roaming\Specialbit
2010-04-25 21:52 . 2009-10-01 23:21 -------- d-----w- c:\users\remipmc\AppData\Roaming\FlyWheelGames
2010-04-25 19:51 . 2009-09-21 02:57 -------- d-----w- c:\users\remipmc\AppData\Roaming\Merscom
2010-04-25 19:51 . 2009-09-21 02:57 -------- d-----w- c:\programdata\Merscom
2010-04-18 00:58 . 2009-07-30 01:18 -------- d-----w- c:\users\remipmc\AppData\Roaming\PlayFirst
2010-04-18 00:58 . 2009-07-30 01:18 -------- d-----w- c:\programdata\PlayFirst
2010-04-18 00:16 . 2010-04-18 00:16 -------- d-----w- c:\users\remipmc\AppData\Roaming\Top Evidence
2010-04-18 00:16 . 2010-04-18 00:16 -------- d-----w- c:\programdata\Top Evidence
2010-04-16 02:57 . 2010-04-16 02:57 -------- d-----w- c:\users\remipmc\AppData\Roaming\GameMill Entertainment
2010-04-16 02:55 . 2009-09-09 03:41 -------- d-----w- c:\users\remipmc\AppData\Roaming\Artogon
2010-04-15 23:49 . 2010-03-15 04:38 1335048 ----a-w- c:\windows\Help\OEM\scripts\SamsungHDDFW1HC.exe
2010-04-15 22:43 . 2010-04-15 22:43 -------- d-----w- c:\users\remipmc\AppData\Roaming\Boomzap
2010-04-08 21:48 . 2010-04-25 20:59 18184 ----a-w- c:\windows\Help\OEM\scripts\HPHC_BUY_BATTERY.exe
2010-04-08 21:48 . 2010-03-15 04:38 17160 ----a-w- c:\windows\Help\OEM\scripts\HPHCDisableObject.exe
2010-04-06 22:52 . 2010-04-25 20:59 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_Launch.exe
2010-03-26 02:49 . 2010-03-26 02:49 4096 ----a-w- c:\windows\d3dx.dat
2010-03-08 21:33 . 2010-04-13 20:26 427520 ----a-w- c:\windows\system32\vbscript.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-25 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-07-25 122368]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-14 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-14 167424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-14 144384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]

c:\users\remipmc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2006-4-19 1073152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

R0 kjiunfb;kjiunfb;c:\windows\System32\drivers\itvpfbb.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 135664]
R3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\DRIVERS\BthAvrcp.sys [2009-08-13 22528]
R3 csr_a2dp;Bluetooth AV Profile;c:\windows\system32\drivers\bthav.sys [2009-12-21 61952]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-08 1343400]
S1 aswSP;avast! Self Protection; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 MSSQL$DYNAMICSGPEDU;SQL Server (DYNAMICSGPEDU);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 00:16]

2010-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 00:16]

2010-06-05 c:\windows\Tasks\MSWD-e2dd7fe4.job
- c:\users\remipmc\AppData\Roaming\e2dd7fe4.exe [2010-06-01 00:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki...
- c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html Trusted Zone: americanpetspa.com\www FF - ProfilePath - c:\users\remipmc\AppData\Roaming\Mozilla\Firefox\Profiles\x4vqfjcz.default\ FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll FF - plugin: c:\programdata\RealArcade\npraclient.dll FF - plugin: c:\users\remipmc\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll FF - plugin: c:\users\remipmc\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll FF - plugin: c:\users\remipmc\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10); c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", 
false); c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox 3.6 Beta 3\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox 3.6 Beta 3\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox 3.6 Beta 3\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox 3.6 Beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\Mozilla Firefox 3.6 Beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\Mozilla Firefox 3.6 Beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\Mozilla Firefox 3.6 Beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\Mozilla Firefox 3.6 Beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . - - - - ORPHANS REMOVED - - - - WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file) HKCU-Run-xmxktuob - c:\users\remipmc\AppData\Local\gxanstrdd\gcrhgvltssd.exe . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2010-06-04 22:10:43 ComboFix-quarantined-files.txt 2010-06-05 03:10 Pre-Run: 51,716,308,992 bytes free Post-Run: 56,020,156,416 bytes free - - End Of File - - D7682928F5078B09812432C3C54A1714

#9 JonTom

JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 05 June 2010 - 03:44 PM

Hello Mignonster

Thank you for the log.

If you are still having trouble opening programs on the infected machine, use a flash drive to transfer the following script using your Netbook.


  • Please work through the following steps


    • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
    • NOTE: Do not use WordPad or any other text editor except Notepad or the script will fail.
    • Copy and Paste the text in the codebox below (including the link) into the open Notepad window:

      http://forums.whatthetech.com/Need_remove_Trojan_fakealert_t112380.html
      
      Collect::
      c:\windows\System32\drivers\itvpfbb.sys
      c:\windows\Tasks\MSWD-e2dd7fe4.job
      c:\users\remipmc\AppData\Roaming\e2dd7fe4.exe
      c:\windows\system32\Spool\prtprocs\w32x86\9iQGMY179.dll
      
      Driver::
      kjiunfb
      
      DDS::
      uInternet Settings,ProxyServer = http=127.0.0.1:5555
      uInternet Settings,ProxyOverride = <local>
      Trusted Zone: americanpetspa.com\www
    • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
    • Close any open browsers.
    • Disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Referring to the picture below, drag CFScript.txt into ComboFix.exe

      [image: dragging CFScript.txt onto ComboFix.exe]
    • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
    • Once the log is produced, re-engage your resident anti-virus.
    • Note: When ComboFix finishes running, the ComboFix log will open along with a message box - do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.

  • MalwareBytes AntiMalware:


    • I can see that you have MBAM installed.
    • Open MBAM, click on the "Update" tab and then on "Check for Updates".
    • The program will now install the latest Malware definition files.
    • Once complete, click on the "Scanner" tab, select "Perform full scan" and then click on "Scan".
    • Once the program has scanned your computer, a log file will be created in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.


    • If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
    • The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
    • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
    • Come back here to this thread and Paste the log in your next reply.

    Please provide the ComboFix log and the MBAM log in your next reply.

Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom
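As an added example (not code from the thread, from ComboFix, or from the helper), the Python script below applies the reasoning behind the CFScript above to a ComboFix log: it flags the driver whose file could not be read and whose description is just its own name, the scheduled task that launches a binary from the user's roaming profile, the IE proxy pointing at localhost, and the Trusted Zone entry, then drafts the Collect::, Driver:: and DDS:: sections from them. The sample log lines are constructed from entries quoted in the thread; the heuristics and the assumed section layout are the example's own, and the thread link the helper puts at the top of the script is left out.

```python
"""Triage a ComboFix log and draft CFScript sections from the suspicious entries.

Added example, not part of the original thread or of ComboFix. The sample log
lines are constructed from entries quoted in the thread (one entry per line;
the forum copy was flattened). The "what counts as suspicious" rules are this
example's own assumptions, not rules from ComboFix or the helper.
"""
import re

# Constructed excerpt of a ComboFix log: services/drivers, scheduled tasks,
# and the "Supplementary Scan" browser settings.
SAMPLE_LOG = r"""
R0 kjiunfb;kjiunfb;c:\windows\System32\drivers\itvpfbb.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 135664]
S1 aswSP;avast! Self Protection; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
2010-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 00:16]
2010-06-05 c:\windows\Tasks\MSWD-e2dd7fe4.job - c:\users\remipmc\AppData\Roaming\e2dd7fe4.exe [2010-06-01 00:10]
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
Trusted Zone: americanpetspa.com\www
""".strip().splitlines()

# "R0 name;description;path [date size]" or "... [x]" when the file is unreadable.
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) ?(\[[^\]]*\])$")
# "YYYY-MM-DD c:\windows\Tasks\name.job - target [date time]"
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (c:\\windows\\Tasks\\[^ ]+\.job) - (.+?) \[")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")


def triage(lines):
    """Return (collect, drivers, dds, reasons) for the entries worth acting on."""
    collect, drivers, dds, reasons = [], [], [], []
    proxy_flagged = False
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            _, name, desc, path, marker = m.groups()
            # A driver with no description beyond its own name and a file that
            # could not be read ([x]) carries no vendor identity at all.
            if marker == "[x]" and desc == name and path:
                drivers.append(name)
                collect.append(path)
                reasons.append(f"driver {name}: unreadable file, no description")
            continue
        m = TASK_RE.match(line)
        if m:
            job, target = m.groups()
            # Vendor tasks run from Program Files or Windows, not from a
            # user-writable profile directory.
            if "\\appdata\\" in target.lower():
                collect.extend([job, target])
                reasons.append(f"task {job}: runs a binary from the user profile")
            continue
        m = PROXY_RE.match(line)
        if m:
            # A per-user proxy on localhost means something on the box is
            # sitting between the browser and the network.
            if "127.0.0.1" in m.group(1):
                proxy_flagged = True
                dds.append(line)
                reasons.append("IE proxy routed through localhost")
            continue
        if line.startswith("uInternet Settings,ProxyOverride") and proxy_flagged:
            dds.append(line)  # reset together with the proxy it belongs to
            continue
        if line.startswith("Trusted Zone:"):
            dds.append(line)
            reasons.append(f"{line}: site exempt from IE zone restrictions")
    return collect, drivers, dds, reasons


def build_cfscript(lines):
    """Draft the Collect::, Driver:: and DDS:: sections (assumed layout)."""
    collect, drivers, dds, _ = triage(lines)
    sections = []
    if collect:
        sections.append("Collect::\n" + "\n".join(collect))
    if drivers:
        sections.append("Driver::\n" + "\n".join(drivers))
    if dds:
        sections.append("DDS::\n" + "\n".join(dds))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    for reason in triage(SAMPLE_LOG)[3]:
        print("flagged:", reason)
    print(build_cfscript(SAMPLE_LOG))
```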

#10 Mignonster

Mignonster

    New Member

  • Authentic Member
  • Pip
  • 15 posts

Posted 06 June 2010 - 03:27 PM

ComboFix 10-06-06.01 - remipmc 06/06/2010 15:04:26.4.1 - x86 Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3003.2021 [GMT -5:00] Running from: c:\users\remipmc\Desktop\mignonster.exe Command switches used :: c:\users\remipmc\Desktop\CFScript.txt * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\users\remipmc\AppData\Roaming\e2dd7fe4.exe c:\windows\system32\Spool\prtprocs\w32x86\9iQGMY179.dll c:\windows\Tasks\MSWD-e2dd7fe4.job . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_kjiunfb ((((((((((((((((((((((((( Files Created from 2010-05-06 to 2010-06-06 ))))))))))))))))))))))))))))))) . 2010-06-06 20:13 . 2010-06-06 20:13 -------- d-----w- c:\users\Public\AppData\Local\temp 2010-06-06 20:13 . 2010-06-06 20:13 -------- d-----w- c:\users\Mcx1\AppData\Local\temp 2010-06-06 20:13 . 2010-06-06 20:13 -------- d-----w- c:\users\Default\AppData\Local\temp 2010-06-06 20:00 . 2010-06-06 20:00 -------- d-----w- C:\32788R22FWJFW 2010-06-06 19:55 . 2010-06-01 00:10 68608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\55o5o.dll 2010-06-02 01:00 . 2010-06-02 01:00 -------- d-----w- c:\users\remipmc\AppData\Roaming\WildTangent 2010-05-28 00:20 . 2010-05-28 00:20 -------- d-----w- c:\program files\Palm Digital Media 2010-05-27 22:56 . 2010-05-27 22:56 -------- d-----w- c:\users\remipmc\AppData\Local\WinZip 2010-05-27 22:56 . 2010-05-27 22:56 -------- d-----w- c:\programdata\WinZip 2010-05-26 02:06 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll 2010-05-25 00:47 . 2010-05-25 00:47 -------- d-----w- c:\users\remipmc\AppData\Local\Geckofx 2010-05-24 03:09 . 2010-05-24 03:09 -------- d-----w- c:\program files\Lost Lagoon - The Trail of Destiny 2010-05-23 06:08 . 2010-05-23 06:10 -------- d-----w- c:\program files\Tiger Eye - Part I - Curse of the Riddle Box 2010-05-21 04:38 . 
2010-05-21 04:38 -------- d-----w- c:\program files\AviSynth 2.5 2010-05-21 02:19 . 2010-05-21 02:19 -------- d-----w- c:\users\remipmc\AppData\Roaming\NCH Software 2010-05-20 23:24 . 2010-05-20 23:24 -------- d-----w- c:\programdata\NCH Swift Sound 2010-05-20 23:24 . 2010-05-20 23:24 -------- d-----w- c:\program files\NCH Swift Sound 2010-05-20 23:24 . 2010-05-20 23:24 -------- d-----w- c:\users\remipmc\AppData\Roaming\NCH Swift Sound 2010-05-18 00:19 . 2010-05-18 00:19 -------- d-----w- c:\users\remipmc\AppData\Roaming\Lazy Turtle Games 2010-05-16 23:35 . 2010-05-16 23:39 -------- d-----w- c:\users\remipmc\AppData\Roaming\Magic3 2010-05-16 21:31 . 2010-05-16 21:31 -------- d-----w- c:\users\remipmc\AppData\Local\Oberon Games 2010-05-16 21:27 . 2010-05-16 21:27 -------- d-----w- c:\program files\Eternity 2010-05-16 20:29 . 2010-05-16 20:29 -------- d-----w- c:\users\remipmc\AppData\Roaming\VendelGAMES 2010-05-11 23:00 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-06-06 20:14 . 2010-01-30 07:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-06-02 23:06 . 2009-11-20 04:11 -------- d-----w- c:\program files\Mozilla Firefox 3.6 Beta 3 2010-06-01 01:10 . 2010-01-18 18:26 -------- d-----w- c:\programdata\NOS 2010-06-01 00:58 . 2009-09-11 05:30 -------- d-----w- c:\users\remipmc\AppData\Roaming\BitTorrent 2010-05-29 04:02 . 2009-09-21 21:16 -------- d-----w- c:\users\remipmc\AppData\Roaming\ERS G-Studio 2010-05-29 00:07 . 2009-07-25 16:23 -------- d-----w- c:\program files\Microsoft 2010-05-28 00:20 . 2010-05-28 00:20 3310 ----a-r- c:\users\remipmc\AppData\Roaming\Microsoft\Installer\{65F79096-EB6C-47DE-9E1F-099861DC057F}\_6FEFF9B68218417F98F549.exe 2010-05-28 00:20 . 
2010-05-28 00:20 3310 ----a-r- c:\users\remipmc\AppData\Roaming\Microsoft\Installer\{65F79096-EB6C-47DE-9E1F-099861DC057F}\_400CBAD3BB63FD73E4A5AE.exe 2010-05-28 00:20 . 2010-05-28 00:20 10134 ----a-r- c:\users\remipmc\AppData\Roaming\Microsoft\Installer\{65F79096-EB6C-47DE-9E1F-099861DC057F}\_3541C7F97B142C89BDCDB8.exe 2010-05-24 03:34 . 2009-09-15 21:39 -------- d-----w- c:\programdata\Intenium 2010-05-23 05:57 . 2009-08-11 22:24 -------- d-----w- c:\users\remipmc\AppData\Roaming\SulusGames 2010-05-23 05:57 . 2009-08-11 22:24 -------- d-----w- c:\programdata\SulusGames 2010-05-21 23:25 . 2009-10-29 16:32 -------- d-----w- c:\users\remipmc\AppData\Roaming\Azureus 2010-05-21 23:24 . 2010-05-21 23:24 8463808 ----a-w- c:\users\remipmc\AppData\Roaming\Azureus\tmp\AZU6679493721407185697.tmp\Vuze_4.4.0.4_win32.exe 2010-05-20 22:27 . 2010-05-20 22:27 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf 2010-05-19 19:00 . 2010-05-26 23:08 501872 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb620.tmp.exe 2010-05-17 02:16 . 2010-05-01 20:46 -------- d-----w- c:\programdata\Deadtime Stories 2010-05-13 01:24 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail 2010-05-13 01:23 . 2009-04-22 14:57 -------- d-----w- c:\programdata\Microsoft Help 2010-05-12 16:21 . 2009-10-02 16:32 221568 ------w- c:\windows\system32\MpSigStub.exe 2010-05-02 03:07 . 2009-07-25 05:22 -------- d-----w- c:\users\remipmc\AppData\Roaming\LimeWire 2010-04-30 02:12 . 2009-07-25 05:22 -------- d-----w- c:\program files\LimeWire 2010-04-29 20:39 . 2010-01-30 07:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-29 20:39 . 2010-01-30 07:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-29 02:57 . 2010-01-29 05:45 50354 ----a-w- c:\users\remipmc\AppData\Roaming\Facebook\uninstall.exe 2010-04-29 02:57 . 2010-01-29 05:45 -------- d-----w- c:\users\remipmc\AppData\Roaming\Facebook 2010-04-26 03:09 . 
2010-04-26 03:09 -------- d-----w- c:\programdata\Particles 2010-04-26 03:09 . 2010-04-26 03:09 -------- d-----w- c:\users\remipmc\AppData\Roaming\Specialbit 2010-04-25 21:52 . 2009-10-01 23:21 -------- d-----w- c:\users\remipmc\AppData\Roaming\FlyWheelGames 2010-04-25 19:51 . 2009-09-21 02:57 -------- d-----w- c:\users\remipmc\AppData\Roaming\Merscom 2010-04-25 19:51 . 2009-09-21 02:57 -------- d-----w- c:\programdata\Merscom 2010-04-18 00:58 . 2009-07-30 01:18 -------- d-----w- c:\users\remipmc\AppData\Roaming\PlayFirst 2010-04-18 00:58 . 2009-07-30 01:18 -------- d-----w- c:\programdata\PlayFirst 2010-04-18 00:16 . 2010-04-18 00:16 -------- d-----w- c:\users\remipmc\AppData\Roaming\Top Evidence 2010-04-18 00:16 . 2010-04-18 00:16 -------- d-----w- c:\programdata\Top Evidence 2010-04-16 02:57 . 2010-04-16 02:57 -------- d-----w- c:\users\remipmc\AppData\Roaming\GameMill Entertainment 2010-04-16 02:55 . 2009-09-09 03:41 -------- d-----w- c:\users\remipmc\AppData\Roaming\Artogon 2010-04-15 23:49 . 2010-03-15 04:38 1335048 ----a-w- c:\windows\Help\OEM\scripts\SamsungHDDFW1HC.exe 2010-04-15 22:43 . 2010-04-15 22:43 -------- d-----w- c:\users\remipmc\AppData\Roaming\Boomzap 2010-04-08 21:48 . 2010-04-25 20:59 18184 ----a-w- c:\windows\Help\OEM\scripts\HPHC_BUY_BATTERY.exe 2010-04-08 21:48 . 2010-03-15 04:38 17160 ----a-w- c:\windows\Help\OEM\scripts\HPHCDisableObject.exe 2010-04-06 22:52 . 2010-04-25 20:59 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_Launch.exe 2010-03-26 02:49 . 2010-03-26 02:49 4096 ----a-w- c:\windows\d3dx.dat 2010-03-08 21:33 . 2010-04-13 20:26 427520 ----a-w- c:\windows\system32\vbscript.dll 2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat 2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe . 
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384] "HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080] "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-25 39408] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896] "Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-07-25 122368] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072] "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008] "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840] "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752] "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032] "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696] "UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216] "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216] "UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216] "UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 
210216] "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-14 135168] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-14 167424] "Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-14 144384] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504] "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952] c:\users\remipmc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2006-4-19 1073152] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 135664] R3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\DRIVERS\BthAvrcp.sys [2009-08-13 22528] R3 csr_a2dp;Bluetooth AV Profile;c:\windows\system32\drivers\bthav.sys [2009-12-21 61952] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-08 1343400] S1 aswSP;avast! 
Self Protection; [x] S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128] S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560] S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328] S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992] S2 MSSQL$DYNAMICSGPEDU;SQL Server (DYNAMICSGPEDU);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680] S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952] S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840] S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HsfXAudioService REG_MULTI_SZ HsfXAudioService WindowsMobile REG_MULTI_SZ wcescomm rapimgr LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr . Contents of the 'Scheduled Tasks' folder 2010-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 00:16] 2010-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 00:16] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000 IE: Google Sidewiki... 
- c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html FF - ProfilePath - c:\users\remipmc\AppData\Roaming\Mozilla\Firefox\Profiles\x4vqfjcz.default\ FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll FF - plugin: c:\programdata\RealArcade\npraclient.dll FF - plugin: c:\users\remipmc\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll FF - plugin: c:\users\remipmc\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll FF - plugin: c:\users\remipmc\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\all.js - pref("network.proxy.type", 5); 
c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10); c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox 3.6 Beta 3\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox 3.6 Beta 3\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox 3.6 Beta 3\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox 3.6 Beta 3\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox 3.6 Beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\Mozilla Firefox 3.6 Beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\Mozilla Firefox 3.6 Beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\Mozilla Firefox 3.6 Beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\Mozilla Firefox 3.6 Beta 3\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Other Running Processes ------------------------ . c:\program files\Alwil Software\Avast4\aswUpdSv.exe c:\program files\Alwil Software\Avast4\ashServ.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\CyberLink\Shared files\RichVideo.exe c:\windows\system32\taskhost.exe c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe c:\program files\Alwil Software\Avast4\ashWebSv.exe c:\program files\Alwil Software\Avast4\ashMaiSv.exe c:\windows\servicing\TrustedInstaller.exe c:\windows\system32\conhost.exe c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe c:\program files\Alwil Software\Avast4\ashDisp.exe c:\windows\system32\igfxsrvc.exe c:\program files\Synaptics\SynTP\SynTPHelper.exe c:\windows\ehome\ehmsas.exe c:\program files\Hewlett-Packard\Shared\HpqToaster.exe c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe c:\windows\system32\sppsvc.exe c:\windows\system32\vssvc.exe . ************************************************************************** . 
Completion time: 2010-06-06 15:22:36 - machine was rebooted ComboFix-quarantined-files.txt 2010-06-06 20:22 ComboFix2.txt 2010-06-05 03:10 Pre-Run: 55,855,628,288 bytes free Post-Run: 56,002,756,608 bytes free - - End Of File - - FF380CCE787CD4E934D24870D72D9538 Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4052 Windows 6.1.7600 Internet Explorer 8.0.7600.16385 6/6/2010 4:24:34 PM mbam-log-2010-06-06 (16-24-34).txt Scan type: Full scan (C:\|D:\|) Objects scanned: 286925 Time elapsed: 57 minute(s), 44 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 1 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Your PC Protector (Rogue.YourPCProtector) -> Quarantined and deleted successfully. Files Infected: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Your PC Protector\Your PC Protector.lnk (Rogue.YourPCProtector) -> Quarantined and deleted successfully. C:\Windows\System32\config\systemprofile\Desktop\Your PC Protector.lnk (Rogue.YourPCProtector) -> Quarantined and deleted successfully.



#11 JonTom

JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 07 June 2010 - 10:56 AM

Hello Mignonster

Thank you for the logs.

  • Please run the following command


  • Hold down the "Windows" key (has the Windows symbol printed on it), and then press the "R" key.
  • A Run box will open.
  • Copy the text in the quote box below and paste it into the Run box.

C:\Qoobox\ComboFix-quarantined-files.txt



  • Click on "OK".
  • A log report should open.
  • Please post the contents of the log in your next reply.

Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom

#12 Mignonster

Mignonster

    New Member

  • Authentic Member
  • Pip
  • 15 posts

Posted 07 June 2010 - 04:36 PM

2010-06-06 20:11:41 . 2010-06-06 20:11:41 1,030 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_kjiunfb.reg.dat
2010-06-06 20:04:09 . 2010-06-06 20:04:12 668 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2010-06-05 03:09:17 . 2010-06-05 03:09:17 156 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-xmxktuob.reg.dat
2010-06-05 03:09:15 . 2010-06-05 03:09:15 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}.reg.dat
2010-06-05 03:04:37 . 2010-06-06 20:11:16 11,944 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-06-05 02:56:47 . 2010-06-06 20:04:09 124 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-06-05 02:35:28 . 2010-06-01 00:10:56 68,608 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\spool\prtprocs\w32x86\9iQGMY179.dll.vir
2010-06-03 18:42:12 . 2010-06-03 18:41:48 282,144 ----a-w- C:\Qoobox\Quarantine\C\Users\remipmc\AppData\Local\gxanstrdd\gcrhgvltssd.exe.vir
2010-06-01 00:11:09 . 2010-06-01 00:10:57 193,536 ----a-w- C:\Qoobox\Quarantine\C\Windows\Ndotia.exe.vir
2010-06-01 00:10:56 . 2010-06-06 19:55:30 250 ----a-w- C:\Qoobox\Quarantine\C\Windows\Tasks\MSWD-e2dd7fe4.job.vir
2010-06-01 00:10:56 . 2010-06-01 00:10:56 68,608 ----a-w- C:\Qoobox\Quarantine\C\Users\remipmc\AppData\Roaming\e2dd7fe4.exe.vir
2010-01-18 15:37:46 . 2010-01-18 15:37:46 191,837,285 ----a-w- C:\Qoobox\Quarantine\C\Users\remipmc\AppData\Roaming\Rhianna Ford and the Letter from Davinci.exe.vir
2007-10-17 19:47:34 . 2007-10-17 19:47:34 1,603,814 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\Temp\eReader_Install\eReader.PocketPC_WM5_and_WM6.CAB.vir
2007-10-17 19:44:26 . 2007-10-17 19:44:26 1,597,158 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\Temp\eReader_Install\eReader.PocketPC_2003_and_2003SE.CAB.vir
2007-10-11 18:28:22 . 2007-10-11 18:28:22 65,536 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\Temp\eReader_Install\CustomInstaller.exe.vir
2007-10-11 17:23:48 . 2007-10-11 17:23:48 147 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\Temp\eReader_Install\eReader.PocketPC_2003_and_2003SE.ini.vir
2007-10-11 17:23:46 . 2007-10-11 17:23:46 143 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\Temp\eReader_Install\eReader.PocketPC_WM5_and_WM6.ini.vir
2007-10-11 17:23:46 . 2007-10-11 17:23:46 3,310 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\Temp\eReader_Install\reader_2.ico.vir

#13 JonTom

JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 08 June 2010 - 12:30 AM

Hello Mignonster

Thank you for the information.

We are making progress but we still have work to do. Please work your way through the following steps:


  • Please submit the following files for analysis


  • The CFScript I asked you to run was designed to upload the malware files on your system for analysis. Unfortunately the upload failed so I would like you to upload these files manually. Please do the following:
  • Open Notepad (Click on "Windows Orb" and type "notepad" (without quotations) into the Search Box, then select Notepad from the Programs menu).
  • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
  • Copy and Paste the text in the code box below into the open Notepad window:

@echo off
for %%g in (
C:\Qoobox\Quarantine\C\Windows\Tasks\MSWD-e2dd7fe4.job.vir
C:\Qoobox\Quarantine\C\Windows\System32\spool\prtprocs\w32x86\9iQGMY179.dll.vir
C:\Qoobox\Quarantine\C\Users\remipmc\AppData\Roaming\e2dd7fe4.exe.vir
c:\windows\system32\Spool\prtprocs\w32x86\55o5o.dll
) do zip Files_for_submission %%g
del %0

  • Save this as grab.bat
  • Choose to "Save type as - All Files".
  • Save it on your desktop.

  • It should look like this: [image not available]

  • Double click on grab.bat and allow it to run.
  • A file called "Files_for_submission.zip" will be created on your desktop.
  • To upload this file for analysis, click on the link provided here ===> http://www.bleepingc...e.php?channel=4
  • Click the "Browse" button and navigate to the "Files_for_submission.zip" file on your desktop.
  • Select this file and click "Open".
  • In the Largest box please put:

File Requested By JonTom
Failed Collect::

  • Finally click "SendFile".

Please let me know if the file submission was successful.

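The quarantine listing in post #12 and the grab.bat collection step above are the two halves of one workflow: pick out the quarantined samples and package them for an analyst. The following is an added example, not JonTom's script or anything from the thread: it parses lines in the ComboFix-quarantined-files.txt layout (quarantine time, original modification time, size, attributes, path), keeps the .vir entries, zips the ones that actually exist, and writes a SHA-256 manifest so the receiving analyst can verify what arrived. Files that are missing (the case JonTom asks the user to report) are returned separately instead of silently skipped. The sample listing and file contents are constructed for the demo; the paths are mapped into a temporary directory because the Windows quarantine folder is not available here.

```python
"""Package quarantined samples for analyst submission (added example)."""
import hashlib
import os
import re
import tempfile
import zipfile

# One listing line: "<quarantine time> . <original mtime> <size> <attrs> <path>"
LISTING_RE = re.compile(
    r"^(?P<qtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. "
    r"(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Constructed sample in the ComboFix-quarantined-files.txt layout (three lines
# modelled on the thread; the third is a registry backup, not a sample).
SAMPLE_LISTING = """\
2010-06-01 00:10:56 . 2010-06-06 19:55:30 250 ----a-w- C:\\Qoobox\\Quarantine\\C\\Windows\\Tasks\\MSWD-e2dd7fe4.job.vir
2010-06-01 00:10:56 . 2010-06-01 00:10:56 68,608 ----a-w- C:\\Qoobox\\Quarantine\\C\\Users\\remipmc\\AppData\\Roaming\\e2dd7fe4.exe.vir
2010-06-05 03:09:17 . 2010-06-05 03:09:17 156 ----a-w- C:\\Qoobox\\Quarantine\\Registry_backups\\HKCU-Run-xmxktuob.reg.dat
"""


def parse_listing(text):
    """Return one dict per well-formed listing line; malformed lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "quarantined": m.group("qtime"),
            "mtime": m.group("mtime"),
            "size": int(m.group("size").replace(",", "")),  # "68,608" -> 68608
            "path": m.group("path"),
        })
    return entries


def sha256_file(path):
    """Stream the file through SHA-256 so large samples do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def package_samples(paths, zip_path):
    """Zip every path that exists and return (manifest, missing).

    manifest: list of dicts with path, sha256, size and the name used inside the zip.
    missing:  paths that were not present on disk, for the user to report back.
    """
    manifest, missing = [], []
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in paths:
            if not os.path.isfile(p):
                missing.append(p)
                continue
            digest = sha256_file(p)
            # Prefix with the hash so two samples sharing a basename cannot collide.
            arcname = f"{digest[:12]}_{os.path.basename(p)}"
            zf.write(p, arcname)
            manifest.append({"path": p, "sha256": digest,
                             "size": os.path.getsize(p), "arcname": arcname})
        zf.writestr("MANIFEST.txt", "".join(
            f"{m['sha256']}  {m['size']}  {m['path']}\n" for m in manifest))
    return manifest, missing


def demo():
    """End-to-end run on constructed data in a temporary directory."""
    tmp = tempfile.mkdtemp()
    entries = parse_listing(SAMPLE_LISTING)
    samples = [e for e in entries if e["path"].lower().endswith(".vir")]
    # Map each listed Windows path onto a local stand-in file for the demo.
    local = [os.path.join(tmp, e["path"].replace("\\", "/").split("/")[-1]) for e in samples]
    with open(local[0], "wb") as f:  # only the first sample is made to exist
        f.write(b"constructed stand-in for MSWD-e2dd7fe4.job.vir\n")
    zip_path = os.path.join(tmp, "Files_for_submission.zip")
    manifest, missing = package_samples(local, zip_path)
    with zipfile.ZipFile(zip_path) as zf:
        names = zf.namelist()
    return {"entries": len(entries), "samples": len(samples),
            "manifest": manifest, "missing": missing, "zip_names": names}


if __name__ == "__main__":
    result = demo()
    for m in result["manifest"]:
        print("packaged", m["arcname"], m["sha256"])
    for p in result["missing"]:
        print("missing ", p)
```

Run it as-is to see the demo; to use it on a real listing, feed the text of ComboFix-quarantined-files.txt to parse_listing and the resulting paths to package_samples. The manifest inside the zip is what lets the analyst confirm nothing was altered in transit, and the missing list is the answer to "if the file is not present on your system, please let me know".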

#14 Mignonster

Mignonster

    New Member

  • Authentic Member
  • Pip
  • 15 posts

Posted 08 June 2010 - 05:03 PM

The file was submitted successfully

#15 JonTom

JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 09 June 2010 - 11:04 AM

Hello Mignonster

The file was submitted successfully

Thanks for letting me know.

Please work your way through the following steps:

  • Please delete the following file

  • Navigate to and delete the following file in bold.
  • Note: If the file is not present on your system, please let me know in your reply, but continue with the remaining instructions.


c:\windows\system32\Spool\prtprocs\w32x86\55o5o.dll <==== delete this file


  • Empty your recycle bin.




  • grab.bat


    • You no longer need the grab.bat file, please delete it from your system.


  • P2P Programs:

    • P2P programs are a major source of Malware infections.
    • From your log I see you have Limewire, BitTorrent and Azureus. We do not pass judgment on file-sharing, however we must inform you that engaging in this activity and having this kind of software installed on your system will always make you more susceptible to Malware infections.
    • The use of P2P programs may be contributing to your current situation, and you would certainly be doing yourself a favour by removing them.
    • If you wish to keep the program(s), please do not use them until your computer is cleaned.
    • Information regarding the risk of using these programs can be found from here and here.
    • It is strongly recommended that you uninstall any P2P programs you have on your system.
    • To do this, Click on the "Windows Orb" (bottom left hand corner of your screen), then on "Computer" and then on the "Uninstall or Change a Program" tab.
    • A list of currently installed programs will be displayed.
    • Find the Limewire, BitTorrent and Azureus programs, click on them once and then click on the "Uninstall" button.
    • If you are prompted to re-boot your computer to complete the uninstall please do so.


      PLEASE NOTE:
    • Even if you are using a P2P program that is deemed safe, it is only the program that is safe. Any files that you receive using a "safe" P2P program may be infected with Malware. The malware writers use P2P file-sharing as a major conduit to spread infected files.

  • Please update your Java


    • Click on "Windows Orb" (bottom left hand corner of your screen), then on "Computer" and then on the "Uninstall or Change a Program" tab.
    • Uninstall any previous versions of Java that you find.
    • Reboot your computer.
    • Next, download the latest version of Java by clicking here
    • Click on "Windows 7/XP/Vista/2000/2003/2008 Online".
    • Save the file to your desktop (do not run it just yet).
    • Once it has saved, double click on the saved file to start the installation process.
    • Click the Install button to accept the license terms and to continue with the installation.
    • The installer may present you with an option to install additional programs when you install Java. I suggest you decline these additional programs (unless you really want them).
    • Follow any prompts you receive and click "Close" to complete the installation.

  • Please perform the following scan:

    • This is a very deep scan that can take many hours. In some instances you may need to let it run overnight. Please be patient.

    • It is recommended that you disable your onboard antivirus program and antispyware programs while performing scans to eliminate software conflicts and to speed up scan time.
    • DO NOT surf the net while your resident protection is disabled!
    • Once the scan is finished remember to re-enable your resident antivirus protection along with whatever antispyware applications you use.

    • NOTES:
    • Before performing this online scan you must open your Internet Browser as Administrator. To do this, Right Click on your Internet Browser icon and select "Run as Administrator".
    • Once the scan is complete and you have saved the log produced, close your browser.
    • For all other browsing, open your browser by left clicking in the normal way.


    • Please perform a Kaspersky Online Scan of your computer by clicking here or here.


    • Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run (at times it may appear to stall).
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

    • Once the scan is complete, click on View scan report. To obtain the report:
    • Click on: Save Report As
    • Next, in the Save as prompt, Save in area, select: Desktop
    • In the File name area, use KScan, or something similar.
    • In Save as type, click the drop arrow and select: Text file [*.txt]
    • Then, click: Save
    • Please post the Kaspersky Online Scanner Report in your reply.
    • If you need help performing the above steps, an animated tutorial can be found here.

    Please provide the Kaspersky Online Scan log in your next reply.

    Also, please describe how your machine is behaving now. Are you still experiencing problems?
