MalwareCrypt
Author Topic: Windows Vista Recovery Malware
Musicallyhopeless
« on: May 28, 2011, 03:18:09 PM »

This is the log I created using hijackthis.exe. If the problem cannot be found here, I can re-scan using your instructions that I found in the posts. Thank you for your assistance.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:56:58 PM, on 5/28/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\Volume Panel\VolPanlu.exe
C:\Windows\System32\Ctxfihlp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
c:\program files\avira\antivir desktop\avgnt.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\ehome\ehshell.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe
C:\Users\MXR\Downloads\HijackThis.exe
C:\Windows\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
O3 - Toolbar: (no name) - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min /nosplash
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL2 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL2 (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Palo Alto Software Update Manager 9.0.lnk = C:\Program Files\Common Files\Palo Alto Software\9.0\PAS9_Update.exe
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Download with Xilisoft Download YouTube Video - C:\Program Files\Xilisoft\Download YouTube Video\upod_link.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8118 bytes
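An added example, not part of the original post and not HijackThis's own code: a small reviewer's triage script that reads HJT log lines and flags the entries a human would eyeball first (components whose file is gone, services with no publisher name, Run keys that name a bare executable resolved through the PATH search order, and binaries in user-writable locations). The sample lines are copied from the log above. The flags are review items, not a malware verdict; here every hit traces to Creative, Google, Protexis or an orphaned toolbar entry, which is consistent with the admin's reading of the log.

```python
"""Review heuristics for a Trend Micro HijackThis v2 log.

Added example: not part of the original post and not HijackThis's own code.
The sample lines are copied from the log posted above; the rules are generic
review heuristics that point a human at lines worth a second look. They are
not a malware verdict.
"""
import re

# Constructed sample: a subset of lines copied verbatim from the posted log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min /nosplash
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKUS\S-1-5-18\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL2 (User 'SYSTEM')
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
"""

# Every HJT finding line starts with a section code (R0, O2, O23 ...) and " - ".
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O4 body: <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^(?P<hive>.*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Locations an unprivileged user can write to; persistence there deserves a look.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData|Documents and Settings)\\", re.I)


def parse(log):
    """Return [(section_code, body)] for every HJT finding line in the log."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["kind"], m["body"]))
    return entries


def executable_of(cmd):
    """First token of a Run-key command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log):
    """Return [(section_code, reason, body)] for lines a reviewer should eyeball."""
    findings = []
    for kind, body in parse(log):
        # A registered component whose file no longer exists: leftover or removed payload.
        if "(no file)" in body or "(file missing)" in body:
            findings.append((kind, "dangling reference", body))
        # HJT prints "Unknown owner" when the service binary carries no company name.
        if kind == "O23" and "Unknown owner" in body:
            findings.append((kind, "service with no publisher name", body))
        # A bare file name in a Run key is resolved via the PATH search order,
        # so a same-named file earlier on the PATH would run instead.
        if kind == "O4":
            m = O4_RE.match(body)
            if m and "\\" not in executable_of(m["cmd"]):
                findings.append((kind, "unqualified executable in Run key", body))
        if USER_WRITABLE.search(body):
            findings.append((kind, "binary in user-writable location", body))
    return findings


if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"{kind:<4} {reason:<36} {body}")
```

Run on the sample it reports six review items: the orphaned O3 toolbar, the gusvc service (file missing and no owner), ProtexisLicensing (no owner), and the two Creative Run entries that name CTXFIHLP.EXE / CTXFIREG.exe without a path. Nothing in the sample lives under a user profile.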
Jintan
Administrator
« Reply #1 on: May 28, 2011, 05:07:33 PM »

Welcome to Malware Crypt, Musicallyhopeless,

Out of curiosity, what brought you to the Malware Crypt forums? I would like to know, to encourage others to get the free help here (which I like to do).

I don't see any malware in this log. What problems are you having that you sense are malware related? Post back on that, and let's get a more detailed look at things.


The system is Vista, so when running any of the scan files we use, be sure to right click the file, then select "Run as administrator" to start the scan/tool.

And to make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".



To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

------------------

Click here and download OldTimer's OTL to your desktop, then click that to open the scan display. At the top click "Scan All Users", then click "Run Scan". Make no other changes at this time.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are also saved in the same location as OTL.exe. Post the contents of those back here please.

-----------

Click here and download the installer for Gmer to your desktop, then click that file to run Gmer.


Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan). 

When completed, click on the Copy button and rightclick on your Desktop, choose "New" > Text document.  Once the file is created, open it and rightclick again and choose Paste.  Copy the information and post it here please.

Note - If Gmer shows it has located infection once its opening scan completes, do not click the Scan button. We don't want hidden malware settings to cause any problems. Instead, just click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please.

-----------

Download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.
Jintan
Administrator
« Reply #2 on: May 28, 2011, 05:09:14 PM »

Mozilla Firefox 4.0 Beta 10

Betas are really just that: experimental, and so can bring on unexpected issues with them. You may want to uninstall this beta version and reinstall the stable Firefox 4.0 (I believe that is the latest).
Musicallyhopeless
« Reply #3 on: May 28, 2011, 05:57:27 PM »

Thank you for the quick response, Jintan. I wish I could remember the exact sequence that got me to the forum but I do not. I think it was through bleepingcomputer.com

Well, I ran the restore function from my Vista install disc because the fake malware software was too insidious to get rid of. This restored my desktop and system to normality. The lingering problem is that I think I am being redirected when I do Google searches. I must still have the Google redirect problem, but I did find your site after a search on the term "Windows Vista Recovery Virus".

I'll follow your instructions after I hear back from you in case something changes.

Musicallyhopeless
« Reply #4 on: May 28, 2011, 06:13:30 PM »

I went ahead and did the scans.  Here's the Extras.txt

OTL Extras logfile created on: 5/28/2011 6:05:21 PM - Run 1
OTL by OldTimer - Version 3.2.23.0     Folder = C:\Users\MXR\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 0.99 Gb Available Physical Memory | 49.44% Memory free
4.24 Gb Paging File | 3.06 Gb Available in Paging File | 72.34% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 279.48 Gb Total Space | 117.39 Gb Free Space | 42.00% Space Free | Partition Type: NTFS
Drive H: | 300.00 Gb Total Space | 106.36 Gb Free Space | 35.45% Space Free | Partition Type: NTFS
 
Computer Name: MXR-PC | User Name: MXR | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02ACE8C9-8E20-49ED-B0DC-DDD8ACC3611B}" = lport=443 | protocol=6 | dir=in | name=forex2 |
"{2A86F0B9-3006-4EB5-AF6B-EFF1C65E84DE}" = rport=445 | protocol=6 | dir=out | app=system |
"{35DCBF5D-BC02-45DC-B540-750C36D67320}" = lport=445 | protocol=6 | dir=in | app=system |
"{3A69D75B-3CFD-4BEA-A8FD-5F8FCD07CB4B}" = lport=80 | protocol=6 | dir=in | name=forex1 |
"{4759904D-3D65-413C-B7F3-AC3E42CA5882}" = lport=3020 | protocol=6 | dir=in | name=forex4 |
"{50ADCCFC-624D-4F97-A8C2-B056E2DDE5CE}" = lport=49161 | protocol=6 | dir=in | name=akamai netsession interface |
"{5C5C6B46-1D09-4878-AEA2-51EA054F5BCC}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{5CB92708-60CF-4BC9-926E-E238363C6548}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{5EEA49FC-D638-4635-B63D-7D039F696C2F}" = lport=49162 | protocol=6 | dir=in | name=akamai netsession interface |
"{6380A8A0-ED13-4CA2-B2B5-15B60B8303A5}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{7571B825-074D-45A1-B4A7-155A0EC61F16}" = rport=139 | protocol=6 | dir=out | app=system |
"{785D29A2-180E-48FE-B32A-AF9E8A0D06F3}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{847A7C3E-353F-4B81-ADB4-122C2D3CCDBB}" = lport=1000 | protocol=6 | dir=in | name=forex3 |
"{84B65005-978A-42F5-A92D-155E41AF523A}" = lport=5000 | protocol=17 | dir=in | name=akamai netsession interface |
"{8E9DF257-E273-4D57-AA56-114F244EC94E}" = lport=138 | protocol=17 | dir=in | app=system |
"{933B6874-E08B-4BCC-AB73-FDC1173A646B}" = lport=139 | protocol=6 | dir=in | app=system |
"{9CC91E76-8AF8-43B2-8B3B-707C4158C705}" = rport=138 | protocol=17 | dir=out | app=system |
"{A133E354-B637-405C-887F-A5E007D52016}" = lport=5000 | protocol=17 | dir=in | name=akamai netsession interface |
"{A183E654-093D-41E2-8D5C-5D745AF26CB2}" = rport=137 | protocol=17 | dir=out | app=system |
"{B5C332FC-D564-41DA-B0BF-3EE30D7234F2}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{D033A727-BA48-4C69-AAF7-8361D985E837}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{D923ED4B-7917-4333-AE32-E24476D700E4}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{DA5C6D43-2A04-44BB-91C5-D87705AF8B1F}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{E1D0078A-2B62-48C5-8A5F-43123314EBCB}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{F5E410A8-E985-40A8-9861-DCED0711373C}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{FAB7BA9A-746C-4729-9C73-857F9987D3D2}" = lport=137 | protocol=17 | dir=in | app=system |
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{131D1C8D-E653-4D6C-90AB-E6554EB61177}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{39FB7B33-E496-437C-8F4E-0201A1432C8E}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{5ED454A8-B5B5-460F-86C1-35EDE85AFF6A}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{71712498-ADA6-407E-B5E9-7E360AF8603A}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{8E8BA75F-1647-4E5F-9448-A945C3C15530}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{919FFB47-EB61-4F4E-BDFE-846EFB965AC6}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{AC19BE9D-4E13-4A3E-B678-B70E9428DFE3}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{B239804D-F435-4809-969D-EB89150846DB}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{BF0CB770-616A-4003-A906-6D92D67FAFD2}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{C09EBC07-AD9D-48B2-BBFE-7FBA47F1D40A}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{D0087B57-2A0E-484A-A64D-44B35AFFC432}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{DFD94022-BEAC-4952-AAC9-78C42E533595}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{FD12A244-47AF-4424-B7DD-18DA87D0B5BD}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"TCP Query User{16898C3E-F0EF-455A-9A3F-80604CF387E0}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{18AEEA20-C137-407B-AEDA-5D9EDBD1097F}C:\program files\participatory culture foundation\miro\miro_downloader.exe" = protocol=6 | dir=in | app=c:\program files\participatory culture foundation\miro\miro_downloader.exe |
"TCP Query User{29FEC7CC-3C10-45F4-A78A-3361E4B6084F}C:\program files\winamp\winamp.exe" = protocol=6 | dir=in | app=c:\program files\winamp\winamp.exe |
"TCP Query User{6AF9D0C9-20CD-4C75-B069-67F56FFBE423}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"TCP Query User{AB406E09-1F27-4079-BD0E-7B415A792995}C:\program files\participatory culture foundation\miro\xulrunner\python\miro_downloader.exe" = protocol=6 | dir=in | app=c:\program files\participatory culture foundation\miro\xulrunner\python\miro_downloader.exe |
"TCP Query User{F05798BB-D289-41B9-9CE2-8E51EE1C7DA8}C:\program files\participatory culture foundation\miro\miro_downloader.exe" = protocol=6 | dir=in | app=c:\program files\participatory culture foundation\miro\miro_downloader.exe |
"TCP Query User{F1D81A89-E2B1-47C9-9F07-3CF9D1D09F85}C:\program files\mozilla firefox 4.0 beta 10\plugin-container.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox 4.0 beta 10\plugin-container.exe |
"UDP Query User{1F926D58-FC5A-420E-9BFB-955263BC0024}C:\program files\participatory culture foundation\miro\xulrunner\python\miro_downloader.exe" = protocol=17 | dir=in | app=c:\program files\participatory culture foundation\miro\xulrunner\python\miro_downloader.exe |
"UDP Query User{2B5AE7E5-CFB6-4FC1-A957-80BC9BA6F10C}C:\program files\winamp\winamp.exe" = protocol=17 | dir=in | app=c:\program files\winamp\winamp.exe |
"UDP Query User{3A83BDA1-CA7B-4128-A9E9-13296585CBF2}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"UDP Query User{3E8FEE34-C17F-4B47-9DE8-EBDC0A14260E}C:\program files\participatory culture foundation\miro\miro_downloader.exe" = protocol=17 | dir=in | app=c:\program files\participatory culture foundation\miro\miro_downloader.exe |
"UDP Query User{49D83BBD-463C-4C38-8366-07D827247B16}C:\program files\participatory culture foundation\miro\miro_downloader.exe" = protocol=17 | dir=in | app=c:\program files\participatory culture foundation\miro\miro_downloader.exe |
"UDP Query User{A8FDFAD6-C70C-4688-BE77-66B62314409D}C:\program files\mozilla firefox 4.0 beta 10\plugin-container.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox 4.0 beta 10\plugin-container.exe |
"UDP Query User{CB3542EB-AF40-4BA2-A239-DEF58D54020C}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{20585CDC-114E-4372-986A-0686B1A37A30}" = Business Plan Pro 2007
"{2227E1FA-01F5-483C-AB0E-2A308E900B3D}" = InterVideo FilterSDK for Hauppauge
"{2956585F-DB2F-45C2-9363-F8CB0BB4F2A7}" = Sony ACID Pro 6.0
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{3B45D262-3BEE-477F-8652-EC24950D3F65}" = Adobe Director 11
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{58762801-BA53-42B3-890B-C6B9CC8CFE26}" = QuickConnect
"{5A0C892E-FD1C-4203-941E-0956AED20A6A}" = APC PowerChute Personal Edition
"{64E72FB1-2343-4977-B4A8-262CD53D0BD3}" = Corel Paint Shop Pro Photo X2
"{67A339E5-D8AA-4E88-9278-A571B397F798}" = Babylon Toolbar
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6CDE6C4F-6FD7-4F24-A116-F0D173432FFC}" = Adobe Setup
"{7148F0A8-6813-11D6-A77B-00B0D0142130}" = Java 2 Runtime Environment, SE v1.4.2_13
"{7216871F-869E-437C-B9BF-2A13F2DCE63F}_is1" = Auslogics BoostSpeed
"{76C24F39-B161-498F-BD8B-C64789812D13}_is1" = ConvertXtoDVD 3.0.0.9
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{9692FD03-6662-4E62-B08C-30DFF51651E1}" = Actiontec Gateway
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9F6CFB0-806D-11E0-8EA1-B8AC6F97B88E}" = Google Earth Plug-in
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{C2C2101F-0538-4548-B5AF-39E0D3B3CB50}" = Adobe Lightroom 2 Beta
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D627784F-B3EE-44E8-96B1-9509B991EA34}_is1" = AusLogics Registry Defrag
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = AusLogics Disk Defrag
"{E5343B27-55DF-40BD-9FCF-A643C1331E8A}" = Acronis True Image Home
"{F4A4E6B2-D45F-4EB1-8C3A-6EB8D45A31C9}" = ClientTools
"{F9FD80CE-0448-4D4F-8BCD-77FC514C3F99}" = Vista Codec Package
"{FB4F9000-04FC-11E0-85D2-001AA037B01E}" = Google Earth Plug-in
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_2755fefb5e3352ee2921713793bdbf8" = Adobe Director 11
"Akamai" = Akamai NetSession Interface
"AudioCS" = Creative Audio Control Panel
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner
"Console Launcher" = Creative Console Launcher
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"Creative Sound Blaster Properties" = Creative Sound Blaster Properties
"Creative Volume Panel" = Volume Panel
"DVDFab Platinum 4_is1" = DVDFab Platinum 4.1.2.0
"FLAC" = FLAC 1.2.1b (remove only)
"Guitar Pro 5_is1" = Guitar Pro 5.0
"Hauppauge WinTV" = Hauppauge WinTV
"Hauppauge WinTV Radio" = Hauppauge WinTV Radio
"Hauppauge WinTV Scheduler" = Hauppauge WinTV Scheduler
"Hauppauge WinTV TV Services" = Hauppauge WinTV TV Services
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"Live 7.0.3" = Live 7.0.3
"MagicDisc 2.7.97" = MagicDisc 2.7.97
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Miro" = Miro
"Mozilla Firefox 5.0 (x86 en-US)" = Mozilla Firefox 5.0 (x86 en-US)
"nanoPEG-Editor 2.6.0 for WinTV_is1" = nanoPEG-Editor 2.6.0 for WinTV
"OpenAL" = OpenAL
"PowerISO" = PowerISO
"Stellarium_is1" = Stellarium 0.9.1
"TeraCopy_is1" = TeraCopy 2.12
"Winamp" = Winamp
"Winamp Toolbar" = Winamp Toolbar
"WinRAR archiver" = WinRAR archiver
"Xilisoft Download YouTube Video" = Xilisoft Download YouTube Video
"Xilisoft DVD Creator" = Xilisoft DVD Creator
"Xilisoft DVD Ripper Platinum 5" = Xilisoft DVD Ripper Platinum 5
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update
"YInstHelper" = Yahoo! Install Manager
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"1df0cdb088182ccc" = FOREXTraderPro
"Winamp Detect" = Winamp Detector Plug-in
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 2/22/2010 7:08:27 PM | Computer Name = MXR-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 2/22/2010 7:08:27 PM | Computer Name = MXR-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 2/23/2010 4:23:27 AM | Computer Name = MXR-PC | Source = EventSystem | ID = 4621
Description =
 
Error - 2/23/2010 2:26:29 PM | Computer Name = MXR-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 2/23/2010 2:26:29 PM | Computer Name = MXR-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 2/24/2010 3:58:53 AM | Computer Name = MXR-PC | Source = EventSystem | ID = 4621
Description =
 
Error - 2/24/2010 2:47:46 PM | Computer Name = MXR-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 2/24/2010 2:47:46 PM | Computer Name = MXR-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 2/25/2010 5:56:12 AM | Computer Name = MXR-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 2/25/2010 5:56:12 AM | Computer Name = MXR-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
[ Media Center Events ]
Error - 2/3/2009 4:35:24 PM | Computer Name = MXR-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.
 
Error - 2/25/2009 4:53:12 AM | Computer Name = MXR-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.
 
Error - 3/23/2009 5:30:54 PM | Computer Name = MXR-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.
 
Error - 5/31/2009 3:38:04 PM | Computer Name = MXR-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.
 
Error - 2/10/2010 2:43:22 AM | Computer Name = MXR-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.
 
[ System Events ]
Error - 5/26/2011 1:35:17 PM | Computer Name = MXR-PC | Source = Service Control Manager | ID = 7011
Description =
 
Error - 5/26/2011 1:35:47 PM | Computer Name = MXR-PC | Source = Service Control Manager | ID = 7011
Description =
 
Error - 5/26/2011 1:36:17 PM | Computer Name = MXR-PC | Source = Service Control Manager | ID = 7011
Description =
 
Error - 5/26/2011 1:37:01 PM | Computer Name = MXR-PC | Source = Service Control Manager | ID = 7011
Description =
 
Error - 5/28/2011 10:24:01 AM | Computer Name = MXR-PC | Source = Service Control Manager | ID = 7022
Description =
 
Error - 5/28/2011 10:41:26 AM | Computer Name = MXR-PC | Source = sptd | ID = 262148
Description = Driver detected an internal error in its data structures for .
 
Error - 5/28/2011 10:43:29 AM | Computer Name = MXR-PC | Source = Service Control Manager | ID = 7026
Description =
 
Error - 5/28/2011 5:21:55 PM | Computer Name = MXR-PC | Source = Service Control Manager | ID = 7022
Description =
 
Error - 5/28/2011 5:25:18 PM | Computer Name = MXR-PC | Source = WinDefend | ID = 2004
Description = %%827 has encountered an error trying to load signatures and will
attempt reverting back to a known-good set of signatures.     Signatures Attempted: %%824

   Error
 Code: 0x8050a001     Error description: The program can't find definition files that
 help detect unwanted software. Check for updates to the definition files, and then
 try again. For information on installing updates, see Help and Support.      Signatures
 loading: %%825     Loading signature version: 1.105.365.0     Loading engine version: 1.1.6903.0
 
Error - 5/28/2011 7:17:12 PM | Computer Name = MXR-PC | Source = Microsoft-Windows-Kernel-General | ID = 5
Description =
 
 
< End of report >

Musicallyhopeless


« Reply #5 on: May 28, 2011, 06:31:51 PM »

I did the first scan with the antivirus software turned on, so I turned it off and repeated.  Here are the results.

 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02ACE8C9-8E20-49ED-B0DC-DDD8ACC3611B}" = lport=443 | protocol=6 | dir=in | name=forex2 |
"{2A86F0B9-3006-4EB5-AF6B-EFF1C65E84DE}" = rport=445 | protocol=6 | dir=out | app=system |
"{35DCBF5D-BC02-45DC-B540-750C36D67320}" = lport=445 | protocol=6 | dir=in | app=system |
"{3A69D75B-3CFD-4BEA-A8FD-5F8FCD07CB4B}" = lport=80 | protocol=6 | dir=in | name=forex1 |
"{4759904D-3D65-413C-B7F3-AC3E42CA5882}" = lport=3020 | protocol=6 | dir=in | name=forex4 |
"{50ADCCFC-624D-4F97-A8C2-B056E2DDE5CE}" = lport=49161 | protocol=6 | dir=in | name=akamai netsession interface |
"{5C5C6B46-1D09-4878-AEA2-51EA054F5BCC}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{5CB92708-60CF-4BC9-926E-E238363C6548}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{5EEA49FC-D638-4635-B63D-7D039F696C2F}" = lport=49162 | protocol=6 | dir=in | name=akamai netsession interface |
"{6380A8A0-ED13-4CA2-B2B5-15B60B8303A5}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{7571B825-074D-45A1-B4A7-155A0EC61F16}" = rport=139 | protocol=6 | dir=out | app=system |
"{785D29A2-180E-48FE-B32A-AF9E8A0D06F3}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{847A7C3E-353F-4B81-ADB4-122C2D3CCDBB}" = lport=1000 | protocol=6 | dir=in | name=forex3 |
"{84B65005-978A-42F5-A92D-155E41AF523A}" = lport=5000 | protocol=17 | dir=in | name=akamai netsession interface |
"{8E9DF257-E273-4D57-AA56-114F244EC94E}" = lport=138 | protocol=17 | dir=in | app=system |
"{933B6874-E08B-4BCC-AB73-FDC1173A646B}" = lport=139 | protocol=6 | dir=in | app=system |
"{9CC91E76-8AF8-43B2-8B3B-707C4158C705}" = rport=138 | protocol=17 | dir=out | app=system |
"{A133E354-B637-405C-887F-A5E007D52016}" = lport=5000 | protocol=17 | dir=in | name=akamai netsession interface |
"{A183E654-093D-41E2-8D5C-5D745AF26CB2}" = rport=137 | protocol=17 | dir=out | app=system |
"{B5C332FC-D564-41DA-B0BF-3EE30D7234F2}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{D033A727-BA48-4C69-AAF7-8361D985E837}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{D923ED4B-7917-4333-AE32-E24476D700E4}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{DA5C6D43-2A04-44BB-91C5-D87705AF8B1F}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{E1D0078A-2B62-48C5-8A5F-43123314EBCB}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{F5E410A8-E985-40A8-9861-DCED0711373C}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{FAB7BA9A-746C-4729-9C73-857F9987D3D2}" = lport=137 | protocol=17 | dir=in | app=system |
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{131D1C8D-E653-4D6C-90AB-E6554EB61177}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{39FB7B33-E496-437C-8F4E-0201A1432C8E}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{5ED454A8-B5B5-460F-86C1-35EDE85AFF6A}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{71712498-ADA6-407E-B5E9-7E360AF8603A}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{8E8BA75F-1647-4E5F-9448-A945C3C15530}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{919FFB47-EB61-4F4E-BDFE-846EFB965AC6}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{AC19BE9D-4E13-4A3E-B678-B70E9428DFE3}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{B239804D-F435-4809-969D-EB89150846DB}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{BF0CB770-616A-4003-A906-6D92D67FAFD2}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{C09EBC07-AD9D-48B2-BBFE-7FBA47F1D40A}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{D0087B57-2A0E-484A-A64D-44B35AFFC432}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{DFD94022-BEAC-4952-AAC9-78C42E533595}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{FD12A244-47AF-4424-B7DD-18DA87D0B5BD}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"TCP Query User{16898C3E-F0EF-455A-9A3F-80604CF387E0}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{18AEEA20-C137-407B-AEDA-5D9EDBD1097F}C:\program files\participatory culture foundation\miro\miro_downloader.exe" = protocol=6 | dir=in | app=c:\program files\participatory culture foundation\miro\miro_downloader.exe |
"TCP Query User{29FEC7CC-3C10-45F4-A78A-3361E4B6084F}C:\program files\winamp\winamp.exe" = protocol=6 | dir=in | app=c:\program files\winamp\winamp.exe |
"TCP Query User{6AF9D0C9-20CD-4C75-B069-67F56FFBE423}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"TCP Query User{AB406E09-1F27-4079-BD0E-7B415A792995}C:\program files\participatory culture foundation\miro\xulrunner\python\miro_downloader.exe" = protocol=6 | dir=in | app=c:\program files\participatory culture foundation\miro\xulrunner\python\miro_downloader.exe |
"TCP Query User{F05798BB-D289-41B9-9CE2-8E51EE1C7DA8}C:\program files\participatory culture foundation\miro\miro_downloader.exe" = protocol=6 | dir=in | app=c:\program files\participatory culture foundation\miro\miro_downloader.exe |
"TCP Query User{F1D81A89-E2B1-47C9-9F07-3CF9D1D09F85}C:\program files\mozilla firefox 4.0 beta 10\plugin-container.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox 4.0 beta 10\plugin-container.exe |
"UDP Query User{1F926D58-FC5A-420E-9BFB-955263BC0024}C:\program files\participatory culture foundation\miro\xulrunner\python\miro_downloader.exe" = protocol=17 | dir=in | app=c:\program files\participatory culture foundation\miro\xulrunner\python\miro_downloader.exe |
"UDP Query User{2B5AE7E5-CFB6-4FC1-A957-80BC9BA6F10C}C:\program files\winamp\winamp.exe" = protocol=17 | dir=in | app=c:\program files\winamp\winamp.exe |
"UDP Query User{3A83BDA1-CA7B-4128-A9E9-13296585CBF2}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"UDP Query User{3E8FEE34-C17F-4B47-9DE8-EBDC0A14260E}C:\program files\participatory culture foundation\miro\miro_downloader.exe" = protocol=17 | dir=in | app=c:\program files\participatory culture foundation\miro\miro_downloader.exe |
"UDP Query User{49D83BBD-463C-4C38-8366-07D827247B16}C:\program files\participatory culture foundation\miro\miro_downloader.exe" = protocol=17 | dir=in | app=c:\program files\participatory culture foundation\miro\miro_downloader.exe |
"UDP Query User{A8FDFAD6-C70C-4688-BE77-66B62314409D}C:\program files\mozilla firefox 4.0 beta 10\plugin-container.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox 4.0 beta 10\plugin-container.exe |
"UDP Query User{CB3542EB-AF40-4BA2-A239-DEF58D54020C}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{20585CDC-114E-4372-986A-0686B1A37A30}" = Business Plan Pro 2007
"{2227E1FA-01F5-483C-AB0E-2A308E900B3D}" = InterVideo FilterSDK for Hauppauge
"{2956585F-DB2F-45C2-9363-F8CB0BB4F2A7}" = Sony ACID Pro 6.0
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{3B45D262-3BEE-477F-8652-EC24950D3F65}" = Adobe Director 11
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{58762801-BA53-42B3-890B-C6B9CC8CFE26}" = QuickConnect
"{5A0C892E-FD1C-4203-941E-0956AED20A6A}" = APC PowerChute Personal Edition
"{64E72FB1-2343-4977-B4A8-262CD53D0BD3}" = Corel Paint Shop Pro Photo X2
"{67A339E5-D8AA-4E88-9278-A571B397F798}" = Babylon Toolbar
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6CDE6C4F-6FD7-4F24-A116-F0D173432FFC}" = Adobe Setup
"{7148F0A8-6813-11D6-A77B-00B0D0142130}" = Java 2 Runtime Environment, SE v1.4.2_13
"{7216871F-869E-437C-B9BF-2A13F2DCE63F}_is1" = Auslogics BoostSpeed
"{76C24F39-B161-498F-BD8B-C64789812D13}_is1" = ConvertXtoDVD 3.0.0.9
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{9692FD03-6662-4E62-B08C-30DFF51651E1}" = Actiontec Gateway
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9F6CFB0-806D-11E0-8EA1-B8AC6F97B88E}" = Google Earth Plug-in
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{C2C2101F-0538-4548-B5AF-39E0D3B3CB50}" = Adobe Lightroom 2 Beta
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D627784F-B3EE-44E8-96B1-9509B991EA34}_is1" = AusLogics Registry Defrag
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = AusLogics Disk Defrag
"{E5343B27-55DF-40BD-9FCF-A643C1331E8A}" = Acronis True Image Home
"{F4A4E6B2-D45F-4EB1-8C3A-6EB8D45A31C9}" = ClientTools
"{F9FD80CE-0448-4D4F-8BCD-77FC514C3F99}" = Vista Codec Package
"{FB4F9000-04FC-11E0-85D2-001AA037B01E}" = Google Earth Plug-in
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_2755fefb5e3352ee2921713793bdbf8" = Adobe Director 11
"Akamai" = Akamai NetSession Interface
"AudioCS" = Creative Audio Control Panel
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner
"Console Launcher" = Creative Console Launcher
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"Creative Sound Blaster Properties" = Creative Sound Blaster Properties
"Creative Volume Panel" = Volume Panel
"DVDFab Platinum 4_is1" = DVDFab Platinum 4.1.2.0
"FLAC" = FLAC 1.2.1b (remove only)
"Guitar Pro 5_is1" = Guitar Pro 5.0
"Hauppauge WinTV" = Hauppauge WinTV
"Hauppauge WinTV Radio" = Hauppauge WinTV Radio
"Hauppauge WinTV Scheduler" = Hauppauge WinTV Scheduler
"Hauppauge WinTV TV Services" = Hauppauge WinTV TV Services
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"Live 7.0.3" = Live 7.0.3
"MagicDisc 2.7.97" = MagicDisc 2.7.97
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Miro" = Miro
"Mozilla Firefox 5.0 (x86 en-US)" = Mozilla Firefox 5.0 (x86 en-US)
"nanoPEG-Editor 2.6.0 for WinTV_is1" = nanoPEG-Editor 2.6.0 for WinTV
"OpenAL" = OpenAL
"PowerISO" = PowerISO
"Stellarium_is1" = Stellarium 0.9.1
"TeraCopy_is1" = TeraCopy 2.12
"Winamp" = Winamp
"Winamp Toolbar" = Winamp Toolbar
"WinRAR archiver" = WinRAR archiver
"Xilisoft Download YouTube Video" = Xilisoft Download YouTube Video
"Xilisoft DVD Creator" = Xilisoft DVD Creator
"Xilisoft DVD Ripper Platinum 5" = Xilisoft DVD Ripper Platinum 5
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update
"YInstHelper" = Yahoo! Install Manager
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"1df0cdb088182ccc" = FOREXTraderPro
"Winamp Detect" = Winamp Detector Plug-in
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 2/22/2010 7:08:27 PM | Computer Name = MXR-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 2/22/2010 7:08:27 PM | Computer Name = MXR-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 2/23/2010 4:23:27 AM | Computer Name = MXR-PC | Source = EventSystem | ID = 4621
Description =
 
Error - 2/23/2010 2:26:29 PM | Computer Name = MXR-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 2/23/2010 2:26:29 PM | Computer Name = MXR-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 2/24/2010 3:58:53 AM | Computer Name = MXR-PC | Source = EventSystem | ID = 4621
Description =
 
Error - 2/24/2010 2:47:46 PM | Computer Name = MXR-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 2/24/2010 2:47:46 PM | Computer Name = MXR-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 2/25/2010 5:56:12 AM | Computer Name = MXR-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
Error - 2/25/2010 5:56:12 AM | Computer Name = MXR-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
 
[ Media Center Events ]
Error - 2/3/2009 4:35:24 PM | Computer Name = MXR-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.
 
Error - 2/25/2009 4:53:12 AM | Computer Name = MXR-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.
 
Error - 3/23/2009 5:30:54 PM | Computer Name = MXR-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.
 
Error - 5/31/2009 3:38:04 PM | Computer Name = MXR-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.
 
Error - 2/10/2010 2:43:22 AM | Computer Name = MXR-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.
 
[ System Events ]
Error - 5/26/2011 1:35:17 PM | Computer Name = MXR-PC | Source = Service Control Manager | ID = 7011
Description =
 
Error - 5/26/2011 1:35:47 PM | Computer Name = MXR-PC | Source = Service Control Manager | ID = 7011
Description =
 
Error - 5/26/2011 1:36:17 PM | Computer Name = MXR-PC | Source = Service Control Manager | ID = 7011
Description =
 
Error - 5/26/2011 1:37:01 PM | Computer Name = MXR-PC | Source = Service Control Manager | ID = 7011
Description =
 
Error - 5/28/2011 10:24:01 AM | Computer Name = MXR-PC | Source = Service Control Manager | ID = 7022
Description =
 
Error - 5/28/2011 10:41:26 AM | Computer Name = MXR-PC | Source = sptd | ID = 262148
Description = Driver detected an internal error in its data structures for .
 
Error - 5/28/2011 10:43:29 AM | Computer Name = MXR-PC | Source = Service Control Manager | ID = 7026
Description =
 
Error - 5/28/2011 5:21:55 PM | Computer Name = MXR-PC | Source = Service Control Manager | ID = 7022
Description =
 
Error - 5/28/2011 5:25:18 PM | Computer Name = MXR-PC | Source = WinDefend | ID = 2004
Description = %%827 has encountered an error trying to load signatures and will
attempt reverting back to a known-good set of signatures.     Signatures Attempted: %%824

   Error
 Code: 0x8050a001     Error description: The program can't find definition files that
 help detect unwanted software. Check for updates to the definition files, and then
 try again. For information on installing updates, see Help and Support.      Signatures
 loading: %%825     Loading signature version: 1.105.365.0     Loading engine version: 1.1.6903.0
 
Error - 5/28/2011 7:17:12 PM | Computer Name = MXR-PC | Source = Microsoft-Windows-Kernel-General | ID = 5
Description =
 
 
< End of report >
Musicallyhopeless


« Reply #6 on: May 28, 2011, 06:32:58 PM »

========== Processes (SafeList) ==========
 
PRC - [2011/05/28 18:03:29 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\MXR\Downloads\OTL.exe
PRC - [2011/05/25 10:04:10 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe
PRC - [2011/05/25 10:04:07 | 000,016,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe
PRC - [2011/04/28 12:09:01 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/03/28 16:15:32 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/08/02 17:09:56 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/01/14 23:11:02 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/04/10 23:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/19 15:07:56 | 001,213,728 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
PRC - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/10/31 21:04:40 | 000,307,200 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe
PRC - [2008/10/08 00:41:36 | 000,023,552 | ---- | M] (Creative Technology Ltd) -- C:\Windows\System32\Ctxfihlp.exe
PRC - [2008/10/08 00:37:38 | 001,212,928 | ---- | M] (Creative Technology Ltd) -- C:\Windows\System32\CTxfispi.exe
PRC - [2008/08/06 16:31:44 | 000,233,576 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Volume Panel\VolPanlu.exe
PRC - [2008/01/19 00:38:38 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2007/09/07 22:46:28 | 000,492,600 | ---- | M] () -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
PRC - [2007/09/07 22:00:50 | 000,427,288 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2007/07/19 18:54:48 | 000,689,408 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
PRC - [2007/07/19 18:54:40 | 000,656,640 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
PRC - [2007/06/05 13:20:32 | 000,177,704 | ---- | M] () -- C:\Windows\System32\PSIService.exe
PRC - [2007/05/28 09:57:54 | 000,275,968 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2011/05/28 18:03:29 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\MXR\Downloads\OTL.exe
MOD - [2010/08/31 08:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - File not found [On_Demand | Stopped] --  -- (gusvc)
SRV - [2011/05/16 13:18:35 | 003,275,864 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\netsession_win_8832f4b.dll -- (Akamai)
SRV - [2011/04/28 12:09:01 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/03/28 16:15:32 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/03/19 15:07:56 | 001,213,728 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe -- (sprtlisten)
SRV - [2009/03/19 15:07:54 | 000,382,320 | ---- | M] (SupportSoft, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\supportsoft\bin\ssrc.exe -- (SupportSoft RemoteAssist)
SRV - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/10/31 21:04:40 | 000,307,200 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
SRV - [2008/10/08 10:53:03 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
SRV - [2008/06/24 10:13:16 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/01/19 00:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/09/07 22:46:28 | 000,492,600 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe -- (TryAndDecideService)
SRV - [2007/09/07 22:00:50 | 000,427,288 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2007/07/19 18:54:48 | 000,689,408 | ---- | M] (American Power Conversion Corporation) [Auto | Running] -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe -- (APC UPS Service)
SRV - [2007/06/05 13:20:32 | 000,177,704 | ---- | M] () [Auto | Running] -- C:\Windows\System32\PSIService.exe -- (ProtexisLicensing)
SRV - [2007/05/28 09:57:54 | 000,275,968 | ---- | M] (Rocket Division Software) [Auto | Running] -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)
SRV - [2007/02/20 16:11:28 | 000,815,104 | ---- | M] (Hauppauge Computer Works) [On_Demand | Stopped] -- C:\Program Files\WinTV\HCWTVServer.exe -- (HauppaugeTVServer)
 
 
========== Driver Services (SafeList) ==========
 
DRV - [2011/03/16 19:20:10 | 000,137,656 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/12/03 23:31:45 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/17 16:27:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/19 21:50:50 | 000,391,168 | ---- | M] (Hauppauge Computer Works, Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\hcw18bda.sys -- (hcw18bda)
DRV - [2009/02/13 12:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/10/08 02:22:04 | 001,177,624 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ha20x2k.sys -- (ha20x2k)
DRV - [2008/10/08 02:22:02 | 000,095,768 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\emupia2k.sys -- (emupia)
DRV - [2008/10/08 02:22:00 | 000,158,744 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2008/10/08 02:21:58 | 000,014,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2008/10/08 02:21:56 | 000,130,072 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2008/10/08 02:21:54 | 000,347,080 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2008/10/08 02:21:50 | 000,526,232 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2008/10/08 02:21:46 | 000,511,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2008/10/08 02:21:44 | 001,324,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CTEXFIFX.SYS -- (CTEXFIFX.SYS)
DRV - [2008/10/08 02:21:44 | 001,324,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CTEXFIFX.sys -- (CTEXFIFX)
DRV - [2008/10/08 02:21:40 | 000,072,728 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CTHWIUT.SYS -- (CTHWIUT.SYS)
DRV - [2008/10/08 02:21:40 | 000,072,728 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CTHWIUT.sys -- (CTHWIUT)
DRV - [2008/10/08 02:21:38 | 000,171,032 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CT20XUT.SYS -- (CT20XUT.SYS)
DRV - [2008/10/08 02:21:38 | 000,171,032 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CT20XUT.sys -- (CT20XUT)
DRV - [2008/06/20 09:44:21 | 000,716,272 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2008/05/27 12:11:54 | 000,096,896 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2008/03/13 23:04:29 | 000,046,652 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2008/03/02 00:40:14 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2008/03/02 00:40:14 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\Windows\System32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2008/03/02 00:40:03 | 000,129,248 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2008/03/02 00:39:51 | 000,368,736 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tdrpman.sys -- (tdrpman)
DRV - [2008/01/18 22:55:21 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\irsir.sys -- (irsir)
DRV - [2007/10/26 00:32:52 | 000,329,240 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\CTEDSPSY.DLL -- (CTEDSPSY.DLL)
DRV - [2007/10/26 00:32:52 | 000,134,680 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\CTEDSPIO.DLL -- (CTEDSPIO.DLL)
DRV - [2007/10/26 00:32:46 | 000,100,888 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\CTERFXFX.DLL -- (CTERFXFX.DLL)
DRV - [2007/10/26 00:32:44 | 000,286,232 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\CTEDSPFX.DLL -- (CTEDSPFX.DLL)
DRV - [2007/10/26 00:32:42 | 000,174,104 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\CTEAPSFX.DLL -- (CTEAPSFX.DLL)
DRV - [2007/10/26 00:32:40 | 000,566,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\CTSBLFX.DLL -- (CTSBLFX.DLL)
DRV - [2007/10/26 00:32:36 | 000,551,960 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\CTAUDFX.DLL -- (CTAUDFX.DLL)
DRV - [2007/10/26 00:32:34 | 000,098,328 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\COMMONFX.DLL -- (COMMONFX.DLL)
DRV - [2007/09/20 14:12:34 | 000,012,800 | ---- | M] (EldoS Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\elrawdsk.sys -- (ElRawDisk)
DRV - [2007/06/27 02:00:42 | 002,770,432 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2007/06/27 02:00:42 | 002,770,432 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2007/05/03 18:29:10 | 001,065,384 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2006/08/15 16:18:10 | 000,177,152 | ---- | M] (Hauppauge Computer Works, Inc.) [23|25|26]xxx) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\hcwPP2.sys -- (hcwPP2)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..network.proxy.type: 0
 
FF - HKLM\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files\Mozilla Firefox 4.0 Beta 10\components [2011/05/25 10:04:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugins [2011/04/30 14:51:06 | 000,000,000 | ---D | M]
 
[2009/11/02 14:20:23 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\MXR\AppData\Roaming\Mozilla\Extensions
[2008/06/09 09:32:29 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\MXR\AppData\Roaming\Mozilla\Extensions\{6334D996-EA3E-4a0e-AA8D-15BA56B37241}
[2009/11/02 14:20:23 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\MXR\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2011/05/03 21:32:13 | 000,000,000 | ---D | M] (No name found) -- C:\Users\MXR\AppData\Roaming\Mozilla\Firefox\Profiles\dg90b44u.default\extensions
[2011/05/28 14:10:59 | 000,000,000 | ---D | M] (Ghostery) -- C:\Users\MXR\AppData\Roaming\Mozilla\Firefox\Profiles\dg90b44u.default\extensions\firefox@ghostery.com
[2011/02/06 15:11:52 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\MXR\AppData\Roaming\Mozilla\Firefox\Profiles\qp6hiuan.default\extensions
File not found (No name found) --
() (No name found) -- C:\USERS\MXR\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\DG90B44U.DEFAULT\EXTENSIONS\{C0C9A2C7-2E5C-4447-BC53-97718BC91E1B}.XPI
[2009/06/24 11:26:58 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
 
O1 HOSTS File: ([2008/06/25 22:28:57 | 000,001,083 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Winamp Toolbar Loader) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (no name) - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Winamp Toolbar) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CTxfiHlp] C:\Windows\System32\Ctxfihlp.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [VolPanel] C:\Program Files\Creative\Volume Panel\VolPanlu.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html ()
O8 - Extra context menu item: Download with Xilisoft Download YouTube Video - C:\Program Files\Xilisoft\Download YouTube Video\upod_link.HTM ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Ranges: Range1 ([https] in Trusted sites)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.3 205.171.3.25
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\MXR\Pictures\Hubble_Spiral\Whirpool_full_jpg.jpg
O24 - Desktop BackupWallPaper: C:\Users\MXR\Pictures\Hubble_Spiral\Whirpool_full_jpg.jpg
O30 - LSA: Authentication Packages - (relog_ap) - C:\Windows\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - H:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{31941ff4-824c-11e0-aea1-00016cb7efa1}\Shell - "" = AutoRun
O33 - MountPoints2\{31941ff4-824c-11e0-aea1-00016cb7efa1}\Shell\AutoRun\command - "" = F:\GSLoader.exe
O33 - MountPoints2\{4a4e2fb0-ddbb-11dc-b5da-001558137ae4}\Shell - "" = AutoRun
O33 - MountPoints2\{4a4e2fb0-ddbb-11dc-b5da-001558137ae4}\Shell\AutoRun\command - "" = G:\LaunchU3.exe
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2011/05/19 18:39:45 | 000,000,000 | -H-D | C] -- C:\Users\MXR\AppData\Roaming\FolderSync
[2011/05/19 18:39:44 | 000,000,000 | -H-D | C] -- C:\Users\MXR\AppData\Roaming\OutlookSync
[2011/05/19 18:39:25 | 000,000,000 | ---D | C] -- C:\Users\MXR\AppData\Roaming\PLAux
[2011/05/19 18:39:22 | 000,000,000 | ---D | C] -- C:\Users\MXR\AppData\Roaming\OTi
[2011/05/19 12:15:56 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/05/15 18:04:03 | 000,000,000 | -H-D | C] -- C:\Users\MXR\Documents\Manuals
[2011/04/30 15:12:54 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/04/30 15:12:54 | 000,162,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msrating.dll
[2011/04/30 15:12:54 | 000,161,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msls31.dll
[2011/04/30 15:12:54 | 000,086,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2011/04/30 15:12:54 | 000,076,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\SetIEInstalledDate.exe
[2011/04/30 15:12:54 | 000,074,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe
[2011/04/30 15:12:54 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/04/30 15:12:54 | 000,048,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtmler.dll
[2011/04/30 15:12:53 | 003,695,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dat
[2011/04/30 15:12:53 | 000,434,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2011/04/30 15:12:53 | 000,367,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2011/04/30 15:12:53 | 000,353,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtmsft.dll
[2011/04/30 15:12:53 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2011/04/30 15:12:53 | 000,223,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtrans.dll
[2011/04/30 15:12:53 | 000,074,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2011/04/30 15:12:53 | 000,074,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2011/04/30 15:12:53 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2011/04/30 15:12:52 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/04/30 15:12:52 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2011/04/30 15:12:52 | 000,580,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2011/04/30 15:12:52 | 000,420,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2011/04/30 15:12:52 | 000,353,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2011/04/30 15:12:52 | 000,152,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wextract.exe
[2011/04/30 15:12:52 | 000,150,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iexpress.exe
[2011/04/30 15:12:52 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2011/04/30 15:12:52 | 000,101,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\admparse.dll
[2011/04/30 15:12:52 | 000,078,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inseng.dll
[2011/04/30 15:12:52 | 000,054,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\pngfilt.dll
[2011/04/30 15:12:52 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2011/04/30 15:12:51 | 001,797,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011/04/30 15:12:51 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2011/04/30 15:12:51 | 000,227,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2011/04/30 15:12:51 | 000,163,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakui.dll
[2011/04/30 15:12:51 | 000,130,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakeng.dll
[2011/04/30 15:12:51 | 000,118,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2011/04/30 15:12:51 | 000,110,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\IEAdvpack.dll
[2011/04/30 15:12:51 | 000,041,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2011/04/30 15:12:51 | 000,035,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\imgutil.dll
[2011/04/30 15:12:51 | 000,010,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2011/04/30 15:10:05 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll
[2011/04/30 15:10:05 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll
[2011/04/30 15:10:02 | 000,876,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsPrint.dll
[2008/10/08 00:42:42 | 000,060,928 | ---- | C] ( ) -- C:\Windows\System32\a3d.dll
[2008/10/08 00:23:46 | 000,012,800 | ---- | C] ( ) -- C:\Windows\System32\killapps.exe
[2008/07/02 10:46:03 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\MXR\AppData\Roaming\pcouffin.sys
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2011/05/28 18:16:58 | 000,004,176 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/05/28 18:16:58 | 000,004,176 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/05/28 18:10:00 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/28 16:17:37 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/28 16:16:56 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/05/28 16:15:23 | 000,055,612 | ---- | M] () -- C:\Windows\System32\BMXStateBkp-{00000001-00000000-00000007-00001102-00000005-00211102}.rfx
[2011/05/28 16:15:23 | 000,055,612 | ---- | M] () -- C:\Windows\System32\BMXState-{00000001-00000000-00000007-00001102-00000005-00211102}.rfx
[2011/05/28 16:15:23 | 000,000,788 | ---- | M] () -- C:\Windows\System32\DVCState-{00000001-00000000-00000007-00001102-00000005-00211102}.rfx
[2011/05/28 08:03:50 | 000,012,288 | ---- | M] () -- C:\Windows\System32\umstartup000.etl
[2011/05/28 07:43:27 | 000,000,136 | ---- | M] () -- C:\ProgramData\~43638520r
[2011/05/28 07:43:27 | 000,000,104 | ---- | M] () -- C:\ProgramData\~43638520
[2011/05/28 07:22:21 | 000,000,392 | ---- | M] () -- C:\ProgramData\43638520
[2011/05/26 02:28:05 | 000,028,672 | ---- | M] () -- C:\Users\MXR\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/24 00:04:46 | 000,622,094 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/05/24 00:04:46 | 000,111,648 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/05/19 12:15:56 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/05/12 01:38:13 | 000,781,060 | -H-- | M] () -- C:\Users\MXR\Documents\Diabetes_PAP_Insulin_with_HIPPA_and_Victoza.pdf
[2011/05/03 15:57:45 | 000,040,693 | -H-- | M] () -- C:\Users\MXR\Documents\Hemp_Facts.pdf
[2011/04/30 15:44:13 | 000,000,943 | ---- | M] () -- C:\Users\MXR\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/04/30 15:13:03 | 000,008,798 | ---- | M] () -- C:\Windows\System32\icrav03.rat
[2011/04/30 15:13:03 | 000,001,988 | ---- | M] () -- C:\Windows\System32\ticrf.rat
[2011/04/30 15:12:54 | 000,176,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/04/30 15:12:54 | 000,162,304 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msrating.dll
[2011/04/30 15:12:54 | 000,161,792 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msls31.dll
[2011/04/30 15:12:54 | 000,086,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2011/04/30 15:12:54 | 000,076,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SetIEInstalledDate.exe
[2011/04/30 15:12:54 | 000,074,752 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe
[2011/04/30 15:12:54 | 000,065,024 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/04/30 15:12:54 | 000,048,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtmler.dll
[2011/04/30 15:12:53 | 003,695,416 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dat
[2011/04/30 15:12:53 | 000,434,176 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2011/04/30 15:12:53 | 000,367,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2011/04/30 15:12:53 | 000,353,792 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dxtmsft.dll
[2011/04/30 15:12:53 | 000,231,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2011/04/30 15:12:53 | 000,223,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dxtrans.dll
[2011/04/30 15:12:53 | 000,074,752 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2011/04/30 15:12:53 | 000,074,240 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2011/04/30 15:12:53 | 000,072,822 | ---- | M] () -- C:\Windows\System32\ieuinit.inf
[2011/04/30 15:12:53 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2011/04/30 15:12:52 | 002,382,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/04/30 15:12:52 | 001,427,456 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2011/04/30 15:12:52 | 000,580,608 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2011/04/30 15:12:52 | 000,420,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2011/04/30 15:12:52 | 000,353,584 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2011/04/30 15:12:52 | 000,152,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wextract.exe
[2011/04/30 15:12:52 | 000,150,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iexpress.exe
[2011/04/30 15:12:52 | 000,142,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2011/04/30 15:12:52 | 000,101,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\admparse.dll
[2011/04/30 15:12:52 | 000,078,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\inseng.dll
[2011/04/30 15:12:52 | 000,054,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\pngfilt.dll
[2011/04/30 15:12:52 | 000,023,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2011/04/30 15:12:51 | 001,797,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011/04/30 15:12:51 | 000,716,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2011/04/30 15:12:51 | 000,227,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2011/04/30 15:12:51 | 000,163,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieakui.dll
[2011/04/30 15:12:51 | 000,130,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieakeng.dll
[2011/04/30 15:12:51 | 000,118,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2011/04/30 15:12:51 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\IEAdvpack.dll
[2011/04/30 15:12:51 | 000,041,472 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2011/04/30 15:12:51 | 000,035,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\imgutil.dll
[2011/04/30 15:12:51 | 000,010,752 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2011/05/28 02:41:15 | 000,000,136 | ---- | C] () -- C:\ProgramData\~43638520r
[2011/05/28 02:41:14 | 000,000,104 | ---- | C] () -- C:\ProgramData\~43638520
[2011/05/28 02:40:56 | 000,000,392 | ---- | C] () -- C:\ProgramData\43638520
[2011/05/12 01:38:12 | 000,781,060 | -H-- | C] () -- C:\Users\MXR\Documents\Diabetes_PAP_Insulin_with_HIPPA_and_Victoza.pdf
[2011/05/03 15:57:45 | 000,040,693 | -H-- | C] () -- C:\Users\MXR\Documents\Hemp_Facts.pdf
[2011/04/30 15:12:53 | 000,072,822 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2011/04/19 02:26:42 | 000,028,672 | ---- | C] () -- C:\Users\MXR\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/18 18:38:22 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/18 18:38:22 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/05/29 17:52:26 | 000,204,800 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/05/29 17:47:06 | 000,881,664 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/05/29 06:11:20 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/03/16 09:36:05 | 000,000,118 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2009/02/12 10:52:41 | 000,065,536 | ---- | C] () -- C:\Windows\System32\dmcrypto.dll
[2009/02/12 10:51:34 | 000,000,135 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/02/12 10:51:32 | 000,000,209 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2009/02/12 10:51:31 | 000,159,744 | ---- | C] () -- C:\Windows\System32\hcwChDB.dll
[2009/02/12 10:51:00 | 000,006,350 | ---- | C] () -- C:\Windows\HCWPNP.INI
[2009/02/12 10:25:44 | 000,066,048 | ---- | C] () -- C:\Windows\System32\hcwXDS.dll
[2009/01/29 00:16:57 | 000,144,896 | ---- | C] () -- C:\Windows\System32\APOMngr.DLL
[2009/01/29 00:16:57 | 000,071,168 | ---- | C] () -- C:\Windows\System32\CmdRtr.DLL
[2008/10/08 01:08:38 | 000,020,936 | ---- | C] () -- C:\Windows\System32\instwdm.ini
[2008/10/08 00:41:40 | 000,002,560 | ---- | C] () -- C:\Windows\System32\CtxfiRes.dll
[2008/10/08 00:41:40 | 000,002,560 | ---- | C] () -- C:\Windows\CTXFIRES.DLL
[2008/10/08 00:31:14 | 000,321,512 | ---- | C] () -- C:\Windows\System32\ctdlang.dat
[2008/10/08 00:31:14 | 000,056,509 | ---- | C] () -- C:\Windows\System32\ctdnlstr.dat
[2008/10/08 00:26:38 | 000,016,384 | ---- | C] () -- C:\Windows\System32\regplib.exe
[2008/10/08 00:23:50 | 000,007,680 | ---- | C] () -- C:\Windows\System32\enlocstr.exe
[2008/09/18 21:17:19 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/09/12 22:22:40 | 000,000,054 | ---- | C] () -- C:\Windows\System32\ctzapxx.ini
[2008/07/02 10:48:38 | 000,000,664 | -H-- | C] () -- C:\Users\MXR\AppData\Roaming\vso_ts_preview.xml
[2008/07/02 10:46:03 | 000,087,608 | ---- | C] () -- C:\Users\MXR\AppData\Roaming\inst.exe
[2008/07/02 10:46:03 | 000,007,887 | ---- | C] () -- C:\Users\MXR\AppData\Roaming\pcouffin.cat
[2008/07/02 10:46:03 | 000,001,144 | ---- | C] () -- C:\Users\MXR\AppData\Roaming\pcouffin.inf
[2008/06/25 22:00:35 | 000,940,896 | ---- | C] () -- C:\Windows\System32\Incinerator.dll
[2008/06/25 22:00:30 | 000,028,672 | ---- | C] () -- C:\Windows\System32\iolobtdfg.exe
[2008/06/25 22:00:30 | 000,008,192 | ---- | C] () -- C:\Windows\System32\smrgdf.exe
[2008/06/24 10:28:19 | 000,074,703 | ---- | C] () -- C:\Windows\System32\mfc45.dll
[2008/06/21 15:32:06 | 000,002,568 | -HS- | C] () -- C:\Windows\System32\KGyGaAvL.sys
[2008/06/21 15:32:06 | 000,000,088 | RHS- | C] () -- C:\Windows\System32\AB08F48236.sys
[2008/06/21 14:40:24 | 000,162,304 | ---- | C] () -- C:\Windows\System32\ztvunrar36.dll
[2008/06/21 14:40:24 | 000,153,088 | ---- | C] () -- C:\Windows\System32\UNRAR3.dll
[2008/06/21 14:40:24 | 000,077,312 | ---- | C] () -- C:\Windows\System32\ztvunace26.dll
[2008/06/21 14:40:24 | 000,075,264 | ---- | C] () -- C:\Windows\System32\unacev2.dll
[2008/04/18 08:51:46 | 000,024,064 | -H-- | C] () -- C:\Users\MXR\AppData\Roaming\UserTile.png
[2008/03/31 14:25:46 | 000,831,488 | ---- | C] () -- C:\Windows\System32\divx_xx0a.dll
[2008/03/21 13:30:08 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008/03/21 13:28:20 | 000,012,288 | ---- | C] () -- C:\Windows\System32\DivXWMPExtType.dll
[2007/10/25 22:59:44 | 000,043,520 | ---- | C] () -- C:\Windows\System32\CTBURST.DLL
[2007/10/25 22:56:28 | 000,037,888 | ---- | C] () -- C:\Windows\System32\PSCONV.EXE
[2007/10/25 22:44:52 | 000,149,838 | ---- | C] () -- C:\Windows\System32\CTBAS2W.DAT
[2007/10/25 22:43:10 | 000,274,587 | ---- | C] () -- C:\Windows\System32\CTSBAS2W.DAT
[2007/10/25 22:43:04 | 000,241,084 | ---- | C] () -- C:\Windows\System32\CTSBASW.DAT
[2007/10/25 22:43:04 | 000,115,166 | ---- | C] () -- C:\Windows\System32\CTBASICW.DAT
[2007/10/25 22:42:50 | 000,313,207 | ---- | C] () -- C:\Windows\System32\CTSTATIC.DAT
[2007/10/25 22:42:50 | 000,053,932 | ---- | C] () -- C:\Windows\System32\CTDAUGHT.DAT
[2007/09/04 13:56:10 | 000,164,352 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2007/08/13 21:45:02 | 000,077,824 | ---- | C] () -- C:\Windows\System32\CTMMACTL.DLL
[2007/06/27 01:27:52 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2007/06/05 13:20:32 | 000,177,704 | ---- | C] () -- C:\Windows\System32\PSIService.exe
[2007/02/20 20:39:10 | 000,144,773 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2007/02/05 21:05:26 | 000,000,038 | ---- | C] () -- C:\Windows\AviSplitter.INI
[2006/11/02 05:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 05:47:37 | 000,264,840 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 05:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 03:33:01 | 000,622,094 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 03:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 03:33:01 | 000,111,648 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 03:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 03:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 03:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 01:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 01:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 00:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 00:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/10/02 18:25:18 | 000,000,321 | ---- | C] () -- C:\Windows\System32\kill.ini
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:D1B5B4F1
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:CB0AACC9

< End of report >
Musicallyhopeless


« Reply #7 on: May 28, 2011, 06:45:06 PM »

Here are the results of the GMER scan. I tried the aswMBR scan but the program shut itself down after a minute or so of scanning.


---- Devices - GMER 1.0.15 ----

Device  \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0                   84BD81F8
Device  \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2                   84BD81F8
Device  \Driver\atapi \Device\Ide\IdePort0                            84BD81F8
Device  \Driver\atapi \Device\Ide\IdePort1                            84BD81F8
Device  \Driver\atapi \Device\Ide\IdePort2                            84BD81F8
Device  \Driver\atapi \Device\Ide\IdePort3                            84BD81F8
Device  \Driver\atapi \Device\Ide\IdePort4                            84BD81F8
Device  \Driver\atapi \Device\Ide\IdePort5                            84BD81F8
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1                   84BD81F8
Device  \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3                   84BD81F8
Device  \Driver\ahgl0no0 \Device\Scsi\ahgl0no01Port8Path0Target0Lun0  85E851F8
Device  \Driver\ahgl0no0 \Device\Scsi\ahgl0no01                       85E851F8
Device  \FileSystem\Ntfs \Ntfs                                        84BD91F8

---- Threads - GMER 1.0.15 ----

Thread  System [4:368]                                                85AE5E7A
Thread  System [4:372]                                                85AE8008

---- EOF - GMER 1.0.15 ----
Jintan
« Reply #8 on: May 28, 2011, 07:39:00 PM »

Sure looks like an MBR (Master Boot Record) infection. It may also have a guardian rootkit. Try some other, different MBR methods.


Download Gmer's mbr.exe from here and place it on your C drive (so the file is then C:\mbr.exe).

Go to Start Search, type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Right-click on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after:

cd\

mbr.exe -t


Then type exit and press Enter to close the command window.

The report created in the command window will have been saved to C:\mbr.log. Locate that and post it here please.

---------

If that fails, go here and download Mischel's MBR Backup to your desktop, then click MBRBackup.exe to start the utility.

Click Save MBR, and save that file to a location you can easily return to later. Then close MBR Backup.

(NB - the file is always prenamed MBR_year_month_day.bin - MBR_2011_05_27.bin for example)


Then just go here, press NEW TOPIC (right hand side, just at the top of the forum thread list), fill in the needed details and just give a link to your post back here (see the "Instructions for uploading files" there for help, if needed). Then press the browse button and then navigate to that saved MBR copy, and click that file to upload it.

You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.
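As an added example (not from this thread, and not code from GMER or MBR Backup), here is a small Python script that parses a raw 512-byte MBR image such as the MBR_YYYY_MM_DD.bin file MBR Backup saves, and compares two copies region by region, which is the same idea behind the "user & kernel MBR OK" verdict of mbr.exe. The layout offsets are the standard MBR format; the sample image and the function names are constructed for the example.

```python
"""Parse and compare raw 512-byte MBR images (e.g. MBR Backup's .bin file,
or a user-mode read next to a kernel-mode read of the same sector).
Added example; the layout constants follow the standard MBR format."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # boot code occupies bytes 0..439
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR
# entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(image: bytes) -> dict:
    """Split an MBR image into boot-code hash, partition entries and signature."""
    if len(image) != MBR_SIZE:
        raise ValueError(f"MBR image must be {MBR_SIZE} bytes, got {len(image)}")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, image, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                      # type 0 means an unused slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba_start,
                          "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(image[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": image[510:512] == BOOT_SIGNATURE}


def compare_mbr(a: bytes, b: bytes) -> list:
    """List the regions in which two images differ; an empty list means the
    boot code and partition table match and both carry a valid signature."""
    pa, pb = parse_mbr(a), parse_mbr(b)
    findings = []
    if not (pa["signature_ok"] and pb["signature_ok"]):
        findings.append("boot signature 0x55AA missing")
    if pa["boot_code_sha256"] != pb["boot_code_sha256"]:
        findings.append("boot code differs")
    if pa["partitions"] != pb["partitions"]:
        findings.append("partition table differs")
    return findings


def sample_mbr(boot_code_byte: int = 0x90) -> bytes:
    """Constructed sample (not a real disk): filler boot code plus one active
    NTFS (type 0x07) partition starting at LBA 2048 with 0x100000 sectors."""
    img = bytearray(MBR_SIZE)
    img[:BOOT_CODE_LEN] = bytes([boot_code_byte]) * BOOT_CODE_LEN
    struct.pack_into(ENTRY_FMT, img, PART_TABLE_OFF, 0x80, 0x07, 2048, 0x100000)
    img[510:512] = BOOT_SIGNATURE
    return bytes(img)
```

To check a saved backup against a fresh read, pass the two files' bytes to compare_mbr(); a changed boot-code hash with an unchanged partition table is the pattern a boot-sector overwrite leaves behind.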
Musicallyhopeless


« Reply #9 on: May 28, 2011, 09:49:38 PM »

Jintan,
This is the report from GMER's mbr.exe.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: Maxtor_6L300S0 rev.BACE1G20 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


Also, in spite of the Vista system restore to a previous point, the malware has come back in the form of fake antivirus and it will not allow any other windows to open.

Is there something else I could do? Perhaps it is the rootkit you mentioned.
Thank you for your attention.
Jintan
« Reply #10 on: May 29, 2011, 06:32:24 PM »

Sorry, but we need a real check of the MBR there, and that mbr.exe scan wasn't run correctly. The malware is being returned by the bootkit, as it redirects your surfing to bad sites. You do need to minimize the use of the computer until we get the malware removed.

Review and try the mbr.exe -t step again please. And also do the MBR Backup step.