TechSpot

Cannot install Malwarebytes Anti-Malware: Access is Denied

Solved
By Rangoon
Oct 24, 2011
  1. Hi,

    I have been dealing with infections on my computer for the past few weeks. I thought I had cleared it, but now it's back. I have been trying to use RKill to pave the way for MBAM to install anew, but can't get it to complete.

    Can anyone help? I've gone years without any serious infections, so I'm not well versed in cleaning this stuff up. I clearly need to adjust my practices, though; I have been a bit nonchalant about any defense beyond a router with Tomato firmware installed.

    Thanks!

    EDIT: I suppose I should add more of my symptoms. I am getting redirects in Firefox, most/all files are hidden, occasional blue screen, frequently programs/services are quitting.
     
  2. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.
    Complete as many steps as you can.

    Please, observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. Rangoon

    Rangoon TS Rookie Topic Starter Posts: 20

    Thanks for the quick reply!

    I have gone through the steps from your post.

    Step 1: I hadn't been using anti-virus (yes, that was stupid apparently). I am now using Avast and have it set to the default settings presently.

    Step 2: I am still unable to install MBAM. I had it installed before, but when I tried to install the newest version, it uninstalled the previous version and then failed to install. I'm getting the "Access is Denied" error. I have tried naming it different things, with different extensions, etc. It always does the same thing: seems to be installing fine, but when the progress bar approaches the end it gives me the error. Needless to say, I have no log to paste.

    Step 3: Oddly, my gmer.log file is blank. The program launched and I saw it scanning furiously for a few seconds. It stopped and I clicked to save the file. I created the log, but when I opened it, it was blank. So there is nothing to paste.

    Step 4:

    DDS.txt


    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.6001.19120 BrowserJavaVersion: 1.6.0_23
    Run by Jeff at 23:07:07 on 2011-10-24
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.4094.2662 [GMT -5:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Windows\runservice.exe
    C:\Windows\SysWOW64\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\IObit\Game Booster\gbtray.exe
    C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
    C:\Program Files\Logitech\GamePanel Software\LCD Manager\lcdmon.exe
    C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
    C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
    C:\Program Files\Logitech\SetPoint II\SetPointII.exe
    C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Windows\SysWOW64\Ctxfihlp.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\SysWOW64\CTXFISPI.EXE
    C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
    C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
    C:\Program Files\Windows Media Player\WMPSideShowGadget.exe
    C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
    C:\Windows\Explorer.exe
    C:\Windows\System32\svchost.exe -k wdisvc
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
    mRun: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL
    mRun: [VolPanel] "C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe" /r
    mRun: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [AmazonGSDownloaderTray] "C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe"
    mRun: [CTxfiHlp] CTXFIHLP.EXE
    mRun: [QuickTime Task] "C:\Program Files (x86)\MpcStar\Codecs\QuickTime\QTTask.exe" -atboottime
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SETPOI~1.LNK - C:\Program Files (x86)\Logitech\SetPoint II\SetPointII.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    Trusted Zone: mozilla.com\www
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{89E33CA3-EE61-45F0-AEEA-17B030314824} : DhcpNameServer = 192.168.1.1
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    mRun-x64: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL
    mRun-x64: [VolPanel] "C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe" /r
    mRun-x64: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [AmazonGSDownloaderTray] "C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe"
    mRun-x64: [CTxfiHlp] CTXFIHLP.EXE
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\MpcStar\Codecs\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\5ttf6sw7.default\
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\MpcStar\Codecs\QuickTime\Plugins\npqtplugin.dll
    FF - plugin: C:\Program Files (x86)\MpcStar\Codecs\QuickTime\Plugins\npqtplugin2.dll
    FF - plugin: C:\Program Files (x86)\MpcStar\Codecs\QuickTime\Plugins\npqtplugin3.dll
    FF - plugin: C:\Program Files (x86)\MpcStar\Codecs\QuickTime\Plugins\npqtplugin4.dll
    FF - plugin: C:\Program Files (x86)\MpcStar\Codecs\QuickTime\Plugins\npqtplugin5.dll
    FF - plugin: c:\program files\real\realplayer\Netscape6\nppl3260.dll
    FF - plugin: c:\program files\real\realplayer\Netscape6\nprjplug.dll
    FF - plugin: c:\program files\real\realplayer\Netscape6\nprpjplug.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
    R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
    R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
    R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
    R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-10-24 44768]
    R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-6 21504]
    R2 LicCtrlService;LicCtrl Service;C:\Windows\Runservice.exe [2011-7-17 2560]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-5-17 2226792]
    R3 chdrvr01;CH Control Manager Driver 1;C:\Windows\system32\DRIVERS\chdrvr01.sys --> C:\Windows\system32\DRIVERS\chdrvr01.sys [?]
    R3 chdrvr02;CH Control Manager Driver 2;C:\Windows\system32\DRIVERS\chdrvr02.sys --> C:\Windows\system32\DRIVERS\chdrvr02.sys [?]
    R3 chdrvr03;chdrvr03;C:\Windows\system32\DRIVERS\chdrvr03.sys --> C:\Windows\system32\DRIVERS\chdrvr03.sys [?]
    R3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]
    R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]
    R3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]
    R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\system32\drivers\LGBusEnum.sys --> C:\Windows\system32\drivers\LGBusEnum.sys [?]
    R3 npusbio;npusbio;C:\Windows\system32\Drivers\npusbio_x64.sys --> C:\Windows\system32\Drivers\npusbio_x64.sys [?]
    R3 NVNET55;NVIDIA nForce 10/100/1000 Mbps Ethernet ;C:\Windows\system32\DRIVERS\nvmimx64.sys --> C:\Windows\system32\DRIVERS\nvmimx64.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-10-24 136176]
    S3 Amazon Download Agent;Amazon Download Agent;C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2011-5-2 401920]
    S3 cpuz132;cpuz132;C:\Program Files (x86)\CPUID\PC Wizard 2010\pcwiz64.sys [2010-9-19 19432]
    S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-5-9 79360]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-11-19 79360]
    S3 CT20XUT;CT20XUT;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]
    S3 CTEXFIFX;CTEXFIFX;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]
    S3 CTHWIUT;CTHWIUT;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]
    S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe --> c:\program files (x86)\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe [?]
    S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-10-24 136176]
    S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-6-6 19968]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
    S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-8-31 89920]
    .
    =============== File Associations ===============
    .
    inffile=%SystemRoot%\SysWow64\NOTEPAD.EXE %1
    JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
    VBEFile=%SystemRoot%\SysWow64\WScript.exe "%1" %*
    VBSFile=%SystemRoot%\SysWow64\WScript.exe "%1" %*
    .
    =============== Created Last 30 ================
    .
    2011-10-25 01:50:17 -------- d-----w- C:\Users\Jeff\AppData\Local\Google
    2011-10-25 01:50:15 65368 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
    2011-10-25 01:50:15 601944 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
    2011-10-25 01:49:44 41184 ----a-w- C:\Windows\avastSS.scr
    2011-10-25 01:49:35 -------- d-----w- C:\ProgramData\AVAST Software
    2011-10-25 01:49:35 -------- d-----w- C:\Program Files\AVAST Software
    2011-10-24 21:13:33 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-10-24 21:00:51 -------- d-----w- C:\14442b
    2011-10-24 20:56:30 98816 ----a-w- C:\Windows\sed.exe
    2011-10-24 20:56:30 518144 ----a-w- C:\Windows\SWREG.exe
    2011-10-24 20:56:30 256000 ----a-w- C:\Windows\PEV.exe
    2011-10-24 20:56:30 208896 ----a-w- C:\Windows\MBR.exe
    2011-10-24 18:28:24 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F41617A7-82FD-4256-80F7-6D394E464028}\mpengine.dll
    2011-10-24 03:29:15 -------- d--h--w- C:\Users\Jeff\AppData\Local\Take On Helicopters
    2011-10-24 03:25:43 -------- d-----w- C:\Users\Jeff\{61f13630-6f16-42c7-9a60-1be001aa4f87}
    2011-10-24 03:24:54 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
    2011-10-24 03:24:54 212992 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILog.dll
    2011-10-24 03:24:54 208896 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
    2011-10-24 03:24:54 151552 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll
    2011-10-24 01:28:04 -------- d-----w- C:\Program Files\Bohemia Interactive
    2011-10-12 04:05:30 -------- d--h--w- C:\ProgramData\WSTB
    2011-10-05 04:33:07 -------- d-----w- C:\Windows\SysWow64\Adobe
    .
    ==================== Find3M ====================
    .
    2011-10-25 01:58:48 3657 ----a-w- C:\Windows\SysWow64\mmf.sys
    2011-10-13 19:27:42 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-10-07 12:59:52 3657 ----a-w- C:\Windows\SysWow64\mmf(31215).sys
    2011-09-28 04:09:08 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
    2011-09-28 04:09:08 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
    2011-09-28 04:07:13 270904 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
    2011-08-31 22:00:50 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
    .
    ============= FINISH: 23:07:35.13 ===============



    Attach.txt


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/6/2008 9:30:28 PM
    System Uptime: 10/24/2011 8:58:06 PM (3 hours ago)
    .
    Motherboard: EVGA | | 132-CK-NF78
    Processor: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz | Socket 775 | 3825/425mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 279 GiB total, 192.233 GiB free.
    D: is CDROM (UDF)
    E: is FIXED (NTFS) - 140 GiB total, 17.863 GiB free.
    F: is CDROM ()
    G: is FIXED (NTFS) - 932 GiB total, 365.126 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: Mass Storage Controller
    Device ID: PCI\VEN_105A&DEV_4D69&SUBSYS_4D68105A&REV_02\4&276FBEC1&0&4878
    Manufacturer:
    Name: Mass Storage Controller
    PNP Device ID: PCI\VEN_105A&DEV_4D69&SUBSYS_4D68105A&REV_02\4&276FBEC1&0&4878
    Service:
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: NVIDIA nForce 10/100/1000 Mbps Ethernet
    Device ID: PCI\VEN_10DE&DEV_0373&SUBSYS_C55E10DE&REV_A3\3&2411E6FE&0&90
    Manufacturer: NVIDIA
    Name: NVIDIA nForce 10/100/1000 Mbps Ethernet #2
    PNP Device ID: PCI\VEN_10DE&DEV_0373&SUBSYS_C55E10DE&REV_A3\3&2411E6FE&0&90
    Service: NVNET55
    .
    ==== System Restore Points ===================
    .
    RP1022: 10/24/2011 2:04:35 PM - Windows Update
    RP1023: 10/24/2011 2:13:27 PM - Restore Operation
    RP1024: 10/24/2011 8:49:21 PM - avast! Free Antivirus Setup
    .
    ==== Installed Programs ======================
    .
    18 Wheels of Steel: American Long Haul
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 11 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader X (10.1.1)
    Adobe Shockwave Player 11.6
    AI War: Fleet Command
    Alice: Madness Returns
    Aliens vs. Predator
    Alpha Protocol
    Amazon Games & Software Downloader
    Apache: Air Assault 1.0.2.1
    APOX
    Apple Application Support
    Apple Software Update
    ArcaniA – Gothic 4
    ARMA 2
    ARMA 2: British Armed Forces
    ARMA 2: British Armed Forces - Data cache removal
    ARMA 2: Operation Arrowhead
    ARMA 2: Private Military Company
    ARMA 2: Private Military Company - Data cache removal
    Assassin's Creed
    Auslogics Disk Defrag
    avast! Free Antivirus
    AviSynth 2.5
    Batman: Arkham Asylum GOTY Edition
    Battlefield: Bad Company 2
    BattlEye for OA Uninstall
    BattlEye Uninstall
    BioShock
    BitTorrent
    Brothers in Arms: Earned in Blood
    Brothers in Arms: Hell's Highway
    Brothers in Arms: Road to Hill 30
    Call of Duty(R) 4 - Modern Warfare(TM)
    Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
    Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
    Call of Duty: Modern Warfare 2
    Call of Juarez: Bound in Blood
    CH Control Manager Software
    Clive Barker's Jericho
    Combat Mission Shock Force
    Command and Conquer 4: Tiberian Twilight
    Company of Heroes
    Compatibility Pack for the 2007 Office system
    Creative ALchemy
    Creative Audio Control Panel
    Creative Console Launcher
    Creative Software AutoUpdate
    Creative Sound Blaster Properties x64 Edition
    Crysis WARHEAD(R)
    Crysis WARHEAD(R) Patch
    Crysis(R)
    Dark Messiah Might and Magic Single Player
    Dark Sector
    Darwinia
    Dead Space™
    Defense Grid: The Awakening
    Divinity II - The Dragon Knight Saga
    Dragon Age: Origins
    Dragon Age: Origins - Ultimate Edition
    Dungeon Keeper 2
    EA Download Manager
    Emote-Launcher (remove only)
    Empire: Total War
    er100LT
    EVE Online: Incarna
    EVGA Precision 1.3.1
    F.E.A.R.
    F1 2010™
    Fallout 3 - Game of the Year Edition
    Fallout Mod Manager 0.11.9
    Far Cry 2
    FCR v1.3 final or Flash Mod v1.01
    Flight Control HD
    Francesco's leveled creatures-items mod 4.5b
    Francesco's optional new items/creatures 4.5
    Fraps (remove only)
    Game Booster
    GameSpy Comrade
    Ghostbusters: The Video Game
    Google Chrome
    Google Update Helper
    Gothic 3 Forsaken Gods Enhanced Edition
    Grand Theft Auto IV
    Graphical Enhancement Resources 2.5
    Graphical Enhancement Textures 2.5
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hydrophobia: Prophecy
    Jade Empire: Special Edition
    Java Auto Updater
    Java(TM) 6 Update 23
    Java(TM) 6 Update 6
    Java(TM) 6 Update 7
    JScreenFix
    Just Cause 2
    Kane & Lynch 2: Dog Days
    King Arthur - The Role-playing Wargame
    Left 4 Dead 2
    Machinarium
    Mafia II
    Magicka
    Majesty 2: The Fantasy Kingdom Sim - patch v.1.3.336
    Malwarebytes' Anti-Malware version 1.51.1.1800
    Medal of Honor(TM) Single Player
    Medieval II Total War
    Medieval II Total War : Kingdoms : Americas
    Medieval II Total War : Kingdoms : Britannia
    Medieval II Total War : Kingdoms : Crusades
    Medieval II Total War : Kingdoms : Teutonic
    Men of War
    Men of War: Red Tide
    Metro 2033
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Games for Windows Marketplace
    Microsoft Office Word Viewer 2003
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft XNA Framework Redistributable 3.1
    Mirror's Edge
    Mount and Blade: Warband
    Mozilla Firefox 8.0 (x86 en-US)
    MpcStar 3.1
    MSI Afterburner 2.1.0
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    Napoleon: Total War
    NVIDIA PhysX
    Oblivion
    Oblivion - TweakOblivion 5.10 (Build:370)
    Oblivion mod manager 1.1.11
    OpenAL
    OpenOffice.org 2.4
    Operation Flashpoint: Dragon Rising
    Osmos
    Pathologic
    PC Wizard 2010.1.95
    PunkBuster Services
    Python 2.5.2
    QuickTime
    R.U.S.E
    RealPlayer
    Red Faction: Guerrilla
    Resident Evil 5
    Risen
    S.T.A.L.K.E.R. - Clear Sky
    Saints Row 2
    Scabbar Mod ver 1.03
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Sid Meier's Civilization V
    Sid Meier's Civilization V SDK
    Silent Hunter III
    Singularity
    Skype™ 5.1
    SlimDX Redistributable (March 2009)
    Sniper: Ghost Warrior
    Spellforce: Platinum Edition
    Stainless_Steel_6.0_Part1of2
    Star Wars: Empire at War Gold
    Star Wars: Knights of the Old Republic
    Steam
    swMSM
    System Requirements Lab
    Take On Helicopters
    The First Templar
    The Path
    The Polynomial
    The Settlers 7: Paths to a Kingdom - Gold Edition
    The Sims(TM) 3
    The Witcher Enhanced Edition
    Theatre of War
    Theatre of War 2: Africa 1943
    Theatre of War 2: Kursk 1943
    Thief: Deadly Shadows
    Tom Clancy's EndWar
    Tom Clancy's Ghost Recon: Advanced Warfighter
    Tom Clancy's Ghost Recon: Advanced Warfighter 2
    Tom Clancy's Splinter Cell Chaos Theory
    Tom Clancy's Splinter Cell: Conviction
    Total War: SHOGUN 2
    TrackIR4
    Two Worlds: Epic Edition
    UDPixel.exe
    Unofficial Shivering Isles Patch v1.4.0
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Uplink
    Vista Codec Package
    VLC media player 1.1.9
    Volume Panel
    World in Conflict: Soviet Assault
    wxPython 2.8.7.1 (ansi) for Python 2.5
    yuPlay client 0.7.19
    Zeno Clash
    .
    ==== Event Viewer Messages From Past Week ========
    .
    10/24/2011 9:00:06 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
    10/24/2011 7:04:55 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Beep CSC DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
    10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
    10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The Terminal Services Configuration service depends on the Workstation service which failed to start because of the following error: The dependency service or group failed to start.
    10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
    10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The Creative Audio Service service depends on the Windows Audio service which failed to start because of the following error: The dependency service or group failed to start.
    10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    10/24/2011 7:04:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    10/24/2011 7:04:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    10/24/2011 7:04:02 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    10/24/2011 7:04:02 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    10/24/2011 7:04:02 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    10/24/2011 7:04:00 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    10/24/2011 7:03:51 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    10/24/2011 4:06:34 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    10/24/2011 4:06:00 PM, Error: Application Popup [1060] - \??\C:\14442b\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    10/24/2011 4:01:33 PM, Error: Service Control Manager [7034] - The LicCtrl Service service terminated unexpectedly. It has done this 1 time(s).
    10/24/2011 4:00:34 PM, Error: Service Control Manager [7034] - The Adobe Acrobat Update Service service terminated unexpectedly. It has done this 1 time(s).
    10/24/2011 3:59:42 PM, Error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    10/24/2011 3:50:19 PM, Error: nvstor64 [3] - Data error on device. Device: \Device\RaidPort2 Model: WDC WD1500ADFD-00NLR5 Firmware Version: 21.0 Serial Number: WD-WMAP42126892 Port: 1
    10/24/2011 2:04:54 PM, Error: volsnap [20] - The shadow copies of volume C: were aborted because of a failed free space computation.
    10/24/2011 12:31:31 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
    10/24/2011 12:30:05 PM, Error: EventLog [6008] - The previous system shutdown at 12:27:42 PM on 10/24/2011 was unexpected.
    10/24/2011 12:27:42 PM, Error: EventLog [6008] - The previous system shutdown at 12:25:35 PM on 10/24/2011 was unexpected.
    10/24/2011 1:31:59 PM, Error: EventLog [6008] - The previous system shutdown at 1:29:20 PM on 10/24/2011 was unexpected.
    10/20/2011 6:58:43 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
    10/19/2011 11:52:44 PM, Error: Microsoft-Windows-PrintSpooler [6161] - The document Print, owned by Jeff, failed to print on printer Canon Inkjet MP150 Series. Try to print the document again, or restart the print spooler. Data type: NT EMF 1.008. Size of the spool file in bytes: 196608. Number of bytes printed: 73252. Total number of pages in the document: 1. Number of pages printed: 0. Client computer: \\JEFFVISTA64. Win32 error code returned by the print processor: 259. No more data is available.
    10/19/2011 1:16:01 PM, Error: Microsoft-Windows-PrintSpooler [6161] - The document X - Google Maps, owned by Jeff, failed to print on printer Canon Inkjet MP150 Series. Try to print the document again, or restart the print spooler. Data type: NT EMF 1.008. Size of the spool file in bytes: 4264988. Number of bytes printed: 4264988. Total number of pages in the document: 2. Number of pages printed: 1. Client computer: \\JEFFVISTA64. Win32 error code returned by the print processor: 0. The operation completed successfully.
    10/18/2011 6:40:47 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    .
    ==== End Of File ===========================



    Step 5: this post.

    Thanks!
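The Service Control Manager cascade in the event log above (a run of 7001 errors plus one 7026 line listing boot-start drivers that never loaded) is easier to read as a graph than as a list. The following is an added example, not code from this thread or from any of the tools it mentions: it parses a few of the 7001/7026 lines copied from the log above into a dependency map, separates the services that failed only because something they depend on failed from the dependencies that failed for a reason of their own, and lists the boot-start drivers from the 7026 line alongside them. The sample lines are taken from this post; the regular expressions and function names are my own.

```python
"""Correlate Service Control Manager errors (event IDs 7001 and 7026) to
separate root-cause failures from the dependency cascade they trigger."""
import re

# Constructed sample: six lines copied from the Event Viewer section pasted
# above, in the "date, Error: Source [id] - message" layout that tool used.
SAMPLE_LOG = """\
10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/24/2011 7:04:55 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
10/24/2011 12:31:31 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
"""

# 7001: "The <svc> service depends on the <dep> service which failed ... error: <err>."
DEP_RE = re.compile(
    r"\[7001\] - The (?P<svc>.+?) service depends on the (?P<dep>.+?) service "
    r"which failed to start because of the following error: (?P<err>.+?)\.?$"
)
# 7026: boot/system-start drivers that never loaded (short service names)
BOOT_RE = re.compile(r"\[7026\] - .*?failed to load: (?P<drivers>.+)$")
CASCADE = "dependency service or group failed to start"


def parse(log: str):
    """Return ({service: (dependency, error)}, {driver short names})."""
    edges, boot_failed = {}, set()
    for line in log.splitlines():
        m = DEP_RE.search(line)
        if m:
            edges[m["svc"]] = (m["dep"], m["err"])
            continue
        m = BOOT_RE.search(line)
        if m:
            boot_failed.update(m["drivers"].split())
    return edges, boot_failed


def root_causes(edges):
    """Dependencies that failed for a reason of their own rather than because
    something *they* depend on failed. These are where to start looking."""
    return {dep for dep, err in edges.values() if CASCADE not in err}


def unexplained(edges):
    """Dependencies blamed for a cascade failure that have no 7001 line of
    their own; the remaining explanation is the 7026 boot-driver list."""
    return {dep for dep, err in edges.values()
            if CASCADE in err and dep not in edges}


def impacted(edges, root):
    """Every service that (transitively) failed because `root` did."""
    out, frontier = set(), {root}
    while frontier:
        frontier = {svc for svc, (dep, _) in edges.items()
                    if dep in frontier and svc not in out}
        out |= frontier
    return out


def report(log: str) -> dict:
    edges, boot_failed = parse(log)
    return {
        "root_causes": {r: sorted(impacted(edges, r)) for r in root_causes(edges)},
        "unexplained": sorted(unexplained(edges)),
        "boot_drivers_failed": sorted(boot_failed),
    }


if __name__ == "__main__":
    import json, sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(report(text), indent=2))
```

Run it against a saved copy of the full event log (`python sclog.py events.txt`) or with no argument to use the embedded sample. Matching the short names in the 7026 line (nsiproxy, tdx, AFD, rdbss) to the display names in the 7001 lines is left to the reader; that mapping lives in the registry under each service's DisplayName and is not something this script looks up.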
     
  4. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
    2. Restart your computer (very important).
    3. Download and run this utility.
    4. It will ask to restart your computer (please allow it to).
    5. After the computer restarts, install the latest version from here.
    Let me know, if it worked.

    Then.....

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start the scan.

    On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the tool below, named Rkill (courtesy of BleepingComputer.com), which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
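The note above says aswMBR writes MBR.dat, a copy of the MBR, and not to delete it. What follows is an added example of what a copy like that is good for; it is not code from this thread, from aswMBR or from ComboFix. It assumes MBR.dat is the raw 512-byte sector 0 (the "MBR has been saved" message suggests that, but I have not confirmed the file format), checks the 0x55AA signature and the four partition entries, and hashes the boot code so the copy saved before ComboFix runs can be compared with the MBR afterwards. The constructed sample image and all function names are mine.

```python
"""Parse and sanity-check a raw 512-byte MBR image such as aswMBR's MBR.dat
(assumed raw-sector format), and hash its boot code for before/after comparison."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439: boot code
DISK_SIG_OFF = 440         # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446       # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"    # bytes 510..511
ENTRY_FMT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(data: bytes) -> dict:
    if len(data) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(data)}")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, data, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                      # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "status": status,
                      "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": data[510:512] == SIGNATURE,
        "disk_signature": struct.unpack_from("<I", data, DISK_SIG_OFF)[0],
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def sanity_issues(info: dict) -> list:
    """Structural problems worth a second look. This is not a rootkit detector:
    a bootkit that leaves the table intact and only replaces the boot code
    shows up only as a changed boot_code_sha256 against a known-good copy."""
    issues = []
    if not info["signature_ok"]:
        issues.append("missing 0x55AA boot signature")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        issues.append(f"{len(bootable)} bootable partitions (expected 1)")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            issues.append(f"entry {p['index']}: invalid status byte {p['status']:#04x}")
        if p["lba_start"] == 0:
            issues.append(f"entry {p['index']}: starts at LBA 0 (overlaps the MBR)")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            issues.append("partition ranges overlap")
    return issues


def boot_code_changed(data: bytes, known_good_sha256: str) -> bool:
    """True if the boot code differs from a hash recorded earlier, e.g. from the
    MBR.dat saved before running ComboFix."""
    return parse_mbr(data)["boot_code_sha256"] != known_good_sha256


def build_sample_mbr() -> bytes:
    """Constructed test image: filler boot code (not real Windows code), one
    bootable NTFS (0x07) partition starting at LBA 2048, valid signature."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (BOOT_CODE_LEN - 3)
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    table = struct.pack(ENTRY_FMT, 0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return boot_code + disk_sig + table + SIGNATURE


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(image)
    print(f"signature ok: {info['signature_ok']}  disk signature: {info['disk_signature']:#010x}")
    print(f"boot code sha256: {info['boot_code_sha256']}")
    for p in info["partitions"]:
        print(f"  entry {p['index']}: type {p['type']:#04x} boot={p['bootable']} "
              f"start={p['lba_start']} sectors={p['sectors']}")
    print("issues:", sanity_issues(info) or "none")
```

Usage: `python mbrcheck.py MBR.dat` prints the table and the boot-code hash; record the hash, and after the cleaning steps above rerun aswMBR, save a new MBR.dat and compare. A changed hash with an unchanged partition table is the case the sanity checks cannot catch on their own, which is why the hash is recorded separately.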
     
  5. Rangoon

    Rangoon TS Rookie Topic Starter Posts: 20

    Here is my MBAM log - it removed three files, but they were all Rkill files which had been named in a way that malware might have allowed to run:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8015

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19120

    10/24/2011 11:36:32 PM
    mbam-log-2011-10-24 (23-36-32).txt

    Scan type: Quick scan
    Objects scanned: 191307
    Time elapsed: 1 minute(s), 41 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\Jeff\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
    c:\Users\Jeff\Desktop\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
    c:\Users\Jeff\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


    Here is my aswMBR log:

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-10-24 23:40:32
    -----------------------------
    23:40:32.856 OS Version: Windows x64 6.0.6002 Service Pack 2
    23:40:32.856 Number of processors: 2 586 0x1706
    23:40:32.857 ComputerName: JEFFVISTA64 UserName: Jeff
    23:40:33.506 Initialize success
    23:40:33.749 AVAST engine defs: 11102402
    23:41:09.759 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000063
    23:41:09.760 Disk 0 Vendor: WDC_WD30 03.0 Size: 286168MB BusType: 3
    23:41:09.761 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000064
    23:41:09.762 Disk 1 Vendor: WDC_WD10 05.0 Size: 953869MB BusType: 3
    23:41:09.764 Disk 2 \Device\Harddisk2\DR2 -> \Device\00000067
    23:41:09.765 Disk 2 Vendor: WDC_WD15 21.0 Size: 143089MB BusType: 3
    23:41:11.781 Disk 0 MBR read successfully
    23:41:11.782 Disk 0 MBR scan
    23:41:11.784 Disk 0 Windows VISTA default MBR code
    23:41:11.786 Service scanning
    23:41:13.345 Modules scanning
    23:41:13.347 Disk 0 trace - called modules:
    23:41:13.359 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys storport.sys hal.dll nvstor64.sys
    23:41:13.683 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005031150]
    23:41:13.685 3 CLASSPNP.SYS[fffffa6001275c33] -> nt!IofCallDriver -> [0xfffffa8004e827c0]
    23:41:13.687 5 acpi.sys[fffffa60008fbfde] -> nt!IofCallDriver -> \Device\00000063[0xfffffa8004e82060]
    23:41:14.255 AVAST engine scan C:\Windows
    23:41:18.822 AVAST engine scan C:\Windows\system32
    23:42:07.903 AVAST engine scan C:\Windows\system32\drivers
    23:42:12.330 AVAST engine scan C:\Users\Jeff
    23:47:08.138 AVAST engine scan C:\ProgramData
    23:47:35.763 Scan finished successfully
    23:48:35.894 Disk 0 MBR has been saved successfully to "C:\Users\Jeff\Desktop\MBR.dat"
    23:48:35.896 The log file has been saved successfully to "C:\Users\Jeff\Desktop\aswMBR.txt"


    And here is my combofix log:

    ComboFix 11-10-24.05 - Jeff 10/24/2011 23:53:37.2.2 - x64
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.4094.2487 [GMT -5:00]
    Running from: c:\users\Jeff\Downloads\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\users\Jeff\AppData\Local\{0FD55ED5-1212-41C1-BD44-576823EADBFE}\chrome.manifest
    c:\users\Jeff\AppData\Local\{0FD55ED5-1212-41C1-BD44-576823EADBFE}\chrome\content\overlay.xul
    c:\users\Jeff\AppData\Local\{0FD55ED5-1212-41C1-BD44-576823EADBFE}\install.rdf
    c:\users\Jeff\g2mdlhlpx.exe
    E:\install.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-25 to 2011-10-25 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-25 04:58 . 2011-10-25 04:58 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2011-10-25 04:58 . 2011-10-25 04:58 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-10-25 04:33 . 2011-10-25 04:33 -------- d-----w- c:\users\Jeff\AppData\Roaming\Malwarebytes
    2011-10-25 04:33 . 2011-10-25 04:33 -------- d-----w- c:\programdata\Malwarebytes
    2011-10-25 04:33 . 2011-10-25 04:33 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-10-25 04:33 . 2011-08-31 22:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-25 01:50 . 2011-10-25 01:52 -------- d-----w- c:\users\Jeff\AppData\Local\Google
    2011-10-25 01:50 . 2011-10-25 01:50 -------- d-----w- c:\program files (x86)\Google
    2011-10-25 01:50 . 2011-09-06 20:38 301912 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-10-25 01:50 . 2011-09-06 20:36 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-10-25 01:50 . 2011-09-06 20:36 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-10-25 01:50 . 2011-09-06 20:45 254400 ----a-w- c:\windows\system32\aswBoot.exe
    2011-10-25 01:50 . 2011-09-06 20:38 601944 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-10-25 01:50 . 2011-09-06 20:36 58200 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-10-25 01:50 . 2011-09-06 20:36 65368 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-10-25 01:49 . 2011-09-06 20:45 41184 ----a-w- c:\windows\avastSS.scr
    2011-10-25 01:49 . 2011-09-06 20:45 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2011-10-25 01:49 . 2011-10-25 01:49 -------- d-----w- c:\programdata\AVAST Software
    2011-10-25 01:49 . 2011-10-25 01:49 -------- d-----w- c:\program files\AVAST Software
    2011-10-24 18:28 . 2011-10-18 07:27 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F41617A7-82FD-4256-80F7-6D394E464028}\mpengine.dll
    2011-10-24 03:29 . 2011-10-24 03:29 -------- d--h--w- c:\users\Jeff\AppData\Local\Take On Helicopters
    2011-10-24 03:25 . 2011-10-24 18:13 -------- d-----w- c:\users\Jeff\{61f13630-6f16-42c7-9a60-1be001aa4f87}
    2011-10-24 03:24 . 2000-01-05 10:35 208896 ----a-w- c:\program files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
    2011-10-24 03:24 . 2000-01-04 10:44 151552 ----a-w- c:\program files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll
    2011-10-24 03:24 . 2000-01-04 10:39 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
    2011-10-24 03:24 . 2000-01-04 10:39 212992 ----a-w- c:\program files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILog.dll
    2011-10-24 01:28 . 2011-10-24 01:28 -------- d-----w- c:\program files\Bohemia Interactive
    2011-10-13 21:32 . 2011-10-13 21:32 -------- d-----w- c:\program files (x86)\Common Files\Adobe
    2011-10-12 13:42 . 2011-10-12 13:42 9310 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(5791)\TEXTBOX.JS
    2011-10-12 04:05 . 2011-10-12 13:25 -------- d--h--w- c:\programdata\WSTB
    2011-10-05 04:33 . 2011-10-05 05:07 -------- d-----w- c:\windows\SysWow64\Adobe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-13 19:27 . 2011-05-18 03:56 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-09-28 04:09 . 2010-08-30 01:00 280736 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
    2011-09-28 04:09 . 2009-06-14 23:16 280736 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
    2011-09-28 04:07 . 2010-08-30 01:00 270904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
    2011-08-31 01:00 . 2009-08-18 17:49 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
    2011-08-31 01:00 . 2009-08-18 16:24 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-08-14 13:41 . 2011-08-14 13:41 0 ---ha-w- c:\users\Jeff\AppData\Local\Kronadod.bin
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-10-24_21.08.44 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-06-07 03:33 . 2011-10-25 05:05 57514 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 15:44 . 2011-10-25 05:05 70310 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2008-06-07 03:33 . 2011-10-25 05:05 20238 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1787995230-711523803-3076010400-1000_UserData.bin
    - 2008-06-07 02:24 . 2011-10-24 19:17 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-06-07 02:24 . 2011-10-25 05:02 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-06-07 02:24 . 2011-10-25 05:02 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-06-07 02:24 . 2011-10-24 19:17 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-06-07 02:24 . 2011-10-24 19:17 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-06-07 02:24 . 2011-10-25 05:02 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-10-25 01:56 . 2011-10-25 01:56 22016 c:\windows\Installer\48a7cb.msi
    - 2011-07-17 16:16 . 2011-10-24 21:08 3657 c:\windows\SysWOW64\mmf.sys
    + 2011-07-17 16:16 . 2011-10-25 05:00 3657 c:\windows\SysWOW64\mmf.sys
    + 2008-07-10 02:49 . 2011-10-25 00:01 3978 c:\windows\system32\WDI\ERCQueuedResolutions.dat
    - 2011-10-24 21:08 . 2011-10-24 21:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-10-25 05:00 . 2011-10-25 05:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-10-25 05:00 . 2011-10-25 05:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-10-24 21:08 . 2011-10-24 21:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2008-06-07 05:13 . 2011-10-02 09:51 245760 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-06-07 05:13 . 2011-10-25 05:00 245760 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-06-07 05:13 . 2011-10-02 09:51 638976 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-06-07 05:13 . 2011-10-25 05:00 638976 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2006-11-02 12:46 . 2011-10-24 19:23 672542 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2011-10-25 04:45 672542 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2011-10-25 04:45 131964 c:\windows\system32\perfc009.dat
    - 2006-11-02 12:46 . 2011-10-24 19:23 131964 c:\windows\system32\perfc009.dat
    + 2009-05-01 20:22 . 2011-10-25 05:02 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    - 2009-05-01 20:22 . 2011-10-24 19:17 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2011-10-25 01:49 . 2011-10-25 01:49 219648 c:\windows\Installer\48a7bb.msi
    - 2008-06-07 05:13 . 2011-10-02 09:51 3375104 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-06-07 05:13 . 2011-10-25 05:00 3375104 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2006-11-02 12:33 . 2011-10-24 18:37 11272192 c:\windows\system32\SMI\Store\Machine\schema.dat
    + 2006-11-02 12:33 . 2011-10-25 01:57 11272192 c:\windows\system32\SMI\Store\Machine\schema.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files (x86)\Windows Media Player\WMPNSCFG.exe" [BU]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "AsioThk32Reg"="CTASIO.DLL" [2010-05-06 51712]
    "VolPanel"="c:\program files (x86)\Creative\Volume Panel\VolPanlu.exe" [BU]
    "TkBellExe"="c:\program files (x86)\Common Files\Real\Update_OB\realsched.exe" [2009-11-23 198160]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "AmazonGSDownloaderTray"="c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
    "CTxfiHlp"="CTXFIHLP.EXE" [2010-05-06 25600]
    "QuickTime Task"="c:\program files (x86)\MpcStar\Codecs\QuickTime\QTTask.exe" [2011-07-05 421888]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetPointII.exe [2007-8-30 809984]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    "EnableLUA"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-25 136176]
    R3 Amazon Download Agent;Amazon Download Agent;c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]
    R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-05-10 79360]
    R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-11-19 79360]
    R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [x]
    R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [x]
    R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [x]
    R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-25 136176]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
    S2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2011-07-17 2560]
    S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-14 2226792]
    S3 chdrvr01;CH Control Manager Driver 1;c:\windows\system32\DRIVERS\chdrvr01.sys [x]
    S3 chdrvr02;CH Control Manager Driver 2;c:\windows\system32\DRIVERS\chdrvr02.sys [x]
    S3 chdrvr03;chdrvr03;c:\windows\system32\DRIVERS\chdrvr03.sys [x]
    S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [x]
    S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [x]
    S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [x]
    S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [x]
    S3 npusbio;npusbio;c:\windows\system32\Drivers\npusbio_x64.sys [x]
    S3 NVNET55;NVIDIA nForce 10/100/1000 Mbps Ethernet ;c:\windows\system32\DRIVERS\nvmimx64.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-25 01:50]
    .
    2011-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-25 01:50]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-09-06 20:45 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-07-17 134160]
    "Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-08-14 415752]
    "Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2009-08-13 2093064]
    "Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-08-14 4195848]
    "XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 825184]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    Trusted Zone: mozilla.com\www
    TCP: DhcpNameServer = 192.168.1.1
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\5ttf6sw7.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-BattlEye - c:\program files (x86)\steam\steamapps\common\arma 2BattlEye\UnInstallBE.exe
    AddRemove-BattlEye for OA - g:\program files\steam\steamapps\common\arma 2 operation arrowheadExpansion\BattlEye\UnInstallBE.exe
    AddRemove-Fallout Mod Manager_is1 - c:\program files (x86)\steam\steamapps\common\fallout 3 goty\fomm\uninstall\unins000.exe
    AddRemove-Graphical Enhancement Resources - e:\program files\Mount&Blade\uninstall_commonres_pack.exe
    AddRemove-Graphical Enhancement Textures - e:\program files\Mount&Blade\uninstall_texture_pack.exe
    AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc.exe
    AddRemove-Steam App 10680 - c:\program files (x86)\Steam\steam.exe
    AddRemove-Steam App 12210 - c:\program files (x86)\Steam\steam.exe
    AddRemove-Steam App 1500 - c:\program files (x86)\Steam\steam.exe
    AddRemove-Steam App 17450 - c:\program files (x86)\Steam\steam.exe
    AddRemove-Steam App 1930 - c:\program files (x86)\Steam\steam.exe
    AddRemove-Steam App 21970 - c:\program files (x86)\Steam\steam.exe
    AddRemove-Steam App 21980 - c:\program files (x86)\Steam\steam.exe
    AddRemove-Steam App 24400 - c:\program files (x86)\Steam\steam.exe
    AddRemove-Steam App 24960 - c:\program files (x86)\Steam\steam.exe
    AddRemove-Steam App 27000 - c:\program files (x86)\Steam\steam.exe
    AddRemove-Steam App 28000 - c:\program files (x86)\Steam\steam.exe
    AddRemove-Steam App 33900 - c:\program files (x86)\Steam\steam.exe
    AddRemove-Steam App 40700 - c:\program files (x86)\Steam\steam.exe
    AddRemove-Steam App 42910 - c:\program files (x86)\Steam\steam.exe
    AddRemove-Steam App 43110 - c:\program files (x86)\Steam\steam.exe
    AddRemove-Steam App 48700 - c:\program files (x86)\Steam\steam.exe
    AddRemove-Steam App 550 - c:\program files (x86)\Steam\steam.exe
    AddRemove-Steam App 80000 - c:\program files (x86)\Steam\steam.exe
    AddRemove-JScreenFix - c:\windows\system32\javaws.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1787995230-711523803-3076010400-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    @Allowed: (Read) (RestrictedCode)
    "??"=hex:f1,e6,84,f6,26,73,a7,60,32,9c,9b,f0,de,16,3b,76,5b,30,f3,60,ab,2f,70,
    07,d7,c5,95,59,ad,36,6f,e1,4f,86,ea,1c,c4,ba,29,4a,c6,48,6f,ca,fb,a1,f6,72,\
    "??"=hex:c6,9b,7c,aa,dd,7d,a6,fd,b6,bf,b5,8f,fe,30,cd,49
    .
    [HKEY_USERS\S-1-5-21-1787995230-711523803-3076010400-1000\Software\SecuROM\License information*]
    "datasecu"=hex:a6,f5,d4,1d,3b,19,59,5c,43,f3,26,a1,25,c3,6a,28,8b,11,0c,83,8e,
    0d,88,60,62,9f,e7,77,7a,84,1c,f7,1a,a5,11,7a,e8,e0,89,98,91,1c,f4,05,10,40,\
    "rkeysecu"=hex:84,83,28,42,05,f6,23,8a,bd,5f,77,2c,42,ca,84,50
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.9"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil9f.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil9f.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]
    "1"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,60,bf,2f,c2,35,91,ae,
    25
    "2"=hex:fb,e6,50,7f,41,f4,51,a7,7f,ec,2d,f9,42,45,3a,02,3a,b7,45,15,3f,9d,8b,
    c3
    "3"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,5d,f5,58,d1,21,e0,48,
    8b,38,57,44,9c,4e,8d,78,88,fd,f1,01,9d,86,d8,b5,cb,d9,bf,23,55,4a,bb,31,1f
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\0472A5F591DE6EF2D1809DE316FEF63A]
    "1"=hex:29,fc,2c,6f,ce,aa,f2,69,e8,37,99,34,ad,33,e5,ad
    "2"=hex:12,f9,35,71,08,62,dd,b1
    "3"=hex:ad,5f,c6,98,7e,bc,0f,22,d1,01,38,55,1a,8b,a2,63,57,68,f0,72,8c,65,90,
    f0,40,ba,67,ed,2b,0a,60,03,0f,7a,75,4e,0b,a9,0e,6e,01,84,7f,37,9c,5d,ce,1f,\
    "4"=hex:2f,ad,a2,e7,8a,bf,05,5e
    "5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
    1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
    "6"=hex:29,fc,2c,6f,ce,aa,f2,69,91,58,78,d6,14,eb,6c,a9,de,cd,51,b9,df,64,e3,
    ab,8e,48,3d,02,33,b8,24,79,16,a3,2d,4e,34,ce,a4,f8,78,49,2a,cb,3c,6d,8e,47,\
    "7"=hex:6a,0b,56,13,c1,93,dc,9c,a0,00,aa,b4,e4,7b,e0,c8,74,2a,16,32,d3,b5,82,
    f9,9f,42,18,f6,e4,ae,ab,8d,c8,97,d7,68,80,f0,f7,2b,97,55,94,90,3e,a5,3b,6a,\
    "8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,43,69,70,4c,7e,7f,7c,
    de,a0,46,ee,d1,e1,d8,58,7c,16,70,d4,a0,8c,ec,86,77,7d,72,2c,53,77,0b,6f,be,\
    "9"=hex:81,20,8f,ab,28,6a,52,9c
    "18"=hex:d0,71,12,cb,08,b7,a7,d6
    "10"=hex:81,20,8f,ab,28,6a,52,9c
    "11"=hex:81,20,8f,ab,28,6a,52,9c
    "12"=hex:64,29,c6,72,26,3a,bc,62,7f,ad,70,79,d2,7c,44,4c,f2,9d,e5,18,79,7b,4d,
    c0,44,de,5b,b1,a8,50,d5,04,86,e8,10,55,99,d8,c2,69,44,c5,e0,3a,0e,9c,fa,2f,\
    "13"=hex:f6,a6,f1,66,bd,09,35,15,47,21,ca,50,14,2b,da,f5,1d,02,33,ac,7a,f0,30,
    a1
    "14"=hex:15,24,77,86,e3,cd,8e,2c,a9,6f,d7,b7,1a,9c,78,6b
    "24"=hex:81,20,8f,ab,28,6a,52,9c
    "26"=hex:81,20,8f,ab,28,6a,52,9c
    "27"=hex:81,20,8f,ab,28,6a,52,9c
    "19"=hex:6e,03,58,68,65,9c,f5,be,49,f0,3e,aa,ff,42,eb,8b
    "22"=hex:81,20,8f,ab,28,6a,52,9c
    "15"=hex:f6,a8,f5,4f,3c,f5,b5,60,2b,ec,47,87,ac,a3,fb,59,9f,0d,30,f3,32,8c,a4,
    7a,d5,7c,e3,12,33,5f,08,b6,cd,71,5a,18,a5,df,03,c5,ae,a6,a8,9e,91,b4,71,03,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\C4838B3D951212E6CDEE180D9201C56E]
    "1"=hex:07,1f,1a,27,85,96,85,c3,38,71,53,58,52,6e,65,80,4c,0f,9a,93,b5,f7,5b,
    e0
    "2"=hex:0d,61,15,35,3f,ec,03,67
    "3"=hex:01,01,19,43,70,2d,c9,18,f3,48,c5,94,89,f0,e2,13,ef,cf,90,7a,13,d2,62,
    1a,53,a9,d8,55,78,d0,35,72,f2,19,db,7c,99,9c,98,f0,17,83,f1,86,d6,04,4a,8c,\
    "4"=hex:2f,ad,a2,e7,8a,bf,05,5e
    "5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
    1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
    "6"=hex:07,1f,1a,27,85,96,85,c3,38,71,53,58,52,6e,65,80,0a,e7,b1,ce,73,6a,58,
    57,ea,89,c4,2a,ac,9b,2f,fa,c1,bc,5c,c1,e9,c5,f3,62,38,ea,16,8c,a1,a7,a5,09,\
    "7"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,56,a7,02,9d,f0,a0,1d,
    cc,28,d9,b1,18,9e,f1,8d,e8,54,e6,61,27,95,2e,52,cc,1c,f7,fa,64,bd,24,b7,82,\
    "8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,43,69,70,4c,7e,7f,7c,
    de,a0,46,ee,d1,e1,d8,58,7c,16,70,d4,a0,8c,ec,86,77,7d,72,2c,53,77,0b,6f,be,\
    "9"=hex:81,20,8f,ab,28,6a,52,9c
    "18"=hex:d0,71,12,cb,08,b7,a7,d6
    "10"=hex:81,20,8f,ab,28,6a,52,9c
    "11"=hex:81,20,8f,ab,28,6a,52,9c
    "12"=hex:e6,b9,76,dd,d5,90,90,b7,2d,65,66,20,8c,4f,cf,fc,d3,53,44,ad,5b,ec,9d,
    b3,1f,f0,f1,44,8e,6f,ac,f5,ad,94,6a,55,a3,e9,cc,77,e3,f7,42,5b,ac,85,7d,7d,\
    "13"=hex:3c,18,2b,d4,38,26,d5,62,57,b5,56,f4,fc,36,90,70,e8,8c,59,9a,9b,1a,b6,
    49
    "14"=hex:cc,37,e6,02,49,3c,f3,ea,f2,40,e6,1c,3c,12,e0,3d
    "24"=hex:81,20,8f,ab,28,6a,52,9c
    "26"=hex:81,20,8f,ab,28,6a,52,9c
    "27"=hex:81,20,8f,ab,28,6a,52,9c
    "19"=hex:6e,03,58,68,65,9c,f5,be,49,f0,3e,aa,ff,42,eb,8b
    "22"=hex:81,20,8f,ab,28,6a,52,9c
    "15"=hex:3b,eb,c3,4d,0e,fc,32,2d,68,51,f5,00,d3,35,9d,6e,19,a2,c0,e9,ed,d0,47,
    34,b8,d1,6f,d2,7b,d3,23,c8,00,be,af,8f,78,c6,5e,10,81,f0,ce,a0,0f,4b,fe,37,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\DF7B54A6112C2A0959607A574D3D99D6]
    "1"=hex:05,a5,52,27,27,68,21,41,63,83,05,15,ef,55,2c,92
    "2"=hex:0d,61,15,35,3f,ec,03,67
    "3"=hex:7c,30,70,f4,f1,2f,24,2b,07,d4,c8,10,50,5f,b1,9c,4d,4d,7a,5b,f4,dd,bb,
    54,0d,ff,07,ba,bf,b1,e5,47,48,8f,f7,1f,d9,50,19,53,72,bb,23,ac,63,7c,ec,71,\
    "4"=hex:2f,ad,a2,e7,8a,bf,05,5e
    "5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
    1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
    "6"=hex:05,a5,52,27,27,68,21,41,e8,57,cb,d5,86,b9,d9,4d,04,e9,ec,33,5f,dc,e0,
    5f,f1,36,b3,d4,f9,4f,c1,10,42,ec,21,28,86,84,ba,98,1e,6a,ac,b2,20,42,3f,13,\
    "7"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,56,a7,02,9d,f0,a0,1d,
    cc,28,d9,b1,18,9e,f1,8d,e8,54,e6,61,27,95,2e,52,cc,1c,f7,fa,64,bd,24,b7,82,\
    "8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,43,69,70,4c,7e,7f,7c,
    de,a0,46,ee,d1,e1,d8,58,7c,16,70,d4,a0,8c,ec,86,77,7d,72,2c,53,77,0b,6f,be,\
    "9"=hex:81,20,8f,ab,28,6a,52,9c
    "18"=hex:d0,71,12,cb,08,b7,a7,d6
    "10"=hex:81,20,8f,ab,28,6a,52,9c
    "11"=hex:81,20,8f,ab,28,6a,52,9c
    "12"=hex:d5,90,e6,df,4e,37,01,15,0c,c2,ff,ad,61,7c,6a,9d,39,0c,79,c9,07,ef,e3,
    ac,65,be,f2,80,0d,c6,1b,5a,a1,43,f4,b1,0e,10,22,86,33,8d,21,6e,46,8b,6e,d7,\
    "13"=hex:f0,33,65,9f,eb,89,46,b0,63,1b,8f,01,9c,12,f9,88,a1,9a,09,82,82,d5,4b,
    42
    "14"=hex:08,ff,2b,1c,69,18,ef,7b,2e,51,47,6e,41,a5,c7,f7
    "24"=hex:81,20,8f,ab,28,6a,52,9c
    "26"=hex:81,20,8f,ab,28,6a,52,9c
    "27"=hex:81,20,8f,ab,28,6a,52,9c
    "19"=hex:6e,03,58,68,65,9c,f5,be,49,f0,3e,aa,ff,42,eb,8b
    "22"=hex:81,20,8f,ab,28,6a,52,9c
    "15"=hex:7d,53,1c,0a,cf,9d,47,75,c8,92,3c,95,49,d1,43,24,9c,0b,a9,e3,43,db,f2,
    7c,65,49,3b,bf,20,39,49,ec,80,7f,ac,24,3a,ff,e0,15,7b,c4,8f,e5,18,79,04,f6,\
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\windows\SysWOW64\PnkBstrA.exe
    c:\program files (x86)\IObit\Game Booster\gbtray.exe
    c:\program files (x86)\Windows Media Player\wmplayer.exe
    .
    **************************************************************************
    .
    Completion time: 2011-10-25 00:07:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-10-25 05:07
    .
    Pre-Run: 206,310,313,984 bytes free
    Post-Run: 206,291,058,688 bytes free
    .
    - - End Of File - - 35ECEB32026ED4BD9DAC5FE58BEB9C5A

    Thanks!
     
  6. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    Looks good :)

    How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
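The OTL.txt these instructions produce lists every running process, loaded module, service and driver on one line in a fixed format (kind, timestamp, size, attributes, company name, state, path and service name). As an added example that is not part of this thread and is not OTL's own code, the Python below parses lines in that format, runs over a handful of sample lines modelled on the ones posted in this thread, and flags the entries a log reviewer usually looks at first: no company name, an executable sitting directly in the Windows directory, and a very small auto-start service. The Windows directory (C:\Windows) and the 10 KB threshold are assumptions made for the example, not OTL settings.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List

# One OTL PRC/MOD/SRV/DRV line, in the shape it appears in this thread:
#   KIND[:64bit:] - [date time | 000,123,456 | attrs | M] (Company) [state] -- path -- (ServiceName) description
OTL_LINE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV)(?P<bits64>:64bit:)? - "
    r"\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<flag>[MC])\] "
    r"\((?P<company>[^)]*)\)"
    r"(?: \[(?P<state>[^\]]*)\])?"
    r" -- (?P<path>.+?)"
    r"(?: -- \((?P<name>[^)]*)\)(?: .*)?)?$"
)

# Constructed sample, modelled on the OTL entries posted in this thread.
SAMPLE_OTL = r"""
PRC - [2011/09/06 15:45:28 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2011/07/17 11:16:52 | 000,002,560 | ---- | M] () -- C:\Windows\Runservice.exe
SRV:64bit: - [2008/01/19 00:06:52 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2011/07/17 11:16:52 | 000,002,560 | ---- | M] () [Auto | Running] -- C:\Windows\Runservice.exe -- (LicCtrlService)
DRV:64bit: - [2009/06/12 18:06:20 | 000,314,016 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\atksgt.sys -- (atksgt)
DRV:64bit: - [2010/05/05 21:30:10 | 000,684,376 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
MOD - [2009/09/15 19:20:50 | 000,177,152 | -H-- | M] () -- C:\Program Files (x86)\IObit\Game Booster\madbasic_.bpl
"""

# Assumptions for this example: %SystemRoot% is C:\Windows (as the OTL header in
# this thread reports) and anything under 10 KB counts as a "tiny" service binary.
SYSTEM_ROOT = PureWindowsPath(r"C:\Windows")
TINY_BYTES = 10 * 1024


@dataclass
class OtlEntry:
    kind: str        # PRC, MOD, SRV or DRV
    native64: bool   # True when OTL marked the line ":64bit:"
    stamp: str       # date and time as printed
    size: int        # file size in bytes (commas stripped)
    attrs: str       # attribute column, e.g. "----" or "-H--"
    company: str     # company name, empty when OTL printed "()"
    state: str       # service/driver state column, empty for PRC and MOD
    path: str        # file path
    name: str        # service or driver name, empty when absent


def parse_otl_entries(text: str) -> List[OtlEntry]:
    """Parse every PRC/MOD/SRV/DRV line; headers and other sections are skipped."""
    entries: List[OtlEntry] = []
    for raw in text.splitlines():
        m = OTL_LINE.match(raw.strip())
        if not m:
            continue
        entries.append(OtlEntry(
            kind=m["kind"], native64=m["bits64"] is not None, stamp=m["stamp"],
            size=int(m["size"].replace(",", "")), attrs=m["attrs"],
            company=m["company"].strip(), state=m["state"] or "",
            path=m["path"], name=m["name"] or ""))
    return entries


def triage(entries: List[OtlEntry]) -> Dict[str, List[str]]:
    """Map each path that trips a check to the reasons it deserves a closer look."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if not e.company:
            reasons.append("no company name (unknown publisher)")
        if e.kind in ("PRC", "SRV") and PureWindowsPath(e.path).parent == SYSTEM_ROOT:
            reasons.append("executable sitting directly in the Windows directory")
        if e.kind == "SRV" and e.size < TINY_BYTES and "Auto" in e.state:
            reasons.append(f"auto-start service binary of only {e.size} bytes")
        if reasons:
            bucket = findings.setdefault(e.path, [])
            for r in reasons:          # the same file can appear as PRC and SRV
                if r not in bucket:
                    bucket.append(r)
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_otl_entries(SAMPLE_OTL)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

A flagged line is a prompt to check the file (publisher, hash, when it appeared), not a verdict: legitimate copy-protection and audio components also ship without a company string, as the sample shows. The value of the script is ordering the hundreds of entries in a full OTL.txt so the handful worth submitting for analysis surface first.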
     
  7. Rangoon

    Rangoon TS Rookie Topic Starter Posts: 20

    Hi Broni,

    Thanks again for your continued assistance!

    Here is OTL.txt (part 1):


    OTL logfile created on: 10/25/2011 8:10:33 PM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Jeff\Desktop
    64bit-Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.19120)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    4.00 Gb Total Physical Memory | 2.62 Gb Available Physical Memory | 65.62% Memory free
    8.19 Gb Paging File | 6.70 Gb Available in Paging File | 81.79% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 279.46 Gb Total Space | 188.88 Gb Free Space | 67.59% Space Free | Partition Type: NTFS
    Drive D: | 6.61 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
    Drive E: | 139.73 Gb Total Space | 17.86 Gb Free Space | 12.78% Space Free | Partition Type: NTFS
    Drive G: | 931.51 Gb Total Space | 365.12 Gb Free Space | 39.20% Space Free | Partition Type: NTFS

    Computer Name: JEFFVISTA64 | User Name: Jeff | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/10/25 19:36:09 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Jeff\Desktop\OTL.exe
    PRC - [2011/09/06 15:45:30 | 003,722,416 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
    PRC - [2011/09/06 15:45:28 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    PRC - [2011/07/17 11:16:52 | 000,002,560 | ---- | M] () -- C:\Windows\Runservice.exe
    PRC - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2011/05/13 23:27:00 | 002,226,792 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    PRC - [2011/02/08 15:40:47 | 000,075,136 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
    PRC - [2011/01/20 17:20:34 | 000,426,840 | ---- | M] (IObit) -- C:\Program Files (x86)\IObit\Game Booster\gbtray.exe
    PRC - [2010/09/13 08:56:02 | 000,168,960 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    PRC - [2010/05/14 11:44:46 | 000,501,480 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
    PRC - [2010/05/05 19:56:42 | 000,025,600 | ---- | M] (Creative Technology Ltd) -- C:\Windows\SysWOW64\Ctxfihlp.exe
    PRC - [2010/05/05 19:51:56 | 001,212,928 | ---- | M] (Creative Technology Ltd) -- C:\Windows\SysWOW64\CTxfispi.exe
    PRC - [2010/02/12 10:23:12 | 000,286,720 | ---- | M] (Creative Technology Ltd) -- C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
    PRC - [2009/11/23 15:13:31 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
    PRC - [2009/08/13 18:37:44 | 000,522,760 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/01/20 17:21:16 | 000,511,384 | ---- | M] () -- C:\Program Files (x86)\IObit\Game Booster\sqlite3.dll
    MOD - [2010/05/05 19:56:46 | 000,002,560 | ---- | M] () -- C:\Windows\SysWOW64\CtxfiRes.dll
    MOD - [2009/09/15 19:20:50 | 000,177,152 | -H-- | M] () -- C:\Program Files (x86)\IObit\Game Booster\madbasic_.bpl
    MOD - [2009/09/15 19:20:50 | 000,044,544 | -H-- | M] () -- C:\Program Files (x86)\IObit\Game Booster\maddisAsm_.bpl
    MOD - [2009/09/15 19:20:44 | 000,345,088 | -H-- | M] () -- C:\Program Files (x86)\IObit\Game Booster\madexcept_.bpl
    MOD - [2009/03/26 14:46:42 | 000,148,480 | ---- | M] () -- C:\Windows\SysWOW64\APOMngr.DLL


    ========== Win32 Services (SafeList) ==========

    SRV:64bit: - [2011/09/06 15:45:28 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
    SRV:64bit: - [2008/01/19 00:06:52 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV:64bit: - [2008/01/19 00:00:54 | 000,195,584 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
    SRV - [2011/07/17 11:16:52 | 000,002,560 | ---- | M] () [Auto | Running] -- C:\Windows\Runservice.exe -- (LicCtrlService)
    SRV - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2011/06/01 22:52:33 | 000,403,240 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
    SRV - [2011/05/13 23:27:00 | 002,226,792 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
    SRV - [2011/05/09 19:08:34 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe -- (Creative ALchemy AL6 Licensing Service)
    SRV - [2011/02/08 15:40:47 | 000,075,136 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
    SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2010/02/12 10:23:12 | 000,286,720 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
    SRV - [2009/11/19 14:51:10 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
    SRV - [2009/10/23 12:31:44 | 000,401,920 | ---- | M] (Amazon.com) [On_Demand | Stopped] -- C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe -- (Amazon Download Agent)
    SRV - [2009/03/29 23:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2011/09/06 15:38:18 | 000,601,944 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
    DRV:64bit: - [2011/09/06 15:38:16 | 000,301,912 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
    DRV:64bit: - [2011/09/06 15:36:41 | 000,058,200 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
    DRV:64bit: - [2011/09/06 15:36:41 | 000,042,328 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr.sys -- (aswRdr)
    DRV:64bit: - [2011/09/06 15:36:30 | 000,065,368 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
    DRV:64bit: - [2011/09/06 15:36:14 | 000,024,408 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV:64bit: - [2010/05/05 21:30:52 | 001,561,688 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ha20x2k.sys -- (ha20x2k)
    DRV:64bit: - [2010/05/05 21:30:42 | 000,118,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\emupia2k.sys -- (emupia)
    DRV:64bit: - [2010/05/05 21:30:34 | 000,213,080 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctsfm2k.sys -- (ctsfm2k)
    DRV:64bit: - [2010/05/05 21:30:26 | 000,015,960 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctprxy2k.sys -- (ctprxy2k)
    DRV:64bit: - [2010/05/05 21:30:18 | 000,179,288 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctoss2k.sys -- (ossrv)
    DRV:64bit: - [2010/05/05 21:30:10 | 000,684,376 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
    DRV:64bit: - [2010/05/05 21:30:02 | 000,580,696 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ctac32k.sys -- (ctac32k)
    DRV:64bit: - [2010/05/05 21:29:52 | 001,417,304 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CTEXFIFX.SYS -- (CTEXFIFX.SYS)
    DRV:64bit: - [2010/05/05 21:29:52 | 001,417,304 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CTEXFIFX.SYS -- (CTEXFIFX)
    DRV:64bit: - [2010/05/05 21:29:42 | 000,094,808 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CTHWIUT.SYS -- (CTHWIUT.SYS)
    DRV:64bit: - [2010/05/05 21:29:42 | 000,094,808 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CTHWIUT.SYS -- (CTHWIUT)
    DRV:64bit: - [2010/05/05 21:29:34 | 000,202,840 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CT20XUT.SYS -- (CT20XUT.SYS)
    DRV:64bit: - [2010/05/05 21:29:34 | 000,202,840 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CT20XUT.SYS -- (CT20XUT)
    DRV:64bit: - [2009/09/09 20:24:12 | 000,074,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\xusb21.sys -- (xusb21)
    DRV:64bit: - [2009/07/14 16:36:28 | 000,022,408 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LGBusEnum.sys -- (LGBusEnum)
    DRV:64bit: - [2009/07/01 13:19:00 | 000,423,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\nvmimx64.sys -- (NVNET55)
    DRV:64bit: - [2009/06/12 18:06:20 | 000,314,016 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\atksgt.sys -- (atksgt)
    DRV:64bit: - [2009/06/12 18:06:20 | 000,043,680 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\lirsgt.sys -- (lirsgt)
    DRV:64bit: - [2008/11/25 05:21:46 | 000,015,200 | ---- | M] (CH Products) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\chdrvr03.sys -- (chdrvr03)
    DRV:64bit: - [2008/11/25 05:21:30 | 000,010,720 | ---- | M] (CH Products) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\chdrvr02.sys -- (chdrvr02)
    DRV:64bit: - [2008/11/25 05:21:14 | 000,248,416 | ---- | M] (CH Products) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\chdrvr01.sys -- (chdrvr01)
    DRV:64bit: - [2008/04/25 15:54:58 | 000,055,328 | ---- | M] (Thesycon GmbH, Germany) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\npusbio_x64.sys -- (npusbio)
    DRV:64bit: - [2008/01/18 22:30:10 | 000,903,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\xnacc.sys -- (xnacc)
    DRV:64bit: - [2007/07/17 17:42:38 | 000,056,336 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\LMouFilt.Sys -- (LMouFilt)
    DRV:64bit: - [2007/07/17 17:42:32 | 000,054,288 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\LHidFilt.Sys -- (LHidFilt)
    DRV:64bit: - [2006/10/09 21:09:03 | 000,742,696 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\nvm60x64.sys -- (NVENETFD)
    DRV - [2009/03/07 12:03:40 | 000,019,432 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\CPUID\PC Wizard 2010\pcwiz64.sys -- (cpuz132)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-1787995230-711523803-3076010400-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-1787995230-711523803-3076010400-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-1787995230-711523803-3076010400-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 68 21 AC CE EB 5C CC 01 [binary data]
    IE - HKU\S-1-5-21-1787995230-711523803-3076010400-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\S-1-5-21-1787995230-711523803-3076010400-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    ========== FireFox ==========


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.448: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/10/24 20:49:45 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/10/24 13:13:21 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

    [2009/06/21 20:29:41 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Jeff\AppData\Roaming\Mozilla\Extensions
    [2011/10/05 17:53:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\5ttf6sw7.default\extensions
    [2011/10/24 13:13:43 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\5ttf6sw7.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2011/10/13 10:13:59 | 000,000,000 | -H-D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
    [2011/10/22 14:42:45 | 000,000,000 | -H-D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\distribution\extensions
    [2011/10/22 14:42:45 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
    [2011/10/06 23:42:27 | 000,002,252 | -H-- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
    [2011/10/06 23:42:27 | 000,002,040 | -H-- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml
    [2011/10/05 08:30:14 | 000,002,223 | -H-- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\websearch.xml

    ========== Chrome ==========

    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
    CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\14.0.835.202\gcswf32.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\MpcStar\Codecs\QuickTime\plugins\npqtplugin.dll
    CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\MpcStar\Codecs\QuickTime\plugins\npqtplugin2.dll
    CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\MpcStar\Codecs\QuickTime\plugins\npqtplugin3.dll
    CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\MpcStar\Codecs\QuickTime\plugins\npqtplugin4.dll
    CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\MpcStar\Codecs\QuickTime\plugins\npqtplugin5.dll
    CHR - plugin: Java Deployment Toolkit 6.0.230.5 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    CHR - plugin: Java(TM) Platform SE 6 U23 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
    CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll
    CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
    CHR - plugin: RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = c:\program files\real\realplayer\Netscape6\nppl3260.dll
    CHR - plugin: RealPlayer Version Plugin (Enabled) = c:\program files\real\realplayer\Netscape6\nprpjplug.dll
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\14.0.835.202\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\14.0.835.202\pdf.dll
    CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    CHR - plugin: Windows Presentation Foundation (Enabled) = C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    CHR - plugin: RealJukebox NS Plugin (Enabled) = c:\program files\real\realplayer\Netscape6\nprjplug.dll
    CHR - plugin: Default Plug-in (Enabled) = default_plugin
    CHR - Extension: avast! WebRep = C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\6.0.1289_0\

    O1 HOSTS File: ([2011/10/25 00:04:14 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\realplayer\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O4:64bit: - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
    O4:64bit: - HKLM..\Run: [Launch LCDMon] C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe (Logitech Inc.)
    O4:64bit: - HKLM..\Run: [Launch LGDCore] C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe (Logitech Inc.)
    O4:64bit: - HKLM..\Run: [Launch LgDeviceAgent] C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe (Logitech Inc.)
    O4:64bit: - HKLM..\Run: [XboxStat] C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [AmazonGSDownloaderTray] C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe (Amazon.com)
    O4 - HKLM..\Run: [AsioThk32Reg] C:\Windows\SysWow64\ctasio.dll (Creative Technology Ltd)
    O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [CTxfiHlp] C:\Windows\SysWow64\Ctxfihlp.exe (Creative Technology Ltd)
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
    O4 - HKLM..\Run: [VolPanel] "C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe" /r File not found
    O4 - HKU\S-1-5-21-1787995230-711523803-3076010400-1000..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found
    O4 - HKU\S-1-5-21-1787995230-711523803-3076010400-1005..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-21-1787995230-711523803-3076010400-1005..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1787995230-711523803-3076010400-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1787995230-711523803-3076010400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\S-1-5-21-1787995230-711523803-3076010400-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O15 - HKU\S-1-5-21-1787995230-711523803-3076010400-1000\..Trusted Domains: mozilla.com ([www] http in Trusted sites)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{89E33CA3-EE61-45F0-AEEA-17B030314824}: DhcpNameServer = 192.168.1.1
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img2.jpg
    O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img2.jpg
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)

    Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32:64bit: VIDC.FPS1 - frapsv64.dll (Beepa P/L)
    Drivers32: msacm.divxa32 - C:\Windows\SysWow64\divxa32.acm (Kristal StudioDFileDescription)
    Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\Windows\SysWow64\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)
    Drivers32: VIDC.FFDS - C:\Windows\SysWow64\ff_vfw.dll ()
    Drivers32: VIDC.FPS1 - C:\Windows\SysWow64\frapsvid.dll (Beepa P/L)
    Drivers32: VIDC.RTV1 - rtvcvfw32.dll File not found
    Drivers32: vidc.tscc - C:\Program Files (x86)\MpcStar\Codecs\tscc\tsccvid.dll (TechSmith Corporation)
    Drivers32: vidc.VP60 - C:\Windows\system32\vp6vfw.dll File not found
    Drivers32: vidc.VP61 - C:\Windows\system32\vp6vfw.dll File not found
    Drivers32: vidc.XVID - C:\Windows\SysWow64\xvidvfw.dll ()
    Drivers32: VIDC.YV12 - C:\Windows\SysWOW64\ff_vfw.dll ()

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/10/25 19:36:07 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Jeff\Desktop\OTL.exe
    [2011/10/25 00:08:13 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2011/10/25 00:07:32 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2011/10/24 23:33:54 | 000,000,000 | ---D | C] -- C:\Users\Jeff\AppData\Roaming\Malwarebytes
    [2011/10/24 23:33:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/10/24 23:33:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2011/10/24 23:33:21 | 000,025,416 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2011/10/24 23:33:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2011/10/24 20:50:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
    [2011/10/24 20:50:17 | 000,301,912 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
    [2011/10/24 20:50:17 | 000,024,408 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
    [2011/10/24 20:50:17 | 000,000,000 | ---D | C] -- C:\Users\Jeff\AppData\Local\Google
    [2011/10/24 20:50:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Google
    [2011/10/24 20:50:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
    [2011/10/24 20:50:16 | 000,042,328 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr.sys
    [2011/10/24 20:50:15 | 000,601,944 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
    [2011/10/24 20:50:15 | 000,254,400 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
    [2011/10/24 20:50:15 | 000,065,368 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
    [2011/10/24 20:50:15 | 000,058,200 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
    [2011/10/24 20:49:44 | 000,041,184 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
    [2011/10/24 20:49:43 | 000,199,304 | ---- | C] (AVAST Software) -- C:\Windows\SysWow64\aswBoot.exe
    [2011/10/24 20:49:35 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
    [2011/10/24 20:49:35 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
    [2011/10/24 15:56:30 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2011/10/24 15:56:30 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2011/10/24 15:56:30 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2011/10/24 15:56:20 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2011/10/24 15:56:14 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/10/23 22:29:15 | 000,000,000 | -H-D | C] -- C:\Users\Jeff\AppData\Local\Take On Helicopters
    [2011/10/23 22:29:15 | 000,000,000 | ---D | C] -- C:\Users\Jeff\Documents\Take On Helicopters
    [2011/10/23 22:25:43 | 000,000,000 | ---D | C] -- C:\Users\Jeff\{61f13630-6f16-42c7-9a60-1be001aa4f87}
    [2011/10/23 20:28:04 | 000,000,000 | ---D | C] -- C:\Program Files\Bohemia Interactive
    [2011/10/13 16:32:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Adobe
    [2011/10/11 23:05:30 | 000,000,000 | -H-D | C] -- C:\ProgramData\WSTB
    [2011/10/04 23:33:07 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Adobe
    [2010/05/05 19:59:10 | 000,060,928 | ---- | C] ( ) -- C:\Windows\SysWow64\a3d.dll
    [2010/05/05 19:38:18 | 000,012,800 | ---- | C] ( ) -- C:\Windows\SysWow64\killapps.exe
    [6 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [2 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
    [14 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/10/25 20:05:00 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2011/10/25 19:36:09 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Jeff\Desktop\OTL.exe
    [2011/10/25 18:57:28 | 000,004,080 | ---- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/10/25 18:57:28 | 000,004,080 | ---- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/10/25 14:05:00 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2011/10/25 09:03:39 | 000,802,418 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2011/10/25 09:03:39 | 000,672,542 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2011/10/25 09:03:39 | 000,131,964 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2011/10/25 08:57:39 | 000,003,657 | ---- | M] () -- C:\Windows\SysWow64\mmf.sys
    [2011/10/25 08:57:27 | 000,067,584 | ---- | M] () -- C:\Windows\bootstat.dat
    [2011/10/25 01:20:46 | 000,061,040 | ---- | M] () -- C:\Windows\SysNative\BMXStateBkp-{00000005-00000000-0000000A-00001102-00000005-002C1102}.rfx
    [2011/10/25 01:20:46 | 000,061,040 | ---- | M] () -- C:\Windows\SysNative\BMXState-{00000005-00000000-0000000A-00001102-00000005-002C1102}.rfx
    [2011/10/25 01:20:46 | 000,000,788 | ---- | M] () -- C:\Windows\SysNative\DVCState-{00000005-00000000-0000000A-00001102-00000005-002C1102}.rfx
    [2011/10/25 00:04:14 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
    [2011/10/24 23:48:35 | 000,000,512 | ---- | M] () -- C:\Users\Jeff\Desktop\MBR.dat
    [2011/10/24 20:50:46 | 000,002,009 | ---- | M] () -- C:\Users\Jeff\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    [2011/10/24 20:50:15 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
    [2011/10/24 14:01:19 | 000,161,792 | ---- | M] () -- C:\Users\Jeff\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/10/07 07:59:52 | 000,003,657 | ---- | M] () -- C:\Windows\SysWow64\mmf(31215).sys
    [2011/10/07 00:56:08 | 000,085,401 | -H-- | M] () -- C:\Users\Jeff\Desktop\MHA Fall Meeting 2011.pdf
    [2011/09/28 16:23:44 | 001,394,670 | -H-- | M] () -- C:\Users\Jeff\Desktop\PilotInsurance_2011.jpg
    [2011/09/28 09:27:48 | 000,108,256 | -H-- | M] () -- C:\Users\Jeff\Desktop\pilot form 001.tif
    [2011/09/27 23:09:08 | 000,280,736 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.xtr
    [2011/09/27 23:09:08 | 000,280,736 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.exe
    [2011/09/27 23:07:13 | 000,270,904 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.ex0
    [6 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [2 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
    [14 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
     
  8. Rangoon

    Rangoon TS Rookie Topic Starter Posts: 20

    and OTL.txt (part 2):


    ========== Files Created - No Company Name ==========

    [2011/10/24 23:48:35 | 000,000,512 | ---- | C] () -- C:\Users\Jeff\Desktop\MBR.dat
    [2011/10/24 20:50:46 | 000,002,009 | ---- | C] () -- C:\Users\Jeff\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    [2011/10/24 20:50:23 | 000,000,894 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2011/10/24 20:50:22 | 000,000,890 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2011/10/24 20:50:15 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\config.nt
    [2011/10/24 15:56:30 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2011/10/24 15:56:30 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2011/10/24 15:56:30 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2011/10/24 15:56:30 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2011/10/24 15:56:30 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2011/10/13 16:32:08 | 000,002,425 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
    [2011/10/07 00:56:08 | 000,085,401 | -H-- | C] () -- C:\Users\Jeff\Desktop\MHA Fall Meeting 2011.pdf
    [2011/09/28 16:20:40 | 001,394,670 | -H-- | C] () -- C:\Users\Jeff\Desktop\PilotInsurance_2011.jpg
    [2011/09/28 09:12:49 | 000,108,256 | -H-- | C] () -- C:\Users\Jeff\Desktop\pilot form 001.tif
    [2011/08/14 09:08:57 | 000,012,082 | -H-- | C] () -- C:\Users\Jeff\AppData\Local\050dhxf3unx808x
    [2011/08/14 09:08:57 | 000,012,082 | -H-- | C] () -- C:\ProgramData\050dhxf3unx808x
    [2011/08/14 08:41:42 | 000,000,120 | -H-- | C] () -- C:\Users\Jeff\AppData\Local\Wsajirux.dat
    [2011/08/14 08:41:42 | 000,000,000 | -H-- | C] () -- C:\Users\Jeff\AppData\Local\Kronadod.bin
    [2011/07/17 11:16:52 | 000,048,640 | ---- | C] () -- C:\Windows\mmfs.dll
    [2011/07/17 11:16:52 | 000,048,640 | ---- | C] () -- C:\Windows\mmfs(14087).dll
    [2011/07/17 11:16:52 | 000,003,657 | ---- | C] () -- C:\Windows\SysWow64\mmf.sys
    [2011/07/17 11:16:52 | 000,003,657 | ---- | C] () -- C:\Windows\SysWow64\mmf(31215).sys
    [2011/07/17 11:16:52 | 000,002,560 | ---- | C] () -- C:\Windows\Runservice.exe
    [2011/07/17 11:16:52 | 000,002,560 | ---- | C] () -- C:\Windows\Runservice(14110).exe
    [2011/05/09 18:18:03 | 000,148,480 | ---- | C] () -- C:\Windows\SysWow64\APOMngr.DLL
    [2011/05/09 18:18:03 | 000,073,728 | ---- | C] () -- C:\Windows\SysWow64\CmdRtr.DLL
    [2011/04/09 18:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
    [2010/08/29 20:00:19 | 000,280,736 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
    [2010/08/29 20:00:14 | 000,075,136 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
    [2010/05/05 20:37:52 | 000,021,204 | ---- | C] () -- C:\Windows\SysWow64\instwdm.ini
    [2010/05/05 19:38:22 | 000,007,680 | ---- | C] () -- C:\Windows\SysWow64\enlocstr.exe
    [2009/08/31 20:39:25 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
    [2009/08/31 20:39:07 | 000,107,612 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchema.bin
    [2009/08/31 20:38:49 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
    [2009/08/05 18:04:04 | 000,009,809 | -H-- | C] () -- C:\Users\Jeff\AppData\Roaming\TheHunterSettings.bin
    [2009/08/03 16:29:09 | 000,000,037 | ---- | C] () -- C:\Users\Jeff\AppData\Roaming\TheHunterSettings.cfg
    [2009/06/04 02:37:06 | 000,000,054 | ---- | C] () -- C:\Windows\SysWow64\ctzapxx.ini
    [2009/06/04 01:55:20 | 000,002,560 | ---- | C] () -- C:\Windows\SysWow64\CtxfiRes.dll
    [2009/06/04 01:40:44 | 000,321,512 | ---- | C] () -- C:\Windows\SysWow64\ctdlang.dat
    [2009/06/04 01:40:44 | 000,056,509 | ---- | C] () -- C:\Windows\SysWow64\ctdnlstr.dat
    [2009/05/27 10:49:00 | 000,000,285 | ---- | C] () -- C:\Windows\SysWow64\kill.ini
    [2009/05/10 20:12:21 | 000,000,760 | ---- | C] () -- C:\Users\Jeff\AppData\Roaming\setup_ldm.iss
    [2009/03/12 17:08:00 | 000,000,580 | R--- | C] () -- C:\ProgramData\ntuser.pol
    [2008/12/07 12:29:27 | 000,000,038 | ---- | C] () -- C:\Windows\cdplayer.ini
    [2008/12/01 15:22:40 | 000,000,331 | ---- | C] () -- C:\Windows\game.ini
    [2008/10/24 17:41:56 | 000,018,904 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchemaTrivial.bin
    [2008/10/24 15:34:51 | 000,001,356 | -H-- | C] () -- C:\Users\Jeff\AppData\Local\d3d9caps.dat
    [2008/10/24 15:34:50 | 000,000,552 | -H-- | C] () -- C:\Users\Jeff\AppData\Local\d3d8caps.dat
    [2008/10/24 01:57:00 | 000,000,082 | ---- | C] () -- C:\Windows\TweakOblivion.ini
    [2008/09/28 18:36:41 | 000,000,510 | ---- | C] () -- C:\Windows\WORDPAD.INI
    [2008/09/26 17:42:49 | 000,000,023 | ---- | C] () -- C:\Windows\BlendSettings.ini
    [2008/08/24 11:51:33 | 000,161,792 | ---- | C] () -- C:\Users\Jeff\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/07/12 18:40:52 | 000,000,092 | -H-- | C] () -- C:\Users\Jeff\AppData\Local\fusioncache.dat
    [2008/07/12 18:20:58 | 000,786,440 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2008/07/12 18:14:04 | 002,250,024 | ---- | C] () -- C:\Windows\SysWow64\pbsvc.exe
    [2008/06/12 20:36:38 | 000,007,680 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
    [2008/06/09 08:14:10 | 000,029,752 | ---- | C] () -- C:\Windows\SysWow64\InstHelper.dll
    [2008/06/06 23:55:08 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
    [2008/06/06 22:07:50 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
    [2008/06/06 22:01:11 | 000,003,644 | -H-- | C] () -- C:\Users\Jeff\AppData\Local\d3d9caps64.dat
    [2008/04/12 07:41:20 | 000,180,224 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
    [2008/04/12 07:30:20 | 000,765,952 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
    [2007/02/05 20:05:26 | 000,000,038 | ---- | C] () -- C:\Windows\AviSplitter.INI
    [2006/11/02 10:35:48 | 000,067,584 | ---- | C] () -- C:\Windows\bootstat.dat
    [2006/11/02 07:37:14 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
    [2006/11/02 07:24:17 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
    [2006/11/02 07:18:17 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
    [2006/11/02 04:47:54 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin

    ========== LOP Check ==========

    [2010/11/11 01:07:29 | 000,000,000 | ---D | M] -- C:\Users\Jeff\AppData\Roaming\.minecraft
    [2011/10/24 13:13:42 | 000,000,000 | ---D | M] -- C:\Users\Jeff\AppData\Roaming\ACV
    [2011/10/24 13:13:42 | 000,000,000 | ---D | M] -- C:\Users\Jeff\AppData\Roaming\APOX
    [2008/10/13 01:19:21 | 000,000,000 | -H-D | M] -- C:\Users\Jeff\AppData\Roaming\Auslogics
    [2011/10/24 13:13:42 | 000,000,000 | ---D | M] -- C:\Users\Jeff\AppData\Roaming\BitTorrent
    [2011/05/25 00:47:00 | 000,000,000 | ---D | M] -- C:\Users\Jeff\AppData\Roaming\Gearbox Software
    [2011/08/28 15:08:19 | 000,000,000 | ---D | M] -- C:\Users\Jeff\AppData\Roaming\Kalypso Media
    [2008/06/07 01:10:23 | 000,000,000 | -H-D | M] -- C:\Users\Jeff\AppData\Roaming\Leadertech
    [2009/03/12 18:08:45 | 000,000,000 | -H-D | M] -- C:\Users\Jeff\AppData\Roaming\Mount&Blade
    [2010/08/03 16:13:43 | 000,000,000 | -H-D | M] -- C:\Users\Jeff\AppData\Roaming\Mount&Blade Warband
    [2011/09/04 00:13:41 | 000,000,000 | -H-D | M] -- C:\Users\Jeff\AppData\Roaming\Polynomial
    [2011/10/24 13:13:44 | 000,000,000 | ---D | M] -- C:\Users\Jeff\AppData\Roaming\SystemRequirementsLab
    [2011/05/10 19:35:30 | 000,000,000 | -H-D | M] -- C:\Users\Jeff\AppData\Roaming\The Creative Assembly
    [2011/10/24 13:13:44 | 000,000,000 | ---D | M] -- C:\Users\Jeff\AppData\Roaming\The First Templar
    [2009/04/18 16:28:20 | 000,000,000 | -H-D | M] -- C:\Users\Jeff\AppData\Roaming\The Path
    [2008/09/23 15:56:37 | 000,000,000 | -H-D | M] -- C:\Users\Jeff\AppData\Roaming\TigerPlayer
    [2010/02/23 15:50:28 | 000,000,000 | -H-D | M] -- C:\Users\Jeff\AppData\Roaming\XRay Engine
    [2011/10/25 01:20:41 | 000,032,570 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2009/06/17 09:09:06 | 000,000,000 | -H-- | M] () -- C:\acc_speed.txt
    [2009/04/11 01:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
    [2008/06/07 00:19:04 | 000,008,192 | RH-- | M] () -- C:\BOOTSECT.BAK
    [2011/10/25 00:07:30 | 000,029,535 | ---- | M] () -- C:\ComboFix.txt
    [2011/05/09 13:59:00 | 000,017,786 | -H-- | M] () -- C:\CTSUFile.txt
    [2008/06/06 22:57:44 | 000,327,336 | -H-- | M] () -- C:\DS-263N.icc
    [2006/12/01 23:37:14 | 000,904,704 | ---- | M] (Microsoft Corporation) -- C:\msdia80.dll
    [2011/10/25 08:57:24 | 312,094,719 | -HS- | M] () -- C:\pagefile.sys
    [2011/10/24 19:32:51 | 000,000,452 | ---- | M] () -- C:\rkill.log
    [2011/10/24 19:29:31 | 000,071,316 | ---- | M] () -- C:\TDSSKiller.2.6.12.0_24.10.2011_19.29.03_log.txt

    < %systemroot%\Fonts\*.com >
    [2006/11/02 10:05:44 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2006/11/02 10:05:44 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2006/11/02 10:05:44 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2009/08/31 22:12:20 | 000,037,665 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2006/09/18 16:35:48 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2011/09/06 15:45:29 | 000,041,184 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
    [6 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2008/06/07 00:13:35 | 000,000,174 | ---- | M] () -- C:\Program Files (x86)\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >

    < %USERPROFILE%\Desktop\*.exe >
    [2011/04/14 23:05:37 | 000,627,641 | ---- | M] () -- C:\Users\Jeff\Desktop\Minecraft_Server.exe
    [2011/10/25 19:36:09 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Jeff\Desktop\OTL.exe
    [2011/07/05 23:42:20 | 003,248,481 | ---- | M] (Gaijin Enertainment) -- C:\Users\Jeff\Desktop\Wings_of_Prey.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2006/11/02 10:03:11 | 000,000,802 | ---- | M] () -- C:\Windows\ADDINS\FXSEXT.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2011/08/14 08:43:24 | 000,000,104 | ---- | M] () -- C:\Users\Jeff\Favorites\Games - Shortcut.lnk

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2011/08/14 09:27:37 | 000,012,082 | -H-- | M] () -- C:\ProgramData\050dhxf3unx808x
    [2009/11/11 11:12:49 | 000,000,580 | R--- | M] () -- C:\ProgramData\ntuser.pol

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 498 bytes -> C:\ProgramData\TEMP:05EE1EEF
    @Alternate Data Stream - 168 bytes -> C:\Users\Jeff\Desktop\2009_IRS_Interest_and_Penalties.jpg:3or4kl4x13tuuug3Byamue2s4b
    @Alternate Data Stream - 168 bytes -> C:\Users\Jeff\Desktop\PilotInsurance_2011.jpg:3or4kl4x13tuuug3Byamue2s4b
    @Alternate Data Stream - 168 bytes -> C:\Users\Jeff\Desktop\Beethoven.jpg:3or4kl4x13tuuug3Byamue2s4b

    < End of report >
     
  9. Rangoon

    Rangoon TS Rookie Topic Starter Posts: 20

    Extras.txt (part 1):

    OTL Extras logfile created on: 10/25/2011 8:10:33 PM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Jeff\Desktop
    64bit-Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.19120)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    4.00 Gb Total Physical Memory | 2.62 Gb Available Physical Memory | 65.62% Memory free
    8.19 Gb Paging File | 6.70 Gb Available in Paging File | 81.79% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 279.46 Gb Total Space | 188.88 Gb Free Space | 67.59% Space Free | Partition Type: NTFS
    Drive D: | 6.61 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
    Drive E: | 139.73 Gb Total Space | 17.86 Gb Free Space | 12.78% Space Free | Partition Type: NTFS
    Drive G: | 931.51 Gb Total Space | 365.12 Gb Free Space | 39.20% Space Free | Partition Type: NTFS

    Computer Name: JEFFVISTA64 | User Name: Jeff | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .html[@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
    .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .html [@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)

    [HKEY_USERS\S-1-5-21-1787995230-711523803-3076010400-1000\SOFTWARE\Classes\<extension>]
    .html [@ = ChromeHTML] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
    https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
    inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "E:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "E:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "E:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "E:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0
    "VistaSp1" = 31 3B AB 59 5D C8 C8 01 [binary data]
    "VistaSp2" = 71 EB E0 1B B3 2A CA 01 [binary data]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "oobe_av" = 1

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 0

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{1C22CB14-77BA-467D-BE7C-799AA9F7B45D}" = lport=8413 | protocol=17 | dir=in | name=bitcomet 8413 udp |
    "{28ADEDE1-A4D5-42D8-9B05-BF7C283C4061}" = lport=21248 | protocol=6 | dir=in | name=spport |
    "{28ADEDE1-A4D5-42D8-9B05-BF7C283C4062}" = lport=21248 | protocol=6 | dir=out | name=spport |
    "{FC659859-9CA3-4B04-8D22-B2CA543FF3B1}" = lport=8413 | protocol=6 | dir=in | name=bitcomet 8413 tcp |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0168800C-BD10-40E3-A273-26383B6560DD}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\king arthur - the role-playing wargame\kingarthur.exe |
    "{0181F382-3755-4AB7-8475-6A15C03A3295}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\thepolynomial\polynomial.exe |
    "{0199D45C-4CCD-4C59-B18A-7E234E94DFD5}" = protocol=6 | dir=in | app=g:\steamapps\common\dragon age origins\daoriginslauncher.exe |
    "{0202EBF3-C0C2-4CF8-A79A-EAB2B38778E1}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\total war shogun 2\benchmarks\benchmark_specify_properties.bat |
    "{0260971C-017A-476D-828A-16DF767C4007}" = protocol=17 | dir=in | app=c:\program files (x86)\activision\call of duty 4 - modern warfare\iw3mp.exe |
    "{0271D10C-79FD-4EB1-9BBD-1918FE4DC92B}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\magicka\magicka.exe |
    "{02E4CEA7-3E07-4584-B7F6-09037194FE1E}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\ghostbusters\ghost_w32.exe |
    "{02F93C26-B25F-4256-A1E1-99AFD5530944}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\darwinia\darwinia.exe |
    "{03768405-36BF-435A-8A9B-4BA1731977E0}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\borderlands\binaries\borderlands.exe |
    "{038592CF-5B58-470A-A86D-4ACE7FD96C50}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\tom clancy's splinter cell conviction\src\system\conviction_game.exe |
    "{0477B40A-FC90-42A5-8DA5-C32EDA7A3779}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\dragon age ultimate edition\daoriginslauncher.exe |
    "{06866397-2991-481D-8C9A-F95BFF0F769F}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\aliens vs predator\avp.exe |
    "{06FF6540-C902-47E2-A6E5-615AA084EA30}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\eve online\eve.exe |
    "{07343EA6-08D5-45BA-B4E8-B857C9C882B3}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\left 4 dead 2\left4dead2.exe |
    "{077BC844-3F81-4576-AA25-2423BD453369}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\aliens vs predator\avp_dx11.exe |
    "{08315F06-08A2-484E-B511-F57F83AF1BC1}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\medal of honor\support\ea help\electronic_arts_technical_support.htm |
    "{084B73DB-7D84-4EBF-9BE9-46949EC4177B}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\king arthur - the role-playing wargame\kingarthurmulti.exe |
    "{08AAD5C4-CB60-48FA-94D2-11D306F202E3}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\mountblade warband\mb_warband.exe |
    "{0958C4D3-3AC4-42E6-B529-66D1BBDF63EA}" = protocol=6 | dir=in | app=g:\steamapps\common\kane & lynch 2 - dog days\kl2.exe |
    "{0A5A5A35-2D58-4C41-8781-24BECADAE6B5}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\fear ultimate shooter edition\fear.exe |
    "{0ACCC3B4-5D90-4835-9F78-900A80FF5028}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\battlefield bad company 2\bfbc2game.exe |
    "{0C397BB9-162D-481E-BA14-E068DDC7FDD6}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\machinarium\machinarium.exe |
    "{0C413B69-7651-4C61-A199-02486B530764}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\arma 2\arma2.exe |
    "{0CF7E2ED-6374-4CC6-8D5A-CBB4316155B4}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\empire total war\empire.exe |
    "{0E550509-D377-4EF9-B80E-F6B5C80CA558}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\apox\gameclient\apox.exe |
    "{0E6EB69C-3ED0-46A8-A8E7-A2BD9DD26530}" = protocol=17 | dir=in | app=g:\steamapps\common\aliens vs predator\avp.exe |
    "{0E9DF74A-2DBF-4591-9A7E-E7D080E0F58F}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\magicka\magicka.exe |
    "{0FA856DE-BD42-4C7F-90A5-993063BAC245}" = protocol=6 | dir=in | app=g:\steamapps\common\king arthur - the role-playing wargame\kingarthur.exe |
    "{10430F51-BEC0-4D83-8962-1AC7B1220959}" = protocol=6 | dir=in | app=g:\steamapps\common\grand theft auto iv\gtaiv\launchgtaiv.exe |
    "{11C6441B-01BC-4507-997C-AD18B18CDBC6}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\star wars empire at war\runme.exe |
    "{1339D7C2-3B10-4388-B92B-AA8A2649B65F}" = protocol=17 | dir=in | app=e:\program files\deep silver\s.t.a.l.k.e.r. - clear sky\bin\dedicated\xrengine.exe |
    "{135468C7-A3A0-43E4-B06A-3A9E0270A249}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\jade empire\jadeempirelauncher.exe |
    "{1387900B-0E21-43A3-9C0C-AC13EBE2748E}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\uplink\uplink.exe |
    "{13B0D2C8-4D60-4E64-A5A6-41AF6F17E335}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\left 4 dead 2\left4dead2.exe |
    "{1463153B-E828-476E-9CCC-3B4725624C55}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\batman arkham asylum goty\binaries\bmlauncher.exe |
    "{156C435A-0DCD-40F5-875A-BABDC918B6F2}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\ghost recon advanced warfighter\graw.exe |
    "{15AD8E7D-0E62-4AE1-8F26-1840D415AFF8}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\dragon age ultimate edition\daoriginslauncher.exe |
    "{16B5C76C-B622-4CE2-B91D-2673C3B4CC30}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\men of war\mow.exe |
    "{17B59786-3E90-4075-9ED1-DCFCA78F4D48}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\mafia ii\pc\mafia2.exe |
    "{1861399D-C313-414E-A748-C8D35D163202}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\two worlds - epic edition\twoworlds_radeon.exe |
    "{1964E41B-12E5-4A90-9DF6-DD7DBD5E9DD4}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\call of juarez - bound in blood\cojbibgame_x86.exe |
    "{1B15651C-9199-41AA-AB5B-A9088F28C345}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\arma 2 operation arrowhead\dlcsetup\pmc\datacachepreprocessor.exe |
    "{1B6610E1-864B-4BAC-8D90-5EB8F0394DC3}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\theatre of war\tow.exe |
    "{1BBE0901-14A8-4314-8DD7-2640915234D0}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\the sims 3\support\ea help\electronic_arts_technical_support.htm |
    "{1BDE31DC-F16F-469D-A8B1-662EB7D35680}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\the path\pathviewer.exe |
    "{1C2FD3A7-52F9-416E-96CD-9291265AF6BF}" = protocol=17 | dir=in | app=e:\program files\electronic arts\crytek\crysis\bin64\crysis.exe |
    "{1C394986-6FFA-4318-90D6-2B124DE23786}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\metro 2033\metro2033.exe |
    "{1CC94C65-92B0-4B47-9F26-38617E8B62E7}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\dragon age origins\daoriginslauncher.exe |
    "{1D19F8F3-82A2-4EFF-9B02-E61DE29906A5}" = protocol=6 | dir=in | app=e:\program files\electronic arts\crytek\crysis\bin64\crysisdedicatedserver.exe |
    "{1DF3FBBC-1D95-43D7-B5F1-E748AFB68B95}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\spellforce platinum edition\spellforce.exe |
    "{1F890F93-040B-467E-9176-8BE07BE513F3}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\sniper ghost warrior\sniper_x86.exe |
    "{1FF21EF0-552F-494C-9032-43ADBDE7E83B}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\theatre of war 2 africa 1943\options.exe |
    "{205F3B22-DDD2-4F3E-BA4A-74044C1975A2}" = protocol=17 | dir=in | app=e:\program files\thq\s.t.a.l.k.e.r. - shadow of chernobyl\bin\xr_3da.exe |
    "{2174A1D7-9FE3-40B8-91B2-BD54FC92026F}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\sid meier's civilization v\launcher.exe |
    "{21F7CCCD-2942-4B23-A87B-7EFF5682DEB4}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstra.exe |
    "{22D1910B-BB56-472C-BED0-B23A7BD22301}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\operation flashpoint dragon rising\ofdr.exe |
    "{22EFFD48-2585-4050-AE4A-F6A3CE59D887}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\mountblade warband\mb_warband.exe |
    "{23B8B4A5-CA3E-4E93-97F6-7C215EE3603A}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\arma 2 operation arrowhead\_runa2co.cmd |
    "{248F5F8A-DF48-4F5F-A0B1-8232D665ECED}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\battlefield bad company 2\support\ea help\electronic_arts_technical_support.htm |
    "{2505563A-B99B-403F-9102-861118CA8AB0}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\two worlds - epic edition\twoworlds_radeon.exe |
    "{2562B166-32DE-476D-B559-4A540FA7D1A8}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\gothic 3 forsaken gods\gothic iii forsaken gods.exe |
    "{25CC3CD2-B561-4234-B164-C134F4CD6FC3}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\king arthur - the role-playing wargame\kingarthur.exe |
    "{260CADAC-DD84-4E0F-816B-FE2D270375C5}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\apox\gameclient\apox.exe |
    "{264C307C-DFD1-4BCF-B61D-409801586E1A}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\jade empire\jadeempirelauncher.exe |
    "{26567294-9FC7-4861-9309-E7A8F09A2099}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\clive barker's jericho\bin\jericho.exe |
    "{26BF3C76-E737-44AB-B0DD-AE4249B9DE3E}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\mountblade warband\mb_warband.exe |
    "{28ADEDE1-A4D5-42D8-9B05-BF7C283C4059}" = protocol=6 | dir=in | app=c:\windows\system32\svchost.exe |
    "{28ADEDE1-A4D5-42D8-9B05-BF7C283C4060}" = protocol=6 | dir=out | app=c:\windows\system32\svchost.exe |
    "{28E8D82E-E538-4A21-9E19-34A1C213BD7B}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\thief deadly shadows\system\runme.exe |
    "{28E98E7A-9F3D-4C1B-B4BA-A1157A20A8EB}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\resident evil 5\launcher.exe |
    "{29FFBF34-C22D-4512-A025-511750246155}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\arcania gothic 4\arcania.exe |
    "{2A4FAAFB-A5A2-4F27-8BAE-BC8343E64020}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\settlers 7 gold\data\base\_dbg\bin\release\settlers7r.exe |
    "{2A8E29C4-2766-49A7-B595-143A060C5E23}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\total war shogun 2\benchmarks\benchmark_current_settings.bat |
    "{2AC39D36-8A3B-4E9A-B84F-12594885DC73}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\f1 2010\f1_2010.exe |
    "{2B7BAA5C-4E81-4673-9210-CBD640280FE2}" = protocol=6 | dir=in | app=e:\program files\atari\arma\arma_server.exe |
    "{2B7FD404-4ACB-423D-A353-2D8885EFD684}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\magicka\magicka.exe |
    "{2BC1F09D-C5B4-41DF-82A2-DC1AC8A8B65B}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\saints row 2\sr2_pc.exe |
    "{2D9FDB1F-A947-4FD2-A9BC-B0C7C2488C4F}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\gothic 3 forsaken gods\gothic iii forsaken gods.exe |
    "{2DD880A6-494F-4FF7-8DAF-7263C96888D7}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\ghostbusters\ghost_w32.exe |
    "{2DED7C19-E234-41AE-8C8B-B0BD62E6C7B1}" = protocol=6 | dir=in | app=c:\program files (x86)\thq\s.t.a.l.k.e.r. - shadow of chernobyl\bin\dedicated\xr_3da.exe |
    "{2E0E3A1B-7B89-4323-8AEB-EE3C249E373F}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\brothers in arms hells highway\binaries\biahh.exe |
    "{2E0FDA5B-9E91-450D-A79D-D69BB9BA3A5C}" = protocol=6 | dir=in | app=g:\steamapps\common\mountblade warband\mb_warband.exe |
    "{2E18D1AA-70DC-4824-80CB-CCF2DAB409E1}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\mirrors edge\support\ea help\electronic_arts_technical_support.htm |
    "{2E78675F-2428-4887-9767-2E8740CA97B5}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\command and conquer 4 tiberian twilight\support\ea help\electronic_arts_technical_support.htm |
    "{2EC4E7B3-721B-4523-927F-B4C867675A20}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe |
    "{2FF5516B-6850-41C4-A653-222BC0FABF6C}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\star wars empire at war\runme.exe |
    "{3034E52D-05EB-4FDA-A1A7-2875E51D386F}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\tom clancy's splinter cell conviction\src\system\conviction_game.exe |
    "{31658130-A28C-4779-9D21-FC81AB3B2A8D}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\battlefield bad company 2\support\ea help\electronic_arts_technical_support.htm |
    "{331838EF-A98F-4402-A44B-5692FA8C5921}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\magicka\magicka.exe |
    "{33995D27-F31B-4F4A-80BD-9446A385504C}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\machinarium\machinarium.exe |
    "{35E90431-E30B-4983-92F1-862C385E2EEB}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\risen\bin\risen.exe |
    "{36E1A68D-5A0C-4480-B404-9E65E2514B2B}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\left 4 dead\left4dead.exe |
    "{3702C5B7-C15E-48C0-A771-2248ED49A879}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\total war shogun 2\benchmarks\benchmark_specify_properties.bat |
    "{37799BD1-06E2-43CA-85C9-5F4D00C3E470}" = protocol=17 | dir=in | app=g:\steamapps\common\two worlds - epic edition\twoworlds.exe |
    "{386E2B56-F730-4429-99B6-B4DBF3ECFD93}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\assassins creed\assassinscreed_game.exe |
    "{39D56F78-7EBD-42BA-89F1-195651A3B315}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\red faction guerrilla\rfg_launcher.exe |
    "{3A2212B5-7E84-42F0-B054-A8AAFF0281B0}" = protocol=6 | dir=in | app=e:\program files\deep silver\s.t.a.l.k.e.r. - clear sky\bin\xrengine.exe |
    "{3AF9FE18-9595-4E7C-A503-4452E30217D1}" = protocol=17 | dir=in | app=g:\steamapps\common\king arthur - the role-playing wargame\kingarthurmulti.exe |
    "{3C05BFDA-64B0-4322-B340-FEEBB807B2CE}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\theatre of war\towsetup.exe |
    "{3CA7132C-06A1-494C-9AF2-5E85030DE1FB}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\battlefield bad company 2\support\ea help\electronic_arts_technical_support.htm |
    "{3CF0402C-00ED-42D8-BDEE-2B510729A936}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\darwinia\darwinia.exe |
    "{3EB0D8BF-1C93-4D1A-B2F7-34C51E5170DA}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\ghost recon advanced warfighter 2\graw2.exe |
    "{3F450A4B-99DB-495D-9433-EBDCF1B65B59}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\batman arkham asylum goty\binaries\bmlauncher.exe |
    "{3FD522E3-DDAE-4319-A405-118D452952EC}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\battlefield bad company 2\bfbc2game.exe |
    "{40C97ADC-64DC-4128-9B80-95C2CC39568C}" = protocol=6 | dir=in | app=e:\program files\activision\apache air assault\yuplay\yuplay.exe |
    "{420C8288-6315-4DE3-8D47-AE6ACE6F4132}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\apox\gameclient\apox.exe |
    "{42DDD655-9FA1-4648-A1B7-ED8C269249B6}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\battlefield bad company 2\support\ea help\electronic_arts_technical_support.htm |
    "{4323A477-EB99-4AAD-93C8-E4BBDA89B7BA}" = protocol=6 | dir=in | app=g:\steamapps\common\battlefield bad company 2\support\ea help\electronic_arts_technical_support.htm |
    "{446BE15F-7111-4252-86A5-A31D7C072173}" = protocol=6 | dir=in | app=g:\steamapps\common\dragon age origins\docs\ea help\electronic_arts_technical_support.htm |
    "{44B6C0BF-8A5A-4072-A9B0-53A945C3D917}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\arcania gothic 4\arcania.exe |
    "{44F92070-4D33-4F5F-83B7-438B16140A97}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\machinarium\machinarium.exe |
    "{45302D54-D661-4F04-A6D2-60AA6F67FBA0}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\sniper ghost warrior\sniper_x86.exe |
    "{4668F720-4287-4273-B075-B59ABE916693}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\mafia ii\pc\mafia2.exe |
    "{46B9745B-C93D-481E-B459-44A2F4188C5C}" = protocol=6 | dir=in | app=g:\steamapps\common\left 4 dead 2\left4dead2.exe |
    "{4793106E-E768-4673-8838-4B595DD34B42}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\far cry 2\bin\fc2benchmarktool.exe |
    "{480B5F1C-1805-464D-948F-1DE0FDF0A710}" = protocol=6 | dir=in | app=g:\steamapps\common\magicka\magicka.exe |
    "{48566608-82C5-42F0-B718-27E14BC446B9}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\kane & lynch 2 - dog days\kl2.exe |
    "{49BE12FF-8211-4A57-B174-5AD2BA675D35}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
    "{49E6DA2C-75D8-49E9-9E3E-EA0692E630F8}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\eve online\eve.exe |
    "{4C9BE8F0-56AD-4D7F-8C2F-214AB080C2F8}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\kane & lynch 2 - dog days\kl2.exe |
    "{4CD95F5B-809A-424C-AD67-F875CD906CC2}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\saints row 2\sr2_pc.exe |
    "{4D6D9837-1C19-4128-8DC1-E421FF28CF2C}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\theatre of war ii kursk 1943\kursk1943.exe |
    "{4DE5EE0A-6246-4402-B931-BD47401709E1}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\dragon age origins\daoriginslauncher.exe |
    "{4E4455C3-3528-447C-9C38-3A3668D5B583}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\eve online\eve.exe |
    "{4EC767BE-5FBD-4F03-92B1-B5C2DCA9A423}" = protocol=17 | dir=in | app=g:\steamapps\common\kane & lynch 2 - dog days\kl2.exe |
  10. Rangoon

    Rangoon TS Rookie Topic Starter Posts: 20

    Extras.txt (part 2):


    "{F6F42191-0B7A-4889-BCFC-F6FFA296EFA2}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\sid meier's civilization v\launcher.exe |
    "{F7517D01-FEF2-4DEA-882C-47A0CB2BAC48}" = protocol=17 | dir=in | app=e:\program files\electronic arts\crytek\crysis\bin32\crysis.exe |
    "{F7703832-A0EA-450B-A59F-441A7A6AA9C9}" = protocol=17 | dir=in | app=g:\steamapps\common\mountblade warband\mb_warband.exe |
    "{F791FC41-D985-4362-A361-A3CF333D5A79}" = protocol=17 | dir=in | app=c:\program files (x86)\thq\s.t.a.l.k.e.r. - shadow of chernobyl\bin\dedicated\xr_3da.exe |
    "{F82F672A-A0E7-4AAF-A3D3-1774F3D4EED5}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\dragon age origins\bin_ship\daorigins.exe |
    "{F8613633-8144-4AA3-8CA1-6814FAB84F12}" = protocol=6 | dir=in | app=c:\program files (x86)\sierra entertainment\world in conflict\wic_online.exe |
    "{F8899E28-DB3A-41F2-A5AA-4029949200A4}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\dark sector\ds.exe |
    "{F8EA4518-B26E-473C-9B6A-45C0975903A5}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\men of war red tide\redtide.exe |
    "{F8F8B162-0C08-4BC6-9AF6-020C7D5BE5F9}" = protocol=17 | dir=in | app=c:\program files (x86)\sierra entertainment\world in conflict\wic_ds.exe |
    "{F9BA96B7-41C9-4CFC-9A62-15778D763F4D}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\jade empire\jadeempireconfig.exe |
    "{FA061DF6-D57C-4B91-976E-3FA6063D8179}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\far cry 2\bin\farcry2.exe |
    "{FAFFD4A0-45A5-4178-8772-DAC639E136E2}" = protocol=17 | dir=in | app=g:\steamapps\common\magicka\magicka.exe |
    "{FC36C2C2-7184-4702-941F-D044E67B88EF}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\defensegridtheawakening\defensegrid.exe |
    "{FC5A314E-21D6-4335-B087-629166755133}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\alpha protocol\aplauncher.exe |
    "{FD03432F-88CE-4172-A7A3-443D83E67F2A}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\brothers in arms road to hill 30\system\bia.exe |
    "{FD10355D-AE04-4FCF-8067-7C9C448FA1EE}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\borderlands\binaries\borderlands.exe |
    "{FE7C4B4C-7D86-4D6C-95B6-BD701BE9A73B}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\fear ultimate shooter edition\fearxp2\fearxp2.exe |
    "{FF65A895-9391-4207-84FC-E187EF75A0C1}" = protocol=6 | dir=in | app=g:\program files\steam\steamapps\common\dark sector\ds.exe |
    "{FFEE5671-AC65-4BE1-B5C7-37C4F02DAA49}" = protocol=17 | dir=in | app=g:\program files\steam\steamapps\common\total war shogun 2\shogun2.exe |
    "TCP Query User{17B401A5-1176-4B02-AA81-8020051845E2}C:\program files (x86)\emote\launcher\launcher.exe" = protocol=6 | dir=in | app=c:\program files (x86)\emote\launcher\launcher.exe |
    "TCP Query User{18E1A123-9366-4223-8F52-AD732A9AF8B9}C:\program files (x86)\electronic arts\dead space\dead space.exe" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\dead space\dead space.exe |
    "TCP Query User{385DB453-1599-4337-9DA1-A6A0B7C42185}E:\program files\atari\arma\beta\arma.exe" = protocol=6 | dir=in | app=e:\program files\atari\arma\beta\arma.exe |
    "TCP Query User{3DF75673-7AC8-42F3-8672-606B4615243F}E:\program files\bethesda softworks\fallout 3\fallout3.exe" = protocol=6 | dir=in | app=e:\program files\bethesda softworks\fallout 3\fallout3.exe |
    "TCP Query User{47536B14-0828-40E5-AE4E-CE512F1689C0}C:\program files (x86)\bitcomet\bitcomet.exe" = protocol=6 | dir=in | app=c:\program files (x86)\bitcomet\bitcomet.exe |
    "TCP Query User{8E1A8701-016D-458A-80BB-304ECD36B2C0}C:\program files (x86)\electronic arts\eadm\core.exe" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\eadm\core.exe |
    "TCP Query User{9A57FBF4-8D11-49AD-BD62-EBFDBAA0AE61}C:\program files (x86)\steam\steamapps\common\left 4 dead\left4dead.exe" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\left 4 dead\left4dead.exe |
    "TCP Query User{A9EB2301-1093-47CE-B30C-D04ECB039116}C:\program files (x86)\bethesda softworks\fallout 3\fallout3.exe" = protocol=6 | dir=in | app=c:\program files (x86)\bethesda softworks\fallout 3\fallout3.exe |
    "UDP Query User{1316A8F7-6801-4AF6-87AB-372CD0F27D11}C:\program files (x86)\steam\steamapps\common\left 4 dead\left4dead.exe" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\left 4 dead\left4dead.exe |
    "UDP Query User{1341855A-4C33-4E69-86C5-F9F2AED034BF}C:\program files (x86)\electronic arts\eadm\core.exe" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\eadm\core.exe |
    "UDP Query User{21230A89-435E-4CD5-8D5F-5377974439EA}E:\program files\bethesda softworks\fallout 3\fallout3.exe" = protocol=17 | dir=in | app=e:\program files\bethesda softworks\fallout 3\fallout3.exe |
    "UDP Query User{4F65076A-B878-48C6-8913-D7EB677B155C}C:\program files (x86)\emote\launcher\launcher.exe" = protocol=17 | dir=in | app=c:\program files (x86)\emote\launcher\launcher.exe |
    "UDP Query User{61824E27-36C5-4D95-A8F8-33C8B20D3B71}C:\program files (x86)\bethesda softworks\fallout 3\fallout3.exe" = protocol=17 | dir=in | app=c:\program files (x86)\bethesda softworks\fallout 3\fallout3.exe |
    "UDP Query User{7CD7F0E8-B4E5-4BB6-BFB8-A1B7DE8559D7}C:\program files (x86)\bitcomet\bitcomet.exe" = protocol=17 | dir=in | app=c:\program files (x86)\bitcomet\bitcomet.exe |
    "UDP Query User{905E62C4-F119-46E4-8F9E-2C50B6DD8052}E:\program files\atari\arma\beta\arma.exe" = protocol=17 | dir=in | app=e:\program files\atari\arma\beta\arma.exe |
    "UDP Query User{B4C1B71C-DD00-46DF-9A0A-2142F7607792}C:\program files (x86)\electronic arts\dead space\dead space.exe" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\dead space\dead space.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
    "{23170F69-40C1-2702-0458-100001000000}" = 7-Zip 4.58 (x64 edition)
    "{23EA8626-1A8A-453A-ACC4-77CED745849A}" = Microsoft .NET Framework 2.0 SDK (x64) - ENU
    "{6CC95B76-D380-46B2-9022-9353938E48BA}" = Logitech GamePanel Software 3.03.133
    "{9B48B0AC-C813-4174-9042-476A887592C7}" = Windows Live ID Sign-in Assistant
    "{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 275.27
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 275.27
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.10.0514
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.3.4
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D3120436-1358-4253-9EB2-257FFE8CE1D9}" = Logitech SetPoint 5.00
    "{D9C50188-12D5-4D3E-8F00-682346C2AA5F}" = Microsoft Xbox 360 Accessories 1.2
    "{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
    "{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}" = Ventrilo Client for Windows x64
    "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework 2.0 SDK (x64) - ENU" = Microsoft .NET Framework 2.0 SDK (x64) - ENU
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "NVIDIA Drivers" = NVIDIA Drivers

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{000E79B7-E725-4F01-870A-C12942B7F8E4}" = Crysis(R)
    "{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
    "{02A10468-2F1C-447C-AD8E-4DEDDEA25AE2}" = Medieval II Total War : Kingdoms : Crusades
    "{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
    "{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    "{19BFDA5D-1FE2-4F25-97F9-1A79DD04EE20}" = Microsoft XNA Framework Redistributable 3.1
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 23
    "{2CD2C0DB-81C3-416B-9FA6-589B9235359B}" = OpenOffice.org 2.4
    "{3248F0A8-6813-11D6-A77B-00B0D0160060}" = Java(TM) 6 Update 6
    "{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
    "{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
    "{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = er100LT
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4CB0307C-565E-4441-86BE-0DF2E4FB828C}" = Microsoft Games for Windows Marketplace
    "{4D87DC92-C328-46EC-A7B4-9C88129DC696}" = Dead Space™
    "{5F4C776F-8CBD-4C4F-892F-B568ABDD70C8}" = GameSpy Comrade
    "{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
    "{6A3F9D74-BB80-4451-8CA1-4B3A857F1359}" = Apple Application Support
    "{6B976ADF-8AE8-434E-B282-A06C7F624D2F}" = Python 2.5.2
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{7353BAE6-5E49-46C4-A9B5-8A269A313789}" = Crysis WARHEAD(R)
    "{75983B66-804C-40D1-BA13-64DAF652A6F1}" = Medieval II Total War : Kingdoms : Americas
    "{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
    "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
    "{7AEE1963-7001-4C37-BC20-2FAEB74AA41C}" = Medieval II Total War : Kingdoms : Teutonic
    "{888DD888-82BE-4D85-BCB2-2E042CD3E844}" = Tom Clancy's Splinter Cell Chaos Theory
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}" = Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
    "{931C37FC-594D-43A9-B10F-A2F2B1F03498}" = Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
    "{97EA42A5-3FAB-4948-B74D-F3C44B13F5CE}" = Crysis WARHEAD(R) Patch
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
    "{B9DB4C76-01A4-46D5-8910-F7AA6376DBAF}" = NVIDIA PhysX
    "{bd8defa4-19fa-4964-9692-f1122d8a62d9}}_is1" = Apache: Air Assault 1.0.2.1
    "{BE6E6BF7-6A81-4EC2-AD29-4580025149F1}" = TrackIR4
    "{C0698BDA-0D29-40EE-8570-A31106DF9AB1}" = Medieval II Total War
    "{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CDCA3C32-FCE7-40E8-8CB5-7B0E87ADDFC9}_is1" = Majesty 2: The Fantasy Kingdom Sim - patch v.1.3.336
    "{CEDDEE73-3D36-41C2-AA40-29355D9FBD63}" = Medieval II Total War : Kingdoms : Britannia
    "{D5395E5F-4D45-4665-8F00-234FA33678AF}" = SlimDX Redistributable (March 2009)
    "{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
    "{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty(R) 4 - Modern Warfare(TM)
    "{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1
    "{EF7E931D-DC84-471B-8DB6-A83358095474}" = EA Download Manager
    "{F11ADC64-C89E-47F4-A0B3-3665FF859397}" = World in Conflict: Soviet Assault
    "{F138762F-5A1F-4CF0-A5E1-1588EF6088A4}" = The Witcher Enhanced Edition
    "{F2508213-9989-4E85-A078-72BE483917EF}" = Microsoft Games for Windows - LIVE Redistributable
    "{F9FD80CE-0448-4D4F-8BCD-77FC514C3F99}" = Vista Codec Package
    "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    "A2BAF Data cache removal" = ARMA 2: British Armed Forces - Data cache removal
    "A2PMC Data cache removal" = ARMA 2: Private Military Company - Data cache removal
    "Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.6
    "Afterburner" = MSI Afterburner 2.1.0
    "ALchemy" = Creative ALchemy
    "Amazon Games & Software Downloader_is1" = Amazon Games & Software Downloader
    "AudioCS" = Creative Audio Control Panel
    "avast" = avast! Free Antivirus
    "AviSynth" = AviSynth 2.5
    "BattlEye" = BattlEye Uninstall
    "BattlEye for OA" = BattlEye for OA Uninstall
    "BitTorrent" = BitTorrent
    "CHControlManager_is1" = CH Control Manager Software
    "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
    "Combat Mission Shock Force_is1" = Combat Mission Shock Force
    "Console Launcher" = Creative Console Launcher
    "Creative Software AutoUpdate" = Creative Software AutoUpdate
    "Creative Sound Blaster Properties x64 Edition" = Creative Sound Blaster Properties x64 Edition
    "Creative Volume Panel" = Volume Panel
    "Crysis WARHEAD(R)" = Crysis WARHEAD(R)
    "Crysis WARHEAD(R) Patch" = Crysis WARHEAD(R) Patch
    "Dungeon Keeper II" = Dungeon Keeper 2
    "Emote-Launcher" = Emote-Launcher (remove only)
    "Fallout Mod Manager_is1" = Fallout Mod Manager 0.11.9
    "Francesco's leveled creatures-items mod_is1" = Francesco's leveled creatures-items mod 4.5b
    "Francesco's optional new items/creatures_is1" = Francesco's optional new items/creatures 4.5
    "Fraps" = Fraps (remove only)
    "Game Booster_is1" = Game Booster
    "Google Chrome" = Google Chrome
    "Graphical Enhancement Resources" = Graphical Enhancement Resources 2.5
    "Graphical Enhancement Textures" = Graphical Enhancement Textures 2.5
    "InstallShield_{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}" = Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
    "InstallShield_{931C37FC-594D-43A9-B10F-A2F2B1F03498}" = Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
    "InstallShield_{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty(R) 4 - Modern Warfare(TM)
    "InstallShield_{EF7E931D-DC84-471B-8DB6-A83358095474}" = EA Download Manager
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Mozilla Firefox 8.0 (x86 en-US)" = Mozilla Firefox 8.0 (x86 en-US)
    "MpcStar" = MpcStar 3.1
    "Oblivion mod manager_is1" = Oblivion mod manager 1.1.11
    "OpenAL" = OpenAL
    "Pathologic_is1" = Pathologic
    "PC Wizard 2010_is1" = PC Wizard 2010.1.95
    "Precision" = EVGA Precision 1.3.1
    "PunkBusterSvc" = PunkBuster Services
    "RealPlayer 12.0" = RealPlayer
    "S.T.A.L.K.E.R. - Clear Sky_is1" = S.T.A.L.K.E.R. - Clear Sky
    "Steam App 10180" = Call of Duty: Modern Warfare 2
    "Steam App 10500" = Empire: Total War
    "Steam App 10680" = Aliens vs. Predator
    "Steam App 11420" = Clive Barker's Jericho
    "Steam App 12210" = Grand Theft Auto IV
    "Steam App 12520" = 18 Wheels of Steel: American Long Haul
    "Steam App 12830" = Operation Flashpoint: Dragon Rising
    "Steam App 13510" = Tom Clancy's Ghost Recon: Advanced Warfighter 2
    "Steam App 13640" = Tom Clancy's Ghost Recon: Advanced Warfighter
    "Steam App 1500" = Darwinia
    "Steam App 1510" = Uplink
    "Steam App 15100" = Assassin's Creed
    "Steam App 15190" = Brothers in Arms: Road to Hill 30
    "Steam App 15210" = Silent Hunter III
    "Steam App 15390" = Brothers in Arms: Hell's Highway
    "Steam App 16830" = Sid Meier's Civilization V SDK
    "Steam App 17410" = Mirror's Edge
    "Steam App 17450" = Dragon Age: Origins
    "Steam App 18500" = Defense Grid: The Awakening
    "Steam App 1930" = Two Worlds: Epic Edition
    "Steam App 19680" = Alice: Madness Returns
    "Steam App 19800" = Brothers in Arms: Earned in Blood
    "Steam App 19900" = Far Cry 2
    "Steam App 20500" = Red Faction: Guerrilla
    "Steam App 2100" = Dark Messiah Might and Magic Single Player
    "Steam App 21090" = F.E.A.R.
    "Steam App 21690" = Resident Evil 5
    "Steam App 21800" = Tom Clancy's EndWar
    "Steam App 21970" = R.U.S.E
    "Steam App 21980" = Call of Juarez: Bound in Blood
    "Steam App 22200" = Zeno Clash
    "Steam App 22370" = Fallout 3 - Game of the Year Edition
    "Steam App 24400" = King Arthur - The Role-playing Wargame
    "Steam App 24960" = Battlefield: Bad Company 2
    "Steam App 27000" = The Path
    "Steam App 28000" = Kane & Lynch 2: Dog Days
    "Steam App 29180" = Osmos
    "Steam App 29900" = Dark Sector
    "Steam App 3130" = Men of War: Red Tide
    "Steam App 32370" = Star Wars: Knights of the Old Republic
    "Steam App 32470" = Star Wars: Empire at War Gold
    "Steam App 33220" = Tom Clancy's Splinter Cell: Conviction
    "Steam App 33900" = ARMA 2
    "Steam App 33930" = ARMA 2: Operation Arrowhead
    "Steam App 34010" = Alpha Protocol
    "Steam App 34030" = Napoleon: Total War
    "Steam App 34330" = Total War: SHOGUN 2
    "Steam App 34830" = Sniper: Ghost Warrior
    "Steam App 35140" = Batman: Arkham Asylum GOTY Edition
    "Steam App 39540" = Spellforce: Platinum Edition
    "Steam App 39690" = ArcaniA – Gothic 4
    "Steam App 40300" = Risen
    "Steam App 40400" = AI War: Fleet Command
    "Steam App 40700" = Machinarium
    "Steam App 42670" = Singularity
    "Steam App 42910" = Magicka
    "Steam App 43110" = Metro 2033
    "Steam App 44310" = F1 2010™
    "Steam App 4560" = Company of Heroes
    "Steam App 46290" = Theatre of War
    "Steam App 46340" = Theatre of War 2: Africa 1943
    "Steam App 46360" = Theatre of War 2: Kursk 1943
    "Steam App 47700" = Command and Conquer 4: Tiberian Twilight
    "Steam App 47790" = Medal of Honor(TM) Single Player
    "Steam App 47810" = Dragon Age: Origins - Ultimate Edition
    "Steam App 47890" = The Sims(TM) 3
    "Steam App 48210" = The Settlers 7: Paths to a Kingdom - Gold Edition
    "Steam App 48700" = Mount and Blade: Warband
    "Steam App 50130" = Mafia II
    "Steam App 550" = Left 4 Dead 2
    "Steam App 57680" = The First Templar
    "Steam App 58540" = Divinity II - The Dragon Knight Saga
    "Steam App 62000" = Flight Control HD
    "Steam App 65600" = Gothic 3 Forsaken Gods Enhanced Edition
    "Steam App 65700" = ARMA 2: British Armed Forces
    "Steam App 65720" = ARMA 2: Private Military Company
    "Steam App 67000" = The Polynomial
    "Steam App 6980" = Thief: Deadly Shadows
    "Steam App 7110" = Jade Empire: Special Edition
    "Steam App 7670" = BioShock
    "Steam App 7830" = Men of War
    "Steam App 80000" = APOX
    "Steam App 8190" = Just Cause 2
    "Steam App 8500" = EVE Online: Incarna
    "Steam App 8930" = Sid Meier's Civilization V
    "Steam App 92000" = Hydrophobia: Prophecy
    "Steam App 9480" = Saints Row 2
    "Steam App 9870" = Ghostbusters: The Video Game
    "SystemRequirementsLab" = System Requirements Lab
    "Take On Helicopters" = Take On Helicopters
    "The Witcher - FCR & Flash Mod_is1" = FCR v1.3 final or Flash Mod v1.01
    "The Witcher - Scabbard Mod_is1" = Scabbar Mod ver 1.03
    "TweakOblivion_is1" = Oblivion - TweakOblivion 5.10 (Build:370)
    "UDPixel" = UDPixel.exe
    "Unofficial Shivering Isles Patch_is1" = Unofficial Shivering Isles Patch v1.4.0
    "VLC media player" = VLC media player 1.1.9
    "wxPython2.8-ansi-py25_is1" = wxPython 2.8.7.1 (ansi) for Python 2.5
    "yuPlay клиент_is1" = yuPlay client 0.7.19

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-1787995230-711523803-3076010400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Stainless_Steel_6.0_Part1of2" = Stainless_Steel_6.0_Part1of2

    ========== Last 10 Event Log Errors ==========

    Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

    < End of report >


    Thanks again for your time and insight.

    EDIT: You asked about the computer. It seems to be doing well, actually. I haven't noticed any browser redirects. But I also haven't really been using the computer much while awaiting an "all clear" from you. But at this point, it's clearly better than it was. I have noticed no misbehavior! :)
     
  11. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    Good :)

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      [6 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
      [2 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
      [14 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ] 
      [2011/08/14 09:08:57 | 000,012,082 | -H-- | C] () -- C:\Users\Jeff\AppData\Local\050dhxf3unx808x
      [2011/08/14 09:08:57 | 000,012,082 | -H-- | C] () -- C:\ProgramData\050dhxf3unx808x
      [2011/08/14 08:41:42 | 000,000,120 | -H-- | C] () -- C:\Users\Jeff\AppData\Local\Wsajirux.dat
      [2011/08/14 08:41:42 | 000,000,000 | -H-- | C] () -- C:\Users\Jeff\AppData\Local\Kronadod.bin
      @Alternate Data Stream - 498 bytes -> C:\ProgramData\TEMP:05EE1EEF
      @Alternate Data Stream - 168 bytes -> C:\Users\Jeff\Desktop\2009_IRS_Interest_and_Penalties.jpg:3or4kl4x13tuuug3 Byamue2s4b
      @Alternate Data Stream - 168 bytes -> C:\Users\Jeff\Desktop\PilotInsurance_2011.jpg:3or4kl4x13tuuug3Byamue2s4b
      @Alternate Data Stream - 168 bytes -> C:\Users\Jeff\Desktop\Beethoven.jpg:3or4kl4x13tuuug3Byamue2s4b
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ===================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the reading of the results to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart the computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce any log.
     
     
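    The OTL fix above removes alternate data streams (ADS) that the infection attached to ordinary JPGs on the desktop, plus files it marked hidden. As an added example that is not part of this thread or of OTL, the following PowerShell script enumerates non-default ADS under a set of roots and can optionally remove them; the default roots, the benign-stream list and the PowerShell 3.0+ requirement are assumptions.

```powershell
# Added example (not part of this thread or of OTL): enumerate non-default NTFS
# alternate data streams under the given roots so hidden payloads like the
# ":3or4kl4x13tuuug3Byamue2s4b" streams on the desktop JPGs above can be found
# and, optionally, removed. Assumes PowerShell 3.0+ (Get-Item/Remove-Item -Stream).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Roots to scan; the defaults are assumptions for a typical single-user box.
    [string[]]$Root = @("$env:USERPROFILE\Desktop", "$env:ProgramData"),
    # Stream names that are normal on NTFS and should not be reported.
    [string[]]$Benign = @(':$DATA', 'Zone.Identifier'),
    # Remove the streams that were found (honours -WhatIf / -Confirm).
    [switch]$Remove
)

$findings = foreach ($r in $Root) {
    if (-not (Test-Path -LiteralPath $r)) {
        Write-Warning "Skipping missing root: $r"
        continue
    }
    # -Force includes hidden files, which this infection set on the user's documents.
    Get-ChildItem -LiteralPath $r -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-Item -Stream * lists every stream on the file, including the
            # main ':$DATA' stream, which the Benign filter drops.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $Benign -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $_.FileName   # full path of the host file
                        Stream = $_.Stream     # name of the extra stream
                        Bytes  = $_.Length     # stream size (168 bytes in the log above)
                    }
                }
        }
}

if (-not $findings) {
    Write-Host "No non-default alternate data streams found under: $($Root -join ', ')"
    return
}

# Report first; a stream on a document the user never created is worth a look.
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # With -WhatIf this only prints the intended action.
        if ($PSCmdlet.ShouldProcess("$($f.File):$($f.Stream)", 'Remove alternate data stream')) {
            Remove-Item -LiteralPath $f.File -Stream $f.Stream -ErrorAction Continue
        }
    }
}
```

    Run it without -Remove first to review the list; the ADS that OTL could not delete above (the one whose stream name contains a space) would show up here with its exact name, so it can be removed with the name copied verbatim.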
  12. Rangoon

    Rangoon TS Rookie Topic Starter Posts: 20

    Here is what OTL came up with. But one concern: OTL deleted many files from my desktop. Some of them were simply scans of documents. Others were PDFs. Why did it delete them? Can they be retrieved?

    EDIT: Nope, it just reset my folder options. Those files had been hidden by the infection, so they were made invisible again. Never mind. :) I just changed my folder options back again.

    I'll do the next steps right now.


    All processes killed
    ========== OTL ==========
    C:\Windows\1C4551A64743409391E41477CD655043.TMP\WiseCustomCalla.dll deleted successfully.
    C:\Windows\1C4551A64743409391E41477CD655043.TMP folder deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCall.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla18.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla21.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla22.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla23.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla24.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla25.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla26.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla27.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla33.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla35.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla36.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla37.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla38.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla39.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla41.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla42.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla43.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla44.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla46.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla47.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla48.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla49.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla50.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla51.dll deleted successfully.
    C:\Windows\4C271126C2954828A9015910AE0C258B.TMP folder deleted successfully.
    C:\Windows\506DDFBE983F4BC384B865F423B2D798.TMP\WiseCustomCalla.dll deleted successfully.
    C:\Windows\506DDFBE983F4BC384B865F423B2D798.TMP folder deleted successfully.
    C:\Windows\95FC26FB19FD4A96BBB1B1062E8648F5.TMP\WiseCustomCalla.dll deleted successfully.
    C:\Windows\95FC26FB19FD4A96BBB1B1062E8648F5.TMP folder deleted successfully.
    C:\Windows\B83FC356B7C0441F8A4DD71E088E7974.TMP\WiseCustomCalla.dll deleted successfully.
    C:\Windows\B83FC356B7C0441F8A4DD71E088E7974.TMP folder deleted successfully.
    C:\Windows\msdownld.tmp folder deleted successfully.
    C:\Windows\SysWow64\tmp9E41.tmp deleted successfully.
    C:\Windows\SysWow64\tmp9EDE.tmp deleted successfully.
    File delete failed. C:\Windows\SysNative\SET1812.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Windows\SysNative\SET1872.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Windows\SysNative\SET2529.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Windows\SysNative\SET25AC.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Windows\SysNative\SET3DE2.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Windows\SysNative\SET3E14.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Windows\SysNative\SET5858.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Windows\SysNative\SET61A7.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Windows\SysNative\SET6237.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Windows\SysNative\SET6269.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Windows\SysNative\SET95B5.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Windows\SysNative\SET967F.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Windows\SysNative\SET9695.tmp scheduled to be deleted on reboot.
    File delete failed. C:\Windows\SysNative\SET96A1.tmp scheduled to be deleted on reboot.
    C:\Users\Jeff\AppData\Local\050dhxf3unx808x moved successfully.
    C:\ProgramData\050dhxf3unx808x moved successfully.
    C:\Users\Jeff\AppData\Local\Wsajirux.dat moved successfully.
    C:\Users\Jeff\AppData\Local\Kronadod.bin moved successfully.
    ADS C:\ProgramData\TEMP:05EE1EEF deleted successfully.
    Unable to delete ADS C:\Users\Jeff\Desktop\2009_IRS_Interest_and_Penalties.jpg:3or4kl4x13tuuug3 Byamue2s4b .
    ADS C:\Users\Jeff\Desktop\PilotInsurance_2011.jpg:3or4kl4x13tuuug3Byamue2s4b deleted successfully.
    ADS C:\Users\Jeff\Desktop\Beethoven.jpg:3or4kl4x13tuuug3Byamue2s4b deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Jeff
    ->Temp folder emptied: 44476 bytes
    ->Temporary Internet Files folder emptied: 4083698 bytes
    ->Java cache emptied: 124439086 bytes
    ->FireFox cache emptied: 277200171 bytes
    ->Google Chrome cache emptied: 350136556 bytes
    ->Flash cache emptied: 2106084 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 2646147 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 606360 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 154197728 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 19489400 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33438 bytes
    RecycleBin emptied: 81311446 bytes

    Total Files Cleaned = 969.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Jeff
    ->Flash cache emptied: 0 bytes

    User: Public

    User: UpdatusUser

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.31.0 log created on 10252011_204922

    Files\Folders moved on Reboot...
    File move failed. C:\Windows\SysNative\SET1812.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET1872.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET2529.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET25AC.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET3DE2.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET3E14.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET5858.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET61A7.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET6237.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET6269.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET95B5.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET967F.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET9695.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET96A1.tmp scheduled to be moved on reboot.
    C:\Users\Jeff\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
     
  13. Rangoon

    Rangoon TS Rookie Topic Starter Posts: 20

    Security Check log:


    Results of screen317's Security Check version 0.99.24
    Windows Vista x64 (UAC is disabled!)
    Out of date service pack!!
    Internet Explorer 8 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    avast! Free Antivirus
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 23
    Java(TM) 6 Update 6
    Java(TM) 6 Update 7
    Out of date Java installed!
    Adobe Flash Player 11.0.1.152
    Adobe Reader X (10.1.1)
    Mozilla Firefox (x86 en-US..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast AvastUI.exe
    ``````````End of Log````````````
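    The log above flags three things worth re-checking after a cleanup: UAC disabled, Windows Firewall off, and several Java 6 updates installed side by side. The following PowerShell script is an added example, not part of this thread and not screen317's Security Check tool; it reads the documented `EnableLUA` registry value, parses `netsh advfirewall` output (available on Vista and later, unlike the newer `Get-NetFirewallProfile` cmdlet), and lists Java entries from both uninstall hives. Run it from an elevated prompt.

```powershell
# Added example (not from the thread, not the Security Check tool): re-audit UAC,
# Windows Firewall profile state and installed Java versions on a Windows host.

function Get-UacState {
    # EnableLUA = 0 is what produces the "UAC is disabled!" finding.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($val -eq 1) { 'Enabled' } elseif ($val -eq 0) { 'DISABLED' } else { 'Unknown' }
}

function Get-FirewallProfileState {
    # netsh prints "<Name> Profile Settings:" blocks, each with a "State  ON|OFF" line.
    $lines   = netsh advfirewall show allprofiles state
    $result  = @{}
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^(\w+) Profile Settings:') { $current = $Matches[1] }
        elseif ($current -and $line -match '^State\s+(\w+)') { $result[$current] = $Matches[1] }
    }
    $result
}

function Get-InstalledJava {
    # Both the 64-bit and the 32-bit (Wow6432Node) uninstall hives; stale Java 6
    # updates appear here next to the current one, as Update 6, 7 and 23 do above.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

# Report
"UAC: $(Get-UacState)"
$fw = Get-FirewallProfileState
foreach ($p in $fw.Keys) { "Windows Firewall $p profile: $($fw[$p])" }
$java = @(Get-InstalledJava)
"Java installs found: $($java.Count)"
$java | Format-Table -AutoSize
if ($java.Count -gt 1) { 'More than one Java version present; remove the older ones.' }
```

    A firewall profile reporting OFF while a third-party suite is installed is normal only if that suite registers its own firewall; the thread's Security Check log shows avast! Free Antivirus, which has no firewall component, so the OFF state there is a real gap rather than a substitution.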
     
  14. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    Update Internet Explorer to version 9.

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
     
  15. Rangoon

    Rangoon TS Rookie Topic Starter Posts: 20

    Thanks, Broni.

    I updated IE to version 9 through Windows Updater.

    I downloaded the latest Offline Installer for Java and it installed fine. There were no pre-checked, non-Java options (it was just the Oracle window and had zero options for anything except installation location).

    In my system tray, there was a Java icon which alerted me about an update for Java. I allowed it to install the latest version. However, at the very end, I received this error:

    "Installer: Wrapper.CreateFile failed with error 5: Access is denied."

    More to come....
     
  16. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    As long as the latest Java installed you're fine.
     
  17. Rangoon

    Rangoon TS Rookie Topic Starter Posts: 20

    Okay, good.

    I just removed the old versions of Java. Should I run OTL or Security Check once more now that I've made those updates? If not, I think the only thing I have left to do before I'm caught up with your instructions is run the ESET Online Scanner.

    Thanks!
     
  18. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    Go ahead with Eset.
     
  19. Rangoon

    Rangoon TS Rookie Topic Starter Posts: 20

    Hi Broni,

    ESET found no threats.
     
  20. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during the cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please let me know how your computer is doing.
     
  21. Rangoon

    Rangoon TS Rookie Topic Starter Posts: 20

    Glad to hear everything is looking good, Broni. I don't recall ever seeing exactly what my system had contracted. Did you see anything identifiable? Or what type of infection?

    Here is my OTL log from the system restore reset. I'll work on the next steps in order.

    Thank you!



    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Jeff
    ->Temp folder emptied: 1007490 bytes
    ->Temporary Internet Files folder emptied: 36136347 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 203921792 bytes
    ->Flash cache emptied: 3029 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 2646147 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
    RecycleBin emptied: 160350 bytes

    Total Files Cleaned = 233.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Jeff
    ->Flash cache emptied: 0 bytes

    User: Public

    User: UpdatusUser

    Total Flash Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.31.0 log created on 10262011_195740

    Files\Folders moved on Reboot...
    C:\Users\Jeff\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File move failed. C:\Windows\SysNative\SET1812.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET1872.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET2529.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET25AC.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET3DE2.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET3E14.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET5858.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET61A7.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET6237.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET6269.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET95B5.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET967F.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET9695.tmp scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\SET96A1.tmp scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
     
  22. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    You were not infected with anything serious.

    Good luck!
     
  23. Rangoon

    Rangoon TS Rookie Topic Starter Posts: 20

    Hi Broni,

    This may not be something you can help with, but now each time I try to run Windows Update and search for new updates, I get this error:

    "An error occurred while checking for new updates for your computer."

    "Code 80070005" etc.

    I can't find anything helpful with this code. I have found many threads on it, but nothing that has helped me. I tried the automated fixit utility from Microsoft specifically designed to fix issues with Windows Update, but that didn't help. So I think I'm up to date, but don't know for sure at this point.

    A few other questions while I continue through your most recent list of instructions:

    1. Is MBAM quick scan really just fine? Or should I run the full scan whenever time allows?

    2. I always get "Windows Security" alerts. It complains that:

    - Windows Firewall is turned off. I am using Avast now, and have a router with the Tomato firmware's firewall operating.

    - (it used to complain that) Windows Defender is turned off. But now it doesn't because Avast is on. Defender is redundant, right?

    3. Should I also run the Windows Malicious Software Removal Tool from time to time?

    4. What do you know about that "unhide.exe" program for reversing the effects of these infections that hide all the files? I'm tempted to use that over just literally forcing all files on my computer to unhide (therefore even the ones that are supposed to be hidden). Any thoughts?

    Thanks so much once again!
     
  24. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    As for Windows updates create new topic in Windows forum.

    1. Usually "Quick scan" is sufficient. If you want to run full scan once in a while that's fine.
    2. Is Windows firewall on, or off?
    Windows Defender is worthless.
    3. Same as Windows Defender
    4. "UnHide" is used to fix a specific infection aftermath. Don't use it for any other purposes.
    Personally I keep "hidden" files visible, but I keep system files hidden (it's safer that way).
    You can set those in Windows Explorer "Folder options".
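    The advice above (keep system files hidden, reverse the infection's hiding only where it applies) can be followed without a one-off tool. The script below is an added example, not part of this thread and not the "unhide.exe" utility it mentions: it inventories items under a folder that carry the Hidden attribute but not the System attribute, skips locations that are hidden by design in a profile, and only clears the Hidden attribute when run with `-Fix`. The default root (`$env:USERPROFILE`) and the exclusion list are assumptions for the example.

```powershell
# Added example (not from the thread, not the unhide.exe tool): find user items
# that were made Hidden without also being System, and optionally restore them.
# Dry run unless -Fix is given.
param(
    [string]$Root = "$env:USERPROFILE",   # assumption: the user's profile is where files were hidden
    [switch]$Fix                           # without -Fix nothing on disk is changed
)

# Hidden by design inside a profile; assumption, extend for your own layout.
$KnownHidden = @('AppData', 'Thumbs.db')

function Get-SuspiciousHidden {
    param([string]$Path)
    # -Force lists hidden items; System-flagged items (desktop.ini, ntuser.dat,
    # the legacy profile junctions) keep their flag and are not reported.
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
            -not ($_.Attributes -band [IO.FileAttributes]::System) -and
            ($KnownHidden -notcontains $_.Name) -and
            ($_.FullName -notlike '*\AppData\*')
        }
}

function Clear-HiddenAttribute {
    param([System.IO.FileSystemInfo]$Item)
    # Clear only the Hidden bit; every other attribute stays as it was.
    $Item.Attributes = $Item.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
}

$items = @(Get-SuspiciousHidden -Path $Root)
"Hidden (non-system) items under ${Root}: $($items.Count)"
$items | Select-Object -First 50 | ForEach-Object { $_.FullName }

if ($Fix) {
    foreach ($i in $items) { Clear-HiddenAttribute -Item $i }
    "Cleared the Hidden attribute on $($items.Count) items."
} else {
    'Dry run; review the list, then re-run with -Fix to clear the Hidden attribute.'
}
```

    Review the dry-run list before using `-Fix`: a game folder or a Pictures tree showing up wholesale is the pattern this kind of infection leaves, while single hidden files inside a program's own directory may be hidden on purpose by that program. Restoring attributes is cosmetic recovery and does not replace the scans that removed the infection itself.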
     
  25. Rangoon

    Rangoon TS Rookie Topic Starter Posts: 20

    Windows Firewall is turned off (so the security alert is reading accurately). Just want to make sure it's fine to keep that off while I'm using the router's firewall and Avast.

    I always have kept the same folder options that you mentioned (show hidden files but not system). As a symptom of the infection in my original post, all of my personal files (games, pictures, other documents, etc.) were hidden. So you would say that unhide.exe would be safe to use in my case? Or am I better off just manually unhiding everything on all of my drives?

    Before your latest reply, it just so happened I ran a full scan with MBAM. When I came back, it had found four problematic files. They were all in my Risen (game) folder. Any insight?

    Here is the log:


    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8015

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 9.0.8112.16421

    10/27/2011 9:50:03 PM
    mbam-log-2011-10-27 (21-50-03).txt

    Scan type: Full scan (C:\|E:\|G:\|)
    Objects scanned: 1003187
    Time elapsed: 1 hour(s), 33 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    g:\program files\Steam\steamapps\common\risen\bin\Engine.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    g:\program files\Steam\steamapps\common\risen\bin\Game.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    g:\program files\Steam\steamapps\common\risen\bin\Risen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    g:\program files\Steam\steamapps\common\risen\bin\scripts\script_game.dll (Trojan.Agent) -> Quarantined and deleted successfully.
     

