
Hello all, 2 days ago my computer was infected by something called Windows Safe Mode. It tells me my RAM usage is maxed and one of my hard drives has failed. Also, after 15 minutes or so I will get 1 or 2 error messages and clicking anything on them causes my computer to shut down and restart. This seems to be fairly new as I haven't seen many reports about it. System Restore doesn't give me any restore points and Firefox gets redirected to a page asking me to purchase some software.

I've read another thread here and followed instructions given by Sam Chi but I'm still having problems. I was able to boot into Safe Mode with command prompt and open explorer and task manager, although I'm not sure why opening task manager was necessary. I believe my situation is a bit different from Sam's in that upon loading explorer.exe I would get error messages even in Safe Mode. (Ram usage is critical, hard drive has failed, etc.) I was able to find the folder location and delete all the files except the .dll file. When I restarted in safe mode the other files remained deleted but I was still unable to delete the .dll file. I'm unable to run a virus scan with Spybot and doing it in Safe Mode had no effect. When I started up in normal mode everything was back.

I have access to a clean computer and a USB stick. Any help would be appreciated, this thing is driving me up the wall!!!

Edit: I have access to a computer to post all day but I am only able to work on my computer after 9 EST due to work.


3 Contributors | 16 Replies | 17 Views | 6 Years Discussion Span | Last Post by PhilliePhan

Edit: I have access to a computer to post all day but I am only able to work on my computer after 9 EST due to work.

No worries - we're all volunteers with differing availability as well.

-- Can you open an elevated command prompt in Normal Windows Boot and type:
tasklist >>C:\Logit.txt ENTER and post the C:\Logit.txt

Note: tasklist <space> >>C:\Logit.txt

I'd like to see what the running processes are for this thing.


-- Are you able to run MBAM in Normal Windows Boot (or in Safe Mode, if Normal fails) as per the linky below? You'll need to be sure to update it before the scan and to Reboot after the scan.
http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

Let me know how it shakes out.

PP:)



Okay, wasn't able to run MBAM in normal but got it in Safe Mode. Here is what I was able to get.

This is what pops up after the computer has been on for 15 or so minutes:

Exception Processing Message 0x0000013 Parameters
0x000007FEFE037240 0x0000000000000004 0x000007FEFE037240
0x000007FEFE037240

Cancel Try Again Continue

If I leave it alone I'm ok but clicking on anything shuts the computer down.


Here is my Tasklist log:

*Note my C drive is named D

D:\Users\Matt>tasklist

Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 12 K
System 4 Services 0 704 K
smss.exe 284 Services 0 1,548 K
csrss.exe 392 Services 0 7,648 K
csrss.exe 468 Console 1 8,116 K
wininit.exe 476 Services 0 30,472 K
services.exe 516 Services 0 36,244 K
lsass.exe 532 Services 0 18,020 K
lsm.exe 540 Services 0 6,248 K
winlogon.exe 616 Console 1 32,244 K
svchost.exe 708 Services 0 37,632 K
svchost.exe 792 Services 0 4,868 K
svchost.exe 896 Services 0 12,388 K
svchost.exe 932 Services 0 50,104 K
svchost.exe 980 Services 0 58,628 K
audiodg.exe 1056 Services 0 13,256 K
svchost.exe 1124 Services 0 6,284 K
svchost.exe 1256 Services 0 8,356 K
AAWService.exe 1340 Services 0 48,904 K
spoolsv.exe 1444 Services 0 42,720 K
svchost.exe 1484 Services 0 7,188 K
taskhost.exe 1660 Console 1 14,580 K
AppleMobileDeviceService. 1760 Services 0 46,172 K
mDNSResponder.exe 1840 Services 0 27,296 K
svchost.exe 1884 Services 0 8,944 K
svchost.exe 1936 Services 0 3,496 K
sppsvc.exe 1880 Services 0 16,400 K
svchost.exe 2084 Services 0 3,492 K
unsecapp.exe 2148 Services 0 12,312 K
WmiPrvSE.exe 2320 Services 0 15,880 K
AAWTray.exe 2596 Console 1 1,580 K
dwm.exe 2720 Console 1 50,676 K
explorer.exe 2728 Console 1 124,792 K
106578.exe 2736 Console 1 79,064 K
GrooveMonitor.exe 2972 Console 1 40,288 K
CTHELPER.EXE 2984 Console 1 20,220 K
acrotray.exe 3044 Console 1 25,632 K
jusched.exe 3080 Console 1 29,132 K
iTunesHelper.exe 3104 Console 1 73,344 K
msiexec.exe 3356 Services 0 9,692 K
iPodService.exe 3524 Services 0 4,884 K
SearchIndexer.exe 3612 Services 0 12,492 K
svchost.exe 3820 Services 0 27,688 K
SearchProtocolHost.exe 3936 Console 1 4,628 K
wmpnetwk.exe 4060 Services 0 20,476 K
SSScheduler.exe 576 Console 1 2,708 K
ONENOTEM.EXE 784 Console 1 788 K
WmiPrvSE.exe 3168 Services 0 7,760 K
TrustedInstaller.exe 2180 Services 0 6,808 K
slui.exe 3892 Console 1 9,104 K
taskhost.exe 3340 Services 0 12,812 K
SearchFilterHost.exe 3496 Services 0 3,688 K
SearchProtocolHost.exe 168 Services 0 6,272 K
iexplore.exe 3872 Console 1 20,948 K
iexplore.exe 1216 Console 1 27,364 K
cmd.exe 3996 Console 1 4,316 K
conhost.exe 3980 Console 1 4,848 K
tasklist.exe 3828 Console 1 4,164 K


And here is my MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

3/8/2011 8:13:56 PM
MBAM log

Scan type: Full scan (C:\|D:\|)
Objects scanned: 311792
Time elapsed: 39 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
d:\Users\Matt\AppData\Local\Temp\0.3539384419420911.exe (Trojan.Dropper) -> No action taken.

Hope this answers some questions, thanks again for the help.

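As an added example, not code from the thread or from any of the tools mentioned in it, here is a small Python triage script for the tasklist listing PhilliePhan asked for above. It parses the listing in the whitespace-collapsed form in which it appears in the post (real tasklist output is fixed-width and parses the same way), flags any process whose image name is a bare number (106578.exe in this listing, 761750.exe on the next boot, so the check is on the shape of the name rather than on the literal name), and marks names that tasklist has cut at its 25-character Image Name column, as with "AppleMobileDeviceService." above. SAMPLE_TASKLIST is a constructed excerpt of the listing posted above.

```python
"""Triage a `tasklist` listing for random-numeric process names.

Added example, not code from the thread or from tasklist/MBAM themselves.
SAMPLE_TASKLIST is a constructed excerpt of the listing posted in the thread,
with column whitespace collapsed exactly as it appears there.
"""
import re

# <image name, may contain spaces> <PID> <session name> <session#> <mem> K
ROW = re.compile(
    r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<session>\S+)\s+(?P<sessnum>\d+)\s+(?P<mem>[\d,]+)\s*K$"
)

# Stem made only of digits: 106578.exe this boot, 761750.exe the next.
# Matching the shape is what survives the rename; a literal name does not.
NUMERIC_STEM = re.compile(r"^\d+\.(exe|com|scr|pif|bat)$", re.IGNORECASE)

# tasklist's Image Name column is 25 characters wide; longer names are cut.
IMAGE_NAME_WIDTH = 25

SAMPLE_TASKLIST = """
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 12 K
System 4 Services 0 704 K
csrss.exe 468 Console 1 8,116 K
svchost.exe 708 Services 0 37,632 K
AppleMobileDeviceService. 1760 Services 0 46,172 K
explorer.exe 2728 Console 1 124,792 K
106578.exe 2736 Console 1 79,064 K
iTunesHelper.exe 3104 Console 1 73,344 K
cmd.exe 3996 Console 1 4,316 K
tasklist.exe 3828 Console 1 4,164 K
"""


def parse_tasklist(text):
    """Turn tasklist output into a list of dicts; header and rule lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        name = m["name"]
        procs.append({
            "name": name,
            "pid": int(m["pid"]),
            "session": m["session"],          # Services (session 0) or Console (user desktop)
            "mem_kb": int(m["mem"].replace(",", "")),
            "truncated": len(name) >= IMAGE_NAME_WIDTH,
        })
    return procs


def suspicious(procs):
    """Processes on the user's desktop session whose image name is just a number."""
    return [p for p in procs
            if p["session"] == "Console" and NUMERIC_STEM.match(p["name"])]


if __name__ == "__main__":
    procs = parse_tasklist(SAMPLE_TASKLIST)
    for p in suspicious(procs):
        print(f"suspicious: {p['name']} (PID {p['pid']}, {p['mem_kb']} KB)")
    for p in procs:
        if p["truncated"]:
            print(f"name cut by tasklist, verify manually: {p['name']}")
```

tasklist does not show where the image lives, so a flagged name still has to be located before it is killed or deleted; on the same machine `wmic process where "name='106578.exe'" get ExecutablePath` prints the full path of the running copy, which is the folder (here under ProgramData) that needs cleaning.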


Hope this helps, thanks again for the help.

That'll work.

Open Task Manager and kill 106578.exe

Then see if MBAM will run in Normal Windows Boot. If not, run it in safe mode and have it fix what it finds. Be sure to click the Update tab and update it to latest definitions (if possible).

Have it remove the baddies it finds and then post that log for me and we'll go from there.

PP:)


There wasn't a 106578.exe in the task manager but there was a 761750.exe that I killed. It removed the 'Windows Safe Mode' window but the error messages remained. I was able to update MBAM and run a quick scan in normal.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5995

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

3/8/2011 9:00:19 PM
mbam-log-2011-03-08 (21-00-19).txt

Scan type: Quick scan
Objects scanned: 155840
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I restarted into Safe Mode with command prompt and am ready for the next step.


There wasn't a 106578.exe in the task manager but there was a 761750.exe that I killed. It removed the 'Windows Safe Mode' window but the error messages remained. I was able to update MBAM and run a quick scan in normal.

OK - obviously it's going to be switching random names on us. That can make the manual removal difficult.
Interesting that MBAM didn't flag it on second run.

Anyhoo, before we have to resort to manual removal, let's try this:

Please follow the instructions in the link below to download Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to svchost.com and then download it to your Desktop as that and then follow the instructions in the linky very carefully to run it and post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Once svchost.com is on the Desktop, close all programs and browsers and Click START --> RUN --> and enter the following command exactly as shown to start combofix:

"%userprofile%\desktop\svchost.com" /killall

Note: "%userprofile%\desktop\svchost.com" <space> /killall

Now, we want to do this in Normal Windows Boot, if possible. Kill the random.exe in task manager first, if necessary.

-- Let combofix run and please post me the log.

Let me know if you run into trouble along the way. I'll try to check back later tonight, if possible.

PP:)


I couldn't get it to run using the instructions you gave however, I do have some updates.

When I tried to run it the first time I messed up and named it svchost without the .com at the end. When I put in "%userprofile%\desktop\svchost.com" /killall it couldn't find the file and I changed .com to .exe. I got an error and my machine shut down. However, on restarting my computer the virus didn't pop up and I was able to go into my ProgramData folder and delete all the files related to the virus. This includes the .dll file that I wasn't able to delete before.

I'm still unable to use the internet as Firefox redirects me to a bogus page soliciting software. However, everything else seems to be working as normal and the virus files haven't shown back up. I ran combofix normally and have a log for you:


ComboFix 11-03-08.03 - Matt 03/08/2011 22:42:05.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.1219 [GMT -6:00]
Running from: d:\users\Matt\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\program files\Quicktime\QTTask.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 )))))))))))))))))))))))))))))))
.
.
2011-03-09 05:03 . 2011-03-09 05:04 -------- d-----w- d:\users\Matt\AppData\Local\temp
2011-03-09 05:03 . 2011-03-09 05:03 -------- d-----w- d:\users\Default\AppData\Local\temp
2011-03-09 04:34 . 2011-03-09 04:34 -------- d--h--w- d:\windows\PIF
2011-03-09 01:33 . 2011-03-09 01:33 -------- d-----w- d:\users\Matt\AppData\Roaming\Malwarebytes
2011-03-09 01:33 . 2010-12-21 00:09 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2011-03-09 01:33 . 2011-03-09 01:33 -------- d-----w- d:\programdata\Malwarebytes
2011-03-09 01:33 . 2011-03-09 01:33 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2011-03-08 05:05 . 2011-03-08 05:05 -------- d-sh--w- d:\windows\system32\%APPDATA%
2011-02-13 09:55 . 2011-01-13 09:41 5890896 ----a-w- d:\programdata\Microsoft\Windows Defender\Definition Updates\{54B5BF44-89EA-4C2F-8055-538E91A00909}\mpengine.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-25 16:23 . 2010-12-25 16:21 967 ----a-w- d:\windows\ScUnin.pif
2010-12-25 16:23 . 2010-12-25 16:21 94208 ----a-w- d:\windows\ScUnin.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2002-01-14 61440]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="d:\windows\READREG" [X]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 24576]
"UpdReg"="d:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="d:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"Acrobat Assistant 8.0"="d:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
d:\users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - d:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
d:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - d:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-8-25 295606]
Adobe Acrobat Synchronizer.lnk - d:\program files\Adobe\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-22 734872]
McAfee Security Scan Plus.lnk - d:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
R2 .1250113864;1250113864;d:\program files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360\562C4DD5\3.0.0.135\bntr1250113864.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - d:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\qt8bj7ia.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - d:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - d:\users\Matt\AppData\Roaming\Move Networks
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-QuickTime Task - d:\program files\QuickTime\QTTask.exe
AddRemove-Nero8Lite_is1 - d:\program files\Nero\unins000.exe
AddRemove-Spybot - Search & Destroy_is1 - d:\spybot - search & destroy\unins000.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MSSYCLM]
@Denied: (B C D 1 2 3 4 5 6) (LocalSystem)
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-03-08 23:08:56
ComboFix-quarantined-files.txt 2011-03-09 05:08
.
Pre-Run: 6,869,360,640 bytes free
Post-Run: 7,000,076,288 bytes free
.
- - End Of File - - CD7D819AA21EF9FF10E29B6C3C95AF66


Thanks again for all the help, I think we're making progress.



Thanks again for all the help, I think we're making progress.

Happy to help :)

But, these are some odd looking logs - not seeing what I'd expect to see...
It's odd that we didn't need to run RKILL beforehand. You are able to run the tools with no issues.
Plus, MBAM should remove all of this.

Let's remove Combofix:
-- First, change the name of Combofix back to Combofix.exe

• Click Start > Run
• Type or Copy&Paste ComboFix /Uninstall into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

THEN:
Please update MBAM and run the Full Scan in Normal Windows Boot and post the log. Let's see what the Full Scan finds.

Then, after a reboot, please download OTL.exe to the Desktop.
-- Run it and click Scan All Users and then hit Quick Scan and post me the TWO resulting logs.
I'd like to get better picture of the machine - hopefully this will do it...

With any luck, I'll be back this evening.

Cheers :)
PP


Alright, just got back from work and got those done. I haven't had the 'Windows Safe Mode' window pop up anymore but I have had what seems to be another piece of malware pop up. I ran uninstall for Combofix then ran a full scan for MBAM.

Here's the log:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5995

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

3/9/2011 9:08:59 PM
mbam-log-2011-03-09 (21-08-59).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 317593
Time elapsed: 55 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\gewxgnem (Trojan.FakeAlert.Gen) -> Value: gewxgnem -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
d:\Users\Matt\AppData\LocalLow\Sun\Java\deployment\cache\6.0\58\235dcafa-43abd2bf (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
d:\Users\Matt\AppData\Local\temp\0.36322290255828693.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
d:\Users\Matt\AppData\Local\temp\rnjvdvujk\mromqysjfdi.exe (Trojan.FakeAlert.Gen) -> Delete on reboot.


And the OTL log:


OTL logfile created on: 3/9/2011 9:13:28 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = D:\Users\Matt\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 61.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\Windows | %ProgramFiles% = D:\Program Files
Drive C: | 12.11 Gb Total Space | 2.94 Gb Free Space | 24.26% Space Free | Partition Type: NTFS
Drive D: | 74.52 Gb Total Space | 6.67 Gb Free Space | 8.96% Space Free | Partition Type: NTFS
Drive F: | 3.73 Gb Total Space | 3.71 Gb Free Space | 99.56% Space Free | Partition Type: FAT32

Computer Name: MATT-PC | User Name: Matt | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/09 20:48:46 | 000,580,608 | ---- | M] (OldTimer Tools) -- D:\Users\Matt\Desktop\OTL.exe
PRC - [2011/03/01 04:19:25 | 001,405,384 | ---- | M] (Lavasoft Limited) -- D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2011/02/08 06:55:04 | 000,939,848 | ---- | M] (Lavasoft Limited) -- D:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/01/15 06:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- D:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2009/10/30 23:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- D:\Windows\explorer.exe
PRC - [2009/07/13 19:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- D:\Windows\System32\taskhost.exe
PRC - [2006/10/22 21:24:02 | 000,620,152 | ---- | M] (Adobe Systems Inc.) -- D:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
PRC - [2002/07/02 15:56:00 | 000,024,576 | ---- | M] (Creative Technology Ltd) -- D:\Windows\System32\CTHELPER.EXE


========== Modules (SafeList) ==========

MOD - [2011/03/09 20:48:46 | 000,580,608 | ---- | M] (OldTimer Tools) -- D:\Users\Matt\Desktop\OTL.exe
MOD - [2010/08/20 23:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- D:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (.1250113864)
SRV - [2011/03/01 04:19:25 | 001,405,384 | ---- | M] (Lavasoft Limited) [Auto | Running] -- D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/03/10 02:01:00 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- D:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/01/15 06:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- D:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/09/09 18:11:13 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/07/13 19:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- D:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 19:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- D:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 19:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- D:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/03/20 14:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- D:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)


========== Driver Services (SafeList) ==========

DRV - [2011/02/04 08:27:14 | 000,015,232 | ---- | M] () [Kernel | On_Demand | Stopped] -- D:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2010/08/22 19:33:15 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- D:\Windows\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/07/13 19:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/13 19:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- D:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/13 19:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/13 17:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/13 17:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/13 17:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/13 16:09:17 | 004,194,816 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- D:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2009/05/21 16:24:44 | 000,021,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\dc3d.sys -- (dc3d) MS Hardware Device Detection Driver (HID)
DRV - [2009/02/26 08:11:02 | 000,299,520 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\netr70.sys -- (rt70x86)
DRV - [2007/06/28 05:18:10 | 001,310,720 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- D:\Windows\System32\drivers\CM108.sys -- (USBPNPA)
DRV - [2005/06/24 16:36:16 | 000,039,036 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2005/05/26 09:01:36 | 000,038,144 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\lgusbdiag.sys -- (UsbDiag)
DRV - [2005/05/26 09:01:18 | 000,021,344 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2002/07/24 11:52:26 | 000,998,004 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- D:\Windows\System32\drivers\HA10KX2K.SYS -- (ha10kx2k)
DRV - [2002/07/19 08:48:32 | 000,156,604 | ---- | M] (Creative Technology Ltd) [Kernel | Unknown | Stopped] -- D:\Windows\System32\drivers\emupia2k.sys -- (emupia)
DRV - [2002/07/19 08:48:22 | 000,213,860 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2002/07/19 08:48:08 | 000,011,068 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2002/07/19 08:48:04 | 000,195,432 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- D:\Windows\System32\drivers\CTOSS2K.SYS -- (ossrv)
DRV - [2002/07/19 08:47:52 | 000,837,548 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- D:\Windows\System32\drivers\CTAUD2K.SYS -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2002/07/19 08:46:28 | 000,127,948 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\ctac32k.sys -- (ctac32k)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2526936241-2825536731-3168407100-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-2526936241-2825536731-3168407100-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BA DA B0 70 F7 DD CB 01 [binary data]
IE - HKU\S-1-5-21-2526936241-2825536731-3168407100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-2526936241-2825536731-3168407100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.%(version)s

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: D:\Program Files\Mozilla Firefox\components [2011/03/05 21:24:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: D:\Program Files\Mozilla Firefox\plugins [2011/03/05 21:24:49 | 000,000,000 | ---D | M]

[2009/08/12 20:30:56 | 000,000,000 | ---D | M] (No name found) -- D:\Users\Matt\AppData\Roaming\Mozilla\Extensions
[2011/02/27 10:24:35 | 000,000,000 | ---D | M] (No name found) -- D:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\qt8bj7ia.default\extensions
[2011/03/06 10:56:20 | 000,000,000 | ---D | M] (No name found) -- D:\Program Files\Mozilla Firefox\extensions
[2010/01/03 18:27:00 | 000,000,000 | ---D | M] (Move Media Player) -- D:\USERS\MATT\APPDATA\ROAMING\MOVE NETWORKS

O1 HOSTS File: ([2011/03/08 23:04:38 | 000,000,027 | ---- | M]) - D:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - File not found
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - File not found
O3 - HKU\S-1-5-21-2526936241-2825536731-3168407100-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] D:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] D:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [DevconDefaultDB] D:\Windows\READREG.exe (Creative Technology Limited)
O4 - HKLM..\Run: [Jet Detection] D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe ()
O4 - HKLM..\Run: [UpdReg] D:\Windows\Updreg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [WINDVDPatch] File not found
O4 - HKU\S-1-5-21-2526936241-2825536731-3168407100-1000..\Run: [SetDefaultMIDI] D:\Windows\MIDIDEF.EXE (Creative Technology Ltd)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2526936241-2825536731-3168407100-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2526936241-2825536731-3168407100-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2526936241-2825536731-3168407100-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2526936241-2825536731-3168407100-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoChangeStartMenu = 0
O7 - HKU\S-1-5-21-2526936241-2825536731-3168407100-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O7 - HKU\S-1-5-21-2526936241-2825536731-3168407100-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - D:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - D:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 15:42:20 | 000,000,024 | ---- | M] () - D:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - D:\Windows\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/09 21:13:00 | 000,580,608 | ---- | C] (OldTimer Tools) -- D:\Users\Matt\Desktop\OTL.exe
[2011/03/08 23:09:03 | 000,000,000 | -HSD | C] -- D:\$RECYCLE.BIN
[2011/03/08 23:08:59 | 000,000,000 | ---D | C] -- D:\Users\Matt\AppData\Local\temp
[2011/03/08 23:03:59 | 000,000,000 | ---D | C] -- D:\Windows\temp
[2011/03/08 22:39:27 | 000,000,000 | ---D | C] -- D:\Windows\ERDNT
[2011/03/08 22:34:39 | 000,000,000 | -H-D | C] -- D:\Windows\PIF
[2011/03/08 19:33:35 | 000,000,000 | ---D | C] -- D:\Users\Matt\AppData\Roaming\Malwarebytes
[2011/03/08 19:33:31 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- D:\Windows\System32\drivers\mbamswissarmy.sys
[2011/03/08 19:33:31 | 000,000,000 | ---D | C] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/03/08 19:33:30 | 000,000,000 | ---D | C] -- D:\ProgramData\Malwarebytes
[2011/03/08 19:33:27 | 000,000,000 | ---D | C] -- D:\Program Files\Malwarebytes' Anti-Malware
[2011/03/08 19:33:12 | 007,734,240 | ---- | C] (Malwarebytes Corporation ) -- D:\Users\Matt\Desktop\mbam-setup (1).exe
[2011/03/08 19:25:11 | 000,000,000 | ---D | C] -- D:\Users\Matt\Desktop\Malwarebytes' Anti-Malware
[2011/03/07 23:05:44 | 000,000,000 | -HSD | C] -- D:\Windows\System32\%APPDATA%
[2011/03/07 22:18:40 | 000,000,000 | ---D | C] -- D:\Users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Safemode
[2011/03/06 13:25:30 | 000,000,000 | ---D | C] -- D:\Users\Matt\Documents\Dean Owen Cpa
[2009/08/12 18:14:10 | 000,065,536 | ---- | C] ( ) -- D:\Windows\System32\A3D.DLL

========== Files - Modified Within 30 Days ==========

[2011/03/09 21:16:15 | 000,618,026 | ---- | M] () -- D:\Windows\System32\perfh009.dat
[2011/03/09 21:16:15 | 000,104,340 | ---- | M] () -- D:\Windows\System32\perfc009.dat
[2011/03/09 21:10:38 | 000,067,584 | --S- | M] () -- D:\Windows\bootstat.dat
[2011/03/09 21:10:33 | 1609,670,656 | -HS- | M] () -- D:\hiberfil.sys
[2011/03/09 21:09:58 | 000,015,744 | ---- | M] () -- D:\Windows\System32\BMXCtrlState-{00000002-00000000-00000009-00001102-00000002-80401102}.rfx
[2011/03/09 21:09:58 | 000,015,744 | ---- | M] () -- D:\Windows\System32\BMXBkpCtrlState-{00000002-00000000-00000009-00001102-00000002-80401102}.rfx
[2011/03/09 21:09:58 | 000,000,024 | ---- | M] () -- D:\Windows\System32\DVCStateBkp-{00000002-00000000-00000009-00001102-00000002-80401102}.dat
[2011/03/09 21:09:58 | 000,000,024 | ---- | M] () -- D:\Windows\System32\DVCState-{00000002-00000000-00000009-00001102-00000002-80401102}.dat
[2011/03/09 21:09:47 | 000,014,224 | -H-- | M] () -- D:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/03/09 21:09:47 | 000,014,224 | -H-- | M] () -- D:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/03/09 21:08:53 | 000,001,425 | ---- | M] () -- D:\Users\Matt\Desktop\MBAM Log march 9
[2011/03/09 20:48:46 | 000,580,608 | ---- | M] (OldTimer Tools) -- D:\Users\Matt\Desktop\OTL.exe
[2011/03/08 23:04:38 | 000,000,027 | ---- | M] () -- D:\Windows\System32\drivers\etc\hosts
[2011/03/08 20:13:56 | 000,001,410 | ---- | M] () -- D:\Users\Matt\Desktop\MBAM log
[2011/03/08 19:33:31 | 000,001,071 | ---- | M] () -- D:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/08 18:56:38 | 007,734,240 | ---- | M] (Malwarebytes Corporation ) -- D:\Users\Matt\Desktop\mbam-setup (1).exe
[2011/03/07 22:18:41 | 000,000,612 | ---- | M] () -- D:\Users\Matt\Desktop\Windows Safemode.lnk
[2011/02/26 19:46:21 | 000,001,989 | ---- | M] () -- D:\Users\Public\Desktop\Adobe Reader X.lnk
[2011/02/09 20:42:32 | 002,529,872 | ---- | M] () -- D:\Windows\System32\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2011/03/09 21:08:53 | 000,001,425 | ---- | C] () -- D:\Users\Matt\Desktop\MBAM Log march 9
[2011/03/08 20:13:56 | 000,001,410 | ---- | C] () -- D:\Users\Matt\Desktop\MBAM log
[2011/03/08 19:33:31 | 000,001,071 | ---- | C] () -- D:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/07 22:18:41 | 000,000,612 | ---- | C] () -- D:\Users\Matt\Desktop\Windows Safemode.lnk
[2011/02/26 19:46:21 | 000,001,989 | ---- | C] () -- D:\Users\Public\Desktop\Adobe Reader X.lnk
[2011/02/26 19:46:20 | 000,002,441 | ---- | C] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2010/12/25 10:21:24 | 000,032,829 | ---- | C] () -- D:\Windows\scunin.dat
[2010/08/22 22:08:39 | 000,015,880 | ---- | C] () -- D:\Windows\System32\lsdelete.exe
[2010/02/25 18:00:48 | 000,000,044 | ---- | C] () -- D:\Windows\System32\msssc.dll
[2009/08/29 18:44:39 | 000,000,262 | ---- | C] () -- D:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/08/25 09:49:24 | 002,463,976 | ---- | C] () -- D:\Windows\System32\NPSWF32.dll
[2009/08/12 20:30:49 | 000,000,000 | ---- | C] () -- D:\Windows\nsreg.dat
[2009/08/12 18:28:53 | 000,000,024 | ---- | C] () -- D:\Windows\System32\DVCStateBkp-{00000002-00000000-00000009-00001102-00000002-80401102}.dat
[2009/08/12 18:28:53 | 000,000,024 | ---- | C] () -- D:\Windows\System32\DVCState-{00000002-00000000-00000009-00001102-00000002-80401102}.dat
[2009/08/12 18:14:48 | 000,000,128 | ---- | C] () -- D:\Windows\SBWIN.INI
[2009/08/12 18:14:47 | 000,000,231 | ---- | C] () -- D:\Windows\AC3API.INI
[2009/08/12 18:14:45 | 001,048,576 | ---- | C] () -- D:\Windows\System32\SFMAN.DAT
[2009/08/12 18:14:14 | 000,037,727 | ---- | C] () -- D:\Windows\System32\Emu10kx.ini
[2009/08/12 18:14:14 | 000,000,029 | ---- | C] () -- D:\Windows\System32\ctzapxx.ini
[2009/08/12 18:14:12 | 000,179,669 | ---- | C] () -- D:\Windows\System32\CTSTATIC.DAT
[2009/08/12 18:14:12 | 000,164,044 | ---- | C] () -- D:\Windows\System32\CTDLANG.DAT
[2009/08/12 18:14:12 | 000,113,373 | ---- | C] () -- D:\Windows\System32\CTBASICW.DAT
[2009/08/12 18:14:12 | 000,113,273 | ---- | C] () -- D:\Windows\System32\CTBAS2W.DAT
[2009/08/12 18:14:12 | 000,044,055 | ---- | C] () -- D:\Windows\System32\CTDAUGHT.DAT
[2009/08/12 18:14:11 | 000,184,320 | ---- | C] () -- D:\Windows\PSCONV.EXE
[2009/08/12 18:14:11 | 000,049,152 | ---- | C] () -- D:\Windows\System32\KILLAPPS.EXE
[2009/08/12 18:14:11 | 000,036,864 | ---- | C] () -- D:\Windows\System32\REGPLIB.EXE
[2009/08/12 18:14:11 | 000,000,180 | ---- | C] () -- D:\Windows\System32\KILL.INI
[2009/08/12 12:02:10 | 000,000,000 | ---- | C] () -- D:\Windows\ativpsrm.bin
[2009/08/12 12:02:10 | 000,000,000 | ---- | C] () -- D:\Windows\System32\atiicdxx.dat
[2009/08/12 11:58:13 | 002,529,872 | ---- | C] () -- D:\Windows\System32\FNTCACHE.DAT
[2009/08/03 13:07:42 | 000,403,816 | ---- | C] () -- D:\Windows\System32\OGACheckControl.dll
[2009/08/03 13:07:42 | 000,230,768 | ---- | C] () -- D:\Windows\System32\OGAEXEC.exe
[2009/07/13 22:57:37 | 000,067,584 | --S- | C] () -- D:\Windows\bootstat.dat
[2009/07/13 20:05:48 | 000,618,026 | ---- | C] () -- D:\Windows\System32\perfh009.dat
[2009/07/13 20:05:48 | 000,291,294 | ---- | C] () -- D:\Windows\System32\perfi009.dat
[2009/07/13 20:05:48 | 000,104,340 | ---- | C] () -- D:\Windows\System32\perfc009.dat
[2009/07/13 20:05:48 | 000,031,548 | ---- | C] () -- D:\Windows\System32\perfd009.dat
[2009/07/13 20:05:05 | 000,000,741 | ---- | C] () -- D:\Windows\System32\NOISE.DAT
[2009/07/13 20:04:11 | 000,215,943 | ---- | C] () -- D:\Windows\System32\dssec.dat
[2009/07/13 18:19:49 | 000,066,048 | ---- | C] () -- D:\Windows\System32\PrintBrmUi.exe
[2009/07/13 17:55:01 | 000,043,131 | ---- | C] () -- D:\Windows\mib.bin
[2009/07/13 17:51:43 | 000,073,728 | ---- | C] () -- D:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 17:42:10 | 000,064,000 | ---- | C] () -- D:\Windows\System32\BWContextHandler.dll
[2009/06/10 15:26:10 | 000,673,088 | ---- | C] () -- D:\Windows\System32\mlang.dat

========== LOP Check ==========

[2009/09/09 18:33:32 | 000,000,000 | ---D | M] -- D:\Users\Matt\AppData\Roaming\com.adobe.ExMan
[2011/02/27 10:22:01 | 000,032,570 | ---- | M] () -- D:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

< End of report >


And the OTL extras:


OTL Extras logfile created on: 3/9/2011 9:13:28 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = D:\Users\Matt\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 61.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\Windows | %ProgramFiles% = D:\Program Files
Drive C: | 12.11 Gb Total Space | 2.94 Gb Free Space | 24.26% Space Free | Partition Type: NTFS
Drive D: | 74.52 Gb Total Space | 6.67 Gb Free Space | 8.96% Space Free | Partition Type: NTFS
Drive F: | 3.73 Gb Total Space | 3.71 Gb Free Space | 99.56% Space Free | Partition Type: FAT32

Computer Name: MATT-PC | User Name: Matt | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- D:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- D:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome

[HKEY_USERS\S-1-5-21-2526936241-2825536731-3168407100-1000\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{1D58229F-C505-45CA-8223-F35F3A34B963}" = Adobe Version Cue CS3 Server
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{222421DC-CAEB-42EC-AF15-09A39AA5C94D}" = Adobe Creative Suite 3 Design Standard
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java(TM) 6 Update 15
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3FCAADB8-EB1B-11D6-AB2D-0090271A23A2}" = Sound Blaster Live! Web 2K/XP
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files
"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{881F5DE8-9367-4B81-A325-E91BBC6472F9}" = iTunes
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3
"{B7F560B3-6EFF-4026-A982-843895A41149}" = Adobe BridgeTalk Plugin CS3
"{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}" = Adobe Flash Player 9 ActiveX
"{C0E5147E-C9F3-4360-9ED0-2E875F11766C}" = Respondus LockDown Browser
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{CB3F8375-B600-4B9F-83C9-238ED1E583FD}" = Adobe InDesign CS3
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{D4DBF0C9-E294-4C01-A205-73B8ED947D50}" = Adobe Setup
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F08E8D2E-F132-4742-9C87-D5FF223A016A}" = Adobe Illustrator CS3
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6333AB7-7C1F-4817-9805-40E048F95C7B}_is1" = AdvancedDefrag 3.0
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe_0e772471f6aed60c960ed52600a76bd" = Add or Remove Adobe Creative Suite 3 Design Standard
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"Combined Community Codec Pack BETA_is1" = Combined Community Codec Pack BETA 2009-06-18
"ENTERPRISE" = Microsoft Office Enterprise 2007
"EVEREST Ultimate Edition_is1" = EVEREST Ultimate Edition v5.02
"HashTab" = HashTab 3.0.0
"Magic ISO Maker v5.5 (build 0261)" = Magic ISO Maker v5.5 (build 0261)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Security Scan" = McAfee Security Scan Plus
"Mozilla Firefox (3.6.15)" = Mozilla Firefox (3.6.15)
"Starcraft" = Starcraft
"StarCraft II" = StarCraft II
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"World of Warcraft" = World of Warcraft

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2526936241-2825536731-3168407100-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/5/2011 11:24:38 PM | Computer Name = Matt-PC | Source = MsiInstaller | ID = 11706
Description =

Error - 3/6/2011 5:47:01 PM | Computer Name = Matt-PC | Source = Application Error | ID = 1000
Description = Faulting application name: AcroRd32.exe, version: 10.0.1.434, time
stamp: 0x4d456f48 Faulting module name: AGM.dll, version: 4.21.17.1, time stamp:
0x4d457d62 Exception code: 0xc0000005 Fault offset: 0x000362be Faulting process id:
0x7f8 Faulting application start time: 0x01cbdc32d11cc78c Faulting application path:
D:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe Faulting module path: D:\Program
Files\Adobe\Reader 10.0\Reader\AGM.dll Report Id: 4427cd57-483b-11e0-97b5-000ea6460867

Error - 3/6/2011 7:47:43 PM | Computer Name = Matt-PC | Source = Application Error | ID = 1000
Description = Faulting application name: AcroRd32.exe, version: 10.0.1.434, time
stamp: 0x4d456f48 Faulting module name: AGM.dll, version: 4.21.17.1, time stamp:
0x4d457d62 Exception code: 0xc0000005 Fault offset: 0x000362be Faulting process id:
0x92c Faulting application start time: 0x01cbdc4835988dc0 Faulting application path:
D:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe Faulting module path: D:\Program
Files\Adobe\Reader 10.0\Reader\AGM.dll Report Id: 2091ab3f-484c-11e0-97b5-000ea6460867

Error - 3/6/2011 8:35:43 PM | Computer Name = Matt-PC | Source = MsiInstaller | ID = 11706
Description =

Error - 3/6/2011 8:46:54 PM | Computer Name = Matt-PC | Source = MsiInstaller | ID = 11706
Description =

Error - 3/6/2011 9:18:47 PM | Computer Name = Matt-PC | Source = MsiInstaller | ID = 11706
Description =

Error - 3/7/2011 12:18:38 AM | Computer Name = Matt-PC | Source = MsiInstaller | ID = 11706
Description =

Error - 3/7/2011 11:26:17 PM | Computer Name = Matt-PC | Source = MsiInstaller | ID = 11706
Description =

Error - 3/7/2011 11:32:53 PM | Computer Name = Matt-PC | Source = MsiInstaller | ID = 11706
Description =

Error - 3/7/2011 11:43:02 PM | Computer Name = Matt-PC | Source = MsiInstaller | ID = 11706
Description =

[ OSession Events ]
Error - 9/3/2009 1:22:33 PM | Computer Name = Matt-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 21
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/3/2009 1:23:16 PM | Computer Name = Matt-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 6
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/13/2009 10:56:35 PM | Computer Name = Matt-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1463
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/15/2009 10:05:29 PM | Computer Name = Matt-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 9
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/15/2009 10:05:44 PM | Computer Name = Matt-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 8
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 3/9/2011 1:08:41 AM | Computer Name = Matt-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\DR0.

Error - 3/9/2011 1:08:41 AM | Computer Name = Matt-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\DR0.

Error - 3/9/2011 1:08:41 AM | Computer Name = Matt-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\DR0.

Error - 3/9/2011 1:08:41 AM | Computer Name = Matt-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\DR0.

Error - 3/9/2011 10:01:41 PM | Computer Name = Matt-PC | Source = Microsoft-Windows-Kernel-Processor-Power | ID = 6
Description = Some processor performance power management features have been disabled
due to a known firmware problem. Check with the computer manufacturer for updated
firmware.

Error - 3/9/2011 10:01:59 PM | Computer Name = Matt-PC | Source = Service Control Manager | ID = 7000
Description = The 1250113864 service failed to start due to the following error:
%%2

Error - 3/9/2011 10:01:59 PM | Computer Name = Matt-PC | Source = Service Control Manager | ID = 7000
Description = The adfs service failed to start due to the following error: %%2

Error - 3/9/2011 11:10:29 PM | Computer Name = Matt-PC | Source = Microsoft-Windows-Kernel-Processor-Power | ID = 6
Description = Some processor performance power management features have been disabled
due to a known firmware problem. Check with the computer manufacturer for updated
firmware.

Error - 3/9/2011 11:10:46 PM | Computer Name = Matt-PC | Source = Service Control Manager | ID = 7000
Description = The 1250113864 service failed to start due to the following error:
%%2

Error - 3/9/2011 11:10:46 PM | Computer Name = Matt-PC | Source = Service Control Manager | ID = 7000
Description = The adfs service failed to start due to the following error: %%2


< End of report >


Thanks again.

0

Alright, just got back from work and got those done. I haven't had the Windows Safe Mode window pop up anymore, but I have had what seems to be another piece of malware pop up.

Just rolled in myself - What new malware do you suspect?

I am heading right back out the door, but gave the logs a quick glance and did not see much. I am not as up to date on Windows 7 as I probably should be, so I'm not going to mess with stuff I am not sure of.


As for the rest, fire up OTL.exe again and copy and paste all of the text in Red into the Custom Scans/Fixes Box:

:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - File not found
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - File not found
O4 - HKLM..\Run: [WINDVDPatch] File not found
[2011/03/07 22:18:40 | 000,000,000 | ---D | C] -- D:\Users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Safemode
[2011/03/07 22:18:41 | 000,000,612 | ---- | C] () -- D:\Users\Matt\Desktop\Windows Safemode.lnk
:commands
[EMPTYTEMP]

-- Click Run Fix and let it run.
-- OTL should force a reboot of your compy. If it doesn't, Reboot the machine manually.
-- Please post the Fix Log for me and let me know what that malware is that you suspect.

-- You also need to Uninstall all your old versions of Java (security risk) and install the latest version from here:
http://www.java.com/getjava/
You should probably make sure Adobe is up to date as well.

I'll be back late tonight or Thursday evening.

Cheers :)
PP

0

Ok, here's the OTL log I ran. I'm in the process of updating Java and Adobe right now. Not sure what the other malware was called. It was of the same variety as the Safe Mode virus: run this scan, buy this software, etc. I'm going to run MBAM after I finish with Adobe and Java and see if it finds anything. Hopefully this log tells you what you need to know.

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AE7CD045-E861-484f-8273-0445EE161910}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\WINDVDPatch deleted successfully.
D:\Users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Safemode folder moved successfully.
D:\Users\Matt\Desktop\Windows Safemode.lnk moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Matt
->Temp folder emptied: 254252 bytes
->Temporary Internet Files folder emptied: 50398481 bytes
->Java cache emptied: 44853631 bytes
->FireFox cache emptied: 112715866 bytes
->Flash cache emptied: 180730 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 844 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 199.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 03102011_203441

Files\Folders moved on Reboot...
D:\Users\Matt\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

0

...It was of the same variety as the Safe Mode virus, run this scan buy this software etc. I'm going to run MBAM after I finish with Adobe and Java and see if it finds anything...

OK - Be sure to (always) Update MBAM before running it so it has up to date definitions.

-- I did not see anything in the previous logs that jumped out at me. What product does it try to foist on you?
Hopefully there's no rootkit involved.... Try running the GMER scans from the "Read Me First" sticky post and post those for me.

PP:)

0

Everything seems to be ok for the most part. MBAM showed no other viruses, Ad-Aware found a few cookies but nothing else. The only problem I'm having now is using Google. If I search something and click on the link I get this:

404 Not Found
nginx/0.7.63

But if I copy and paste the link it works fine, that one's got me perplexed. Anyways, here are the two GMER logs:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-03-10 22:43:08
Windows 6.1.7600 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-1 WDC_AC313000R rev.15.01J55
Running: 6mkpxibb.exe; Driver: D:\Users\Matt\AppData\Local\Temp\kxldypow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

---- Threads - GMER 1.0.15 ----

Thread System [4:252] 85A48E84
Thread System [4:256] 85A4B084

---- EOF - GMER 1.0.15 ----


And the 2nd log:


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-10 23:07:08
Windows 6.1.7600 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-1 WDC_AC313000R rev.15.01J55
Running: 6mkpxibb.exe; Driver: D:\Users\Matt\AppData\Local\Temp\kxldypow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004b halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:252] 85A48E84
Thread System [4:256] 85A4B084

---- EOF - GMER 1.0.15 ----


Once again, can't thank you enough for the help.

0

Once again, can't thank you enough for the help.

You're welcome - Happy to help :)

But, I am a bit flummoxed. I don't see anything in the logs....

Your google is not being redirected. Rather you're getting the 404 which doesn't make any sense.
Maybe I am missing something.

-- Can you open D:\Windows\System32\drivers\etc\hosts with notepad and post the contents?

PP:)

0

This is all it showed:

127.0.0.1 localhost

I'm getting really confused. I was playing WoW for a bit tonight and it seemed to work alright except a bit slow. The only thing was after an hour I got booted and got this error:

World of WarCraft: Retail Build (build 13623)

Exe: D:\World of Warcraft\WoW.exe
Time: Mar 12, 2011 9:37:29.038 PM
User: Matt
Computer: MATT-PC
------------------------------------------------------------------------------

This application has encountered a critical error:

ERROR #132 (0x85100084) Fatal Exception
Program: D:\World of Warcraft\WoW.exe
Exception: 0xC0000005 (ACCESS_VIOLATION) at 001B:0019E612

This error pops up every time I try to log in now :(

I don't know what's going on. I'm starting to think reformatting and starting from scratch would be better. The only thing that concerns me is if some malware or a virus got into my WoW folder, it would be a bitch to reinstall and download all the patches. Anyways, let me know if there's something else I can do, thanks.

Edited by Churchj5: n/a
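The hosts-file check PP asked for above is worth automating when a machine is suspected of search hijacking. This is an added example, not code from the thread or from any tool named in it: it parses a Windows hosts file, skips the default localhost entry, and flags mappings that remap or block search engines and security vendors. The sample hosts contents and the watch-list of domains are constructed for illustration.

```python
"""Audit a Windows hosts file for entries that redirect or block sites.
Added example, not code from the thread; sample contents are constructed."""
import ipaddress

BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
LOOPBACK_OR_NULL = {"127.0.0.1", "::1", "0.0.0.0"}
# Constructed watch-list: the usual targets of hosts-file hijacks.
WATCHED_DOMAINS = ("google.com", "bing.com", "malwarebytes.org", "java.com",
                   "windowsupdate.com", "microsoft.com")

def is_watched(name):
    """True if name is a watched domain or one of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)

def parse_hosts(text):
    """Yield (ip, hostname, lineno) per mapping; comments and blanks skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            yield ("INVALID", raw.strip(), lineno)
            continue
        for name in fields[1:]:  # one line may carry several hostnames
            yield (ip, name.lower(), lineno)

def audit_hosts(text):
    """Return findings as (lineno, reason, ip, hostname) tuples."""
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if ip == "INVALID":
            findings.append((lineno, "unparseable line", "", name))
        elif name in BENIGN_NAMES and ip in LOOPBACK_OR_NULL:
            continue  # the default Windows entry, as seen in the thread
        elif is_watched(name):
            findings.append((lineno, "watched domain remapped", ip, name))
        elif ip not in LOOPBACK_OR_NULL:
            findings.append((lineno, "maps to non-local address", ip, name))
        else:
            findings.append((lineno, "blocked via loopback/null route", ip, name))
    return findings

# Constructed samples: CLEAN matches the thread; HIJACKED shows padding + remaps.
CLEAN_HOSTS = "127.0.0.1 localhost\n"
HIJACKED_HOSTS = ("127.0.0.1 localhost\n# constructed hijack example\n\n\n\n"
                  "198.51.100.7 www.google.com google.com\n"
                  "127.0.0.1 malwarebytes.org  # blocks the vendor's site\n")
```

Run `audit_hosts` on the text of `%SystemRoot%\System32\drivers\etc\hosts`; an empty result means the file only contains the default entry, as in this thread, and the 404 problem lies elsewhere.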

0

If I may, from what I have found, error #132 when playing World of WarCraft is usually caused by failing RAM, a problem with your video card, or not enough allotted storage space, and not by infection.

For your 404 errors can you give us two or three of the links that you have tried and received this error?

Edited by jholland1964: n/a
