Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by bigblaqq on Thu Apr 15, 2010 5:53 pm

Help !!! I have been infected with the Vista Security Unregistered Version. I keep getting several different pop ups of this. I do not know how to get rid of it. Here is the first OTL scan; I will post the second one in the next post.

OTL logfile created on: 4/15/2010 1:32:27 PM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Users\Owner\Downloads
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 53.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 581.48 Gb Total Space | 90.78 Gb Free Space | 15.61% Space Free | Partition Type: NTFS
Drive D: | 14.65 Gb Total Space | 8.17 Gb Free Space | 55.79% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-PC
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/15 13:32:00 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Downloads\OTL.exe
PRC - [2010/04/15 10:17:35 | 000,183,808 | -HS- | M] () -- C:\Users\Owner\AppData\Local\ave.exe
PRC - [2010/04/02 12:03:33 | 000,307,672 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2009/12/30 14:55:16 | 001,389,904 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2009/10/13 12:26:33 | 000,466,689 | ---- | M] (Avira GmbH) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avscan.exe
PRC - [2009/07/21 14:34:33 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 13:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
PRC - [2003/06/20 00:25:00 | 000,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\MDM.EXE


========== Modules (SafeList) ==========

MOD - [2010/04/15 13:32:00 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Downloads\OTL.exe
MOD - [2009/04/10 23:28:22 | 002,241,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msi.dll
MOD - [2009/04/10 23:28:20 | 000,450,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\comdlg32.dll
MOD - [2008/01/20 22:49:15 | 000,038,912 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\sfc_os.dll
MOD - [2006/11/02 05:46:13 | 000,004,608 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\sfc.dll
MOD - [2006/11/02 05:46:07 | 000,015,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msiltcfg.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009/09/24 21:26:26 | 001,142,272 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FntCache.dll -- (FontCache)
SRV:64bit: - [2008/01/20 22:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/21 14:34:33 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/03/29 21:39:56 | 000,089,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64)
SRV - [2006/11/02 09:34:14 | 000,000,000 | ---D | M] [Unknown | Stopped] -- C:\Windows\SysWOW64\Msdtc -- (MSDTC)
SRV - [2006/11/02 02:35:15 | 000,060,994 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\SysWOW64\wbem\vds.mof -- (vds)
SRV - [2006/11/02 02:35:15 | 000,055,846 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\SysWOW64\wbem\vss.mof -- (VSS)
SRV - [2003/06/20 00:25:00 | 000,322,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2009/09/30 20:51:42 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
DRV:64bit: - [2009/08/08 15:07:44 | 000,082,816 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\pcouffin.sys -- (pcouffin)
DRV:64bit: - [2009/04/10 22:39:52 | 000,275,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HdAudio.sys -- (HdAudAddService)
DRV:64bit: - [2008/02/11 19:48:28 | 007,709,056 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\igdkmd64.sys -- (igfx)
DRV:64bit: - [2008/01/20 22:50:35 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\umpass.sys -- (UMPass)
DRV:64bit: - [2008/01/20 22:46:55 | 000,317,952 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\e1e6032e.sys -- (e1express) Intel(R)
DRV:64bit: - [2008/01/20 22:46:53 | 001,523,712 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\VSTDPV6.SYS -- (VST64_DPV)
DRV:64bit: - [2008/01/20 22:46:53 | 000,724,480 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\VSTCNXT6.SYS -- (winachsf)
DRV:64bit: - [2008/01/20 22:46:53 | 000,392,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\VSTBS26.SYS -- (VST64HWBS2)
DRV - [2009/12/18 06:47:42 | 000,074,880 | ---- | M] (Avira GmbH) [File_System | On_Demand | Stopped] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avgntflt.sys -- (avgntflt)
DRV - [2006/09/18 17:36:40 | 000,003,066 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysWOW64\wbem\tcpip.mof -- (Tcpip)
DRV - [2006/09/18 17:35:23 | 000,001,088 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\wbem\mpsdrv.mof -- (mpsdrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = F7 19 F0 44 F3 B6 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.order.1: "Yahoo"
FF - prefs.js..browser.search.order.2: ""
FF - prefs.js..browser.startup.homepage: "http://m.www.yahoo.com/?fr=w3i&type=W3i_SP,151,0_0,StartPage,20100209,6679,0,13,0"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.3.4
FF - prefs.js..extensions.enabledItems: {BFF829B6-B433-42CE-9A19-E459D3E4E483}:3.6.3
FF - prefs.js..extensions.enabledItems: {5835466c-49af-4cbe-b102-a8c8b6313749}:1.0.6
FF - prefs.js..extensions.netassistant.keyword.enabled: false
FF - prefs.js..extensions.netassistant.keyword.original: "http://results.freeze.com/?q="
FF - prefs.js..extensions.netassistant.keyword.url: "http://click.w3i.com/?Programid=132&Elementname=Keyword&Applicationid=#netassistant_id#&Version=#netassistant_version#&Vintage=20100209&Defaultbrowserid=13&Productid=1686&Vendorid=4274&Offerid=6680&searchterm="
FF - prefs.js..keyword.URL: "http://click.w3i.com/?Programid=132&Elementname=Keyword&Applicationid={567834DF-5C91-4688-A7B1-1A3E4A0F4E62}&Version=3.6.3&Vintage=20100209&Defaultbrowserid=13&Productid=1686&Vendorid=4274&Offerid=6680&searchterm="


FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/04/02 12:03:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/04/02 12:03:36 | 000,000,000 | ---D | M]

[2009/06/07 16:55:05 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Mozilla\Extensions
[2010/04/12 13:43:32 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\evnbb5r9.default\extensions
[2009/09/02 20:00:37 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\evnbb5r9.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/31 07:46:36 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/02/26 03:59:11 | 000,000,000 | ---D | M] (Shop to Win) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{5835466c-49af-4cbe-b102-a8c8b6313749}

O1 HOSTS File: ([2006/09/18 17:37:24 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll ()
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CarboniteSetupLite] C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NWEReboot] File not found
O4 - HKCU..\Run: [Free Download Manager] C:\Program Files (x86)\Free Download Manager\fdm.exe (FreeDownloadManager.ORG)
O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O8:64bit: - Extra context menu item: Download all with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlall.htm ()
O8:64bit: - Extra context menu item: Download selected with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlselected.htm ()
O8:64bit: - Extra context menu item: Download video with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlfvideo.htm ()
O8:64bit: - Extra context menu item: Download with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dllink.htm ()
O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files (x86)\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlall.htm ()
O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlselected.htm ()
O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlfvideo.htm ()
O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dllink.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files (x86)\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files (x86)\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe ()
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe ()
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_19)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.29.103.15 24.29.103.16
O18:64bit: - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - Reg Error: Key error. File not found
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files (x86)\Common Files\microsoft shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18:64bit: - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - Reg Error: Key error. File not found
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - Reg Error: Key error. - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{79604855-5399-11de-9400-00219b118ae3}\Shell - "" = Autorun
O33 - MountPoints2\{79604855-5399-11de-9400-00219b118ae3}\Shell\Open\command - "" = RECYCLER\S-7-7-38-100026873-100016763-100005966-1762.com h:\
O33 - MountPoints2\J\Shell - "" = Autorun
O33 - MountPoints2\J\Shell\Open\command - "" = RECYCLER\S-7-7-38-100026873-100016763-100005966-1762.com h:\
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37:64bit: - HKCU\...exe [@ = secfile] -- "C:\Users\Owner\AppData\Local\ave.exe" /START "%1" %* ()
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = secfile] -- "C:\Users\Owner\AppData\Local\ave.exe" /START "%1" %* ()

========== Files/Folders - Created Within 30 Days ==========

[2010/04/15 12:32:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Error Repair Professional
[2010/04/15 10:27:55 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\Malwarebytes
[2010/04/15 10:27:47 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/04/15 10:27:46 | 000,022,104 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/04/15 10:27:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/04/15 10:27:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/04/14 03:21:02 | 004,697,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2010/04/14 03:20:58 | 000,612,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2010/04/14 03:20:58 | 000,420,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\vbscript.dll
[2010/04/14 03:20:51 | 000,220,672 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\SysWow64\l3codecp.acm
[2010/04/14 03:20:51 | 000,181,760 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\SysNative\l3codecp.acm
[2010/04/14 03:20:51 | 000,072,192 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\SysNative\l3codeca.acm
[2010/04/14 03:20:51 | 000,062,464 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\SysWow64\l3codeca.acm
[2010/04/14 03:19:48 | 000,218,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wintrust.dll
[2010/04/14 03:19:48 | 000,172,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wintrust.dll
[2010/04/14 03:19:46 | 000,104,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cabview.dll
[2010/04/14 03:19:46 | 000,098,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\cabview.dll
[2010/04/09 21:12:57 | 000,000,000 | ---D | C] -- C:\Users\Owner\Desktop\PSP
[2010/03/31 07:48:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/03/31 07:48:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2010/03/31 07:47:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Carbonite
[2010/03/31 07:46:35 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2010/03/31 07:46:35 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2010/03/31 07:46:35 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2010/03/31 07:46:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Java
[2010/03/30 23:28:38 | 002,334,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iertutil.dll
[2010/03/30 23:28:38 | 001,147,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wininet.dll
[2010/03/30 23:28:38 | 000,916,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wininet.dll
[2010/03/30 23:28:37 | 001,538,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2010/03/30 23:28:37 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2010/03/30 23:28:37 | 001,062,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstime.dll
[2010/03/30 23:28:37 | 000,700,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2010/03/30 23:28:37 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstime.dll
[2010/03/30 23:28:37 | 000,594,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeeds.dll
[2010/03/30 23:28:37 | 000,459,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iedkcs32.dll
[2010/03/30 23:28:37 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iedkcs32.dll
[2010/03/30 23:28:37 | 000,252,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iepeers.dll
[2010/03/30 23:28:37 | 000,243,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\occache.dll
[2010/03/30 23:28:37 | 000,219,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2010/03/30 23:28:37 | 000,206,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\occache.dll
[2010/03/30 23:28:37 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iepeers.dll
[2010/03/30 23:28:37 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ie4uinit.exe
[2010/03/30 23:28:37 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2010/03/30 23:28:37 | 000,162,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2010/03/30 23:28:37 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2010/03/30 23:28:37 | 000,132,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesysprep.dll
[2010/03/30 23:28:37 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesysprep.dll
[2010/03/30 23:28:37 | 000,077,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll
[2010/03/30 23:28:37 | 000,072,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll
[2010/03/30 23:28:37 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeedsbs.dll
[2010/03/30 23:28:37 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll
[2010/03/30 23:28:37 | 000,070,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe
[2010/03/30 23:28:37 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll
[2010/03/30 23:28:37 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeedsbs.dll
[2010/03/30 23:28:37 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jsproxy.dll
[2010/03/30 23:28:37 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jsproxy.dll
[2010/03/30 23:28:37 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeedssync.exe
[2010/03/30 23:28:37 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeedssync.exe
[2009/08/08 15:07:44 | 000,082,816 | ---- | C] (VSO Software) -- C:\Users\Owner\AppData\Roaming\pcouffin.sys
[1 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/15 13:32:38 | 001,572,864 | -HS- | M] () -- C:\Users\Owner\NTUSER.DAT
[2010/04/15 13:31:52 | 000,010,096 | -HS- | M] () -- C:\Users\Owner\AppData\Local\g0e65To
[2010/04/15 13:31:52 | 000,010,096 | -HS- | M] () -- C:\ProgramData\g0e65To
[2010/04/15 12:35:41 | 000,690,960 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/04/15 12:35:41 | 000,595,446 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/04/15 12:35:41 | 000,101,144 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/04/15 12:29:38 | 000,003,712 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/15 12:29:38 | 000,003,712 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/15 12:29:36 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/15 12:29:34 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/15 12:28:36 | 000,524,288 | -HS- | M] () -- C:\Users\Owner\NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TMContainer00000000000000000001.regtrans-ms
[2010/04/15 12:28:36 | 000,065,536 | -HS- | M] () -- C:\Users\Owner\NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TM.blf
[2010/04/15 12:21:10 | 003,737,559 | -H-- | M] () -- C:\Users\Owner\AppData\Local\IconCache.db
[2010/04/15 10:27:52 | 000,000,808 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/15 10:17:35 | 000,183,808 | -HS- | M] () -- C:\Users\Owner\AppData\Local\ave.exe
[2010/04/15 07:51:33 | 000,011,776 | ---- | M] () -- C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/14 20:57:21 | 000,000,418 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{315F2767-77C9-4597-8DE0-5351A6AB50E3}.job
[2010/03/31 07:47:17 | 000,001,856 | ---- | M] () -- C:\Users\Public\Desktop\Carbonite Online Backup Setup.lnk
[2010/03/31 07:46:22 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2010/03/31 07:46:22 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2010/03/31 07:46:22 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2010/03/31 07:46:21 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\deploytk.dll
[1 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/15 10:27:52 | 000,000,808 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/15 10:17:35 | 000,183,808 | -HS- | C] () -- C:\Users\Owner\AppData\Local\ave.exe
[2010/04/15 10:17:35 | 000,010,096 | -HS- | C] () -- C:\Users\Owner\AppData\Local\g0e65To
[2010/04/15 10:17:35 | 000,010,096 | -HS- | C] () -- C:\ProgramData\g0e65To
[2010/03/31 07:47:17 | 000,001,856 | ---- | C] () -- C:\Users\Public\Desktop\Carbonite Online Backup Setup.lnk
[2010/03/10 20:36:52 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/12/17 06:36:52 | 000,363,018 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistMSI668C.txt
[2009/12/17 06:36:52 | 000,011,142 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistUI668C.txt
[2009/11/23 19:00:22 | 000,023,909 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\UserTile.png
[2009/10/03 07:11:23 | 000,365,312 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistMSI1CFE.txt
[2009/10/03 07:11:23 | 000,011,238 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistUI1CFE.txt
[2009/10/01 14:36:12 | 000,363,342 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistMSI552D.txt
[2009/10/01 14:36:12 | 000,011,142 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistUI552D.txt
[2009/08/31 05:28:49 | 000,708,868 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2009/08/29 17:56:26 | 000,362,954 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistMSI5C0A.txt
[2009/08/29 17:56:26 | 000,011,126 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistUI5C0A.txt
[2009/08/29 17:21:32 | 000,365,642 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistMSI4154.txt
[2009/08/29 17:21:32 | 000,011,238 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistUI4154.txt
[2009/08/08 16:06:01 | 000,001,176 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\vso_ts_preview.xml
[2009/08/08 15:09:12 | 000,000,034 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\pcouffin.log
[2009/08/08 15:07:44 | 000,099,384 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\inst.exe
[2009/08/08 15:07:44 | 000,007,859 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\pcouffin.cat
[2009/08/08 15:07:44 | 000,001,167 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\pcouffin.inf
[2009/08/03 22:07:21 | 000,000,680 | ---- | C] () -- C:\Users\Owner\AppData\Local\d3d9caps.dat
[2009/08/01 14:05:17 | 000,001,952 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2009/07/14 17:58:48 | 000,440,260 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistMSI53B8.txt
[2009/07/14 17:58:47 | 000,012,934 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistUI53B8.txt
[2009/07/12 16:03:54 | 000,000,801 | ---- | C] () -- C:\Windows\ARPR.INI
[2009/06/07 16:55:15 | 000,011,776 | ---- | C] () -- C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/06 11:15:08 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/06 11:15:01 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
[2009/06/06 08:06:35 | 000,000,732 | ---- | C] () -- C:\Users\Owner\AppData\Local\d3d9caps64.dat
[2009/06/06 08:06:34 | 000,000,020 | -HS- | C] () -- C:\Users\Owner\ntuser.ini
[2009/06/06 08:06:33 | 001,572,864 | -HS- | C] () -- C:\Users\Owner\NTUSER.DAT
[2009/06/06 08:06:33 | 000,524,288 | -HS- | C] () -- C:\Users\Owner\NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TMContainer00000000000000000002.regtrans-ms
[2009/06/06 08:06:33 | 000,524,288 | -HS- | C] () -- C:\Users\Owner\NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TMContainer00000000000000000001.regtrans-ms
[2009/06/06 08:06:33 | 000,262,144 | -H-- | C] () -- C:\Users\Owner\ntuser.dat.LOG1
[2009/06/06 08:06:33 | 000,065,536 | -HS- | C] () -- C:\Users\Owner\NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TM.blf
[2009/06/06 08:06:33 | 000,000,000 | -H-- | C] () -- C:\Users\Owner\ntuser.dat.LOG2
[2008/01/20 22:50:05 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2005/04/06 11:27:14 | 000,237,568 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
[2005/04/06 11:24:40 | 001,216,512 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\SysWow64\OUTLPERF.INI
< End of report >

Here is the second post

Post by bigblaqq on Thu Apr 15, 2010 5:55 pm

The second post.

OTL Extras logfile created on: 4/15/2010 1:32:27 PM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Users\Owner\Downloads
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 53.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 581.48 Gb Total Space | 90.78 Gb Free Space | 15.61% Space Free | Partition Type: NTFS
Drive D: | 14.65 Gb Total Space | 8.17 Gb Free Space | 55.79% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-PC
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.exe [@ = secfile] -- C:\Users\Owner\AppData\Local\ave.exe ()
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = 9F 9E 16 8C DC 5B C8 01 [binary data]
"VistaSp2" = 24 65 17 B4 BB E6 C9 01 [binary data]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02750ED8-443A-4E13-91DF-38BF2D117B7F}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{08919CFF-873E-4427-BB0D-18CB1E7BAE26}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{0CFBE001-2081-40E4-878D-1FE8ECB70729}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{0E01D7AA-C03C-47ED-929F-CE989B1CB3AA}" = rport=10243 | protocol=6 | dir=out | app=system |
"{0E0D23ED-2AE8-4905-8B90-9093D686370A}" = lport=10244 | protocol=6 | dir=in | app=system |
"{14E08D71-457E-46F5-8CFE-64357CF21D0B}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{1FBADB33-7CC1-4C07-AA01-21D2CF9C0B99}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{21D0C47B-771D-465B-814E-BD4B3B9423F8}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=c:\windows\system32\svchost.exe |
"{2E9307EB-BDF8-4575-8536-053CB6B45A4D}" = lport=3390 | protocol=6 | dir=in | app=system |
"{32E533D2-1E5B-4983-A2C0-261BC2D8F6D9}" = lport=10243 | protocol=6 | dir=in | app=system |
"{3346FE05-AE24-4D1E-B149-741E224D8126}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{408322CB-FC2B-4B2F-9B39-399A76D30CC9}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{4124C832-34D9-453A-A60D-F197CFD5C748}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{53F551E8-0C1C-4253-B510-A4C5EC04DA7D}" = rport=138 | protocol=17 | dir=out | app=system |
"{54B97BFB-C163-48DF-9AB9-4CB901CE190D}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{5DD6FB21-9172-44DC-B409-4B801F053505}" = lport=2869 | protocol=6 | dir=in | app=system |
"{64339DDD-D7F4-4F51-ABB2-A68E74B57E9F}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{672E79CC-6503-403C-BD66-0996CA69F833}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{67AFC8CF-7D22-4116-9FC7-255B9969E884}" = lport=3390 | protocol=6 | dir=in | app=system |
"{783F87D4-FEAD-4CD2-A629-B2CE11CA8CC3}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{85CBBE63-A4F0-437A-9BDD-5F838B00E144}" = rport=445 | protocol=6 | dir=out | app=system |
"{8B1CFF0A-3626-4F54-BCAD-A248D3B98EA9}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{9B252538-CFB0-4BB4-9718-2C00D6860132}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{9F824B1E-B57A-4B5C-8D8F-CA4256664317}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A06D7DCF-E868-484A-A160-7AAF191B7DFD}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=c:\windows\system32\svchost.exe |
"{A69421CA-8F30-469E-8B6A-9C660A5C48D9}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{A77CFA45-69CA-4780-B73D-D6B4408ECCC6}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{B197A3C1-DDB5-44EA-87EC-EE62CA799DB1}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{B690850F-F431-46A5-9C18-CEE14DF3633C}" = lport=2869 | protocol=6 | dir=in | app=system |
"{BC347EA5-7195-45B3-A555-EB3E09E80758}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=c:\windows\system32\svchost.exe |
"{BDF7C77A-39DD-44F5-AB04-B3F2475E7424}" = rport=10244 | protocol=6 | dir=out | app=system |
"{C0330969-3BB3-4A74-ACC6-B256068548D6}" = lport=139 | protocol=6 | dir=in | app=system |
"{C937371F-89F0-4AA8-9132-184A9F7093D4}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{C9464799-5CA6-4A6D-9F29-5EB3E563E700}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{CABDF9DD-2E23-4BF9-B30C-21E5A874F848}" = rport=139 | protocol=6 | dir=out | app=system |
"{CE3E1829-40F8-4832-9722-2919ED634F52}" = rport=10244 | protocol=6 | dir=out | app=system |
"{D41FDF77-838D-4D9D-8DF8-FB08783A5064}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{D54E6DD8-370C-4CB0-BA63-98E180773F39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{D974F7B3-1C2D-40D4-902A-73035FBA72C4}" = lport=445 | protocol=6 | dir=in | app=system |
"{D9F2B8E9-71AD-4F38-A789-830BA90BE52D}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=c:\windows\system32\svchost.exe |
"{DA934765-D49E-4510-8840-FC587103911C}" = lport=10244 | protocol=6 | dir=in | app=system |
"{E0078358-AFE5-4879-9F9F-024229DC40C1}" = lport=138 | protocol=17 | dir=in | app=system |
"{EB181DBC-EEE0-41A7-8581-38B3BCCD518D}" = lport=137 | protocol=17 | dir=in | app=system |
"{FDF993F6-D89B-41A0-B18B-A8E7203B2CAD}" = rport=137 | protocol=17 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0D787E97-7B31-45E0-8989-094591A71866}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{0DF0A9DC-A3DC-4CBC-946F-981796BB9B64}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{1C869CD0-59B5-4E1A-8E5C-5E6234716D13}" = protocol=6 | dir=out | app=c:\program files\windows media player\wmplayer.exe |
"{2E5B8AE6-8160-4B20-8514-888E398099CE}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |
"{3001D7C6-1C05-408A-B4FA-FFC8A8311984}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |
"{373D776E-E5AB-4B0B-B15B-0CD1EC7EF6CA}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{378D710D-ECAC-4093-80C1-28004ABF04A4}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{49184067-D311-4326-BEF2-5183DB0B6462}" = protocol=6 | dir=out | svc=upnphost | app=c:\windows\system32\svchost.exe |
"{54440B0A-1FAB-4F49-9107-94ACB4EBF856}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{54F1F2D5-1A7F-41AE-BD17-92B8AE7B7041}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{60427E76-3C0B-4CE5-B4BC-251619EBAF5A}" = protocol=6 | dir=out | app=c:\program files (x86)\windows media player\wmplayer.exe |
"{6521C66A-133F-4F41-A1AB-43E94B8F3D12}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |
"{662D0C86-33BE-448C-AB3A-D3950D63F82A}" = protocol=6 | dir=out | app=system |
"{898BA216-546D-4CF5-82AD-80C048A0E102}" = protocol=6 | dir=out | svc=upnphost | app=c:\windows\system32\svchost.exe |
"{8D6A4E17-F70B-40B8-BFCD-E1DB3C2EAB0B}" = protocol=17 | dir=in | app=c:\program files\windows media player\wmpnetwk.exe |
"{8E362DA8-69A1-4DA4-990E-027C6C440CCA}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{9AF5A29B-1E71-47B6-B72C-C46A638EE2D2}" = protocol=6 | dir=out | app=c:\program files\windows media player\wmpnetwk.exe |
"{A62B10C8-0342-4ABC-9FCA-23207497E7AA}" = protocol=17 | dir=out | app=c:\program files (x86)\windows media player\wmplayer.exe |
"{AD4786BF-D94A-435B-A79D-DBBFFEB481EF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{B5A4AECC-A750-4F34-8D55-50CA465190DB}" = protocol=17 | dir=in | app=c:\program files (x86)\windows media player\wmplayer.exe |
"{C3B2AC90-9D9D-4D34-A42D-0A856BF60329}" = protocol=6 | dir=out | app=system |
"{C4B564ED-4FA7-450D-A5AA-4A66C18391D7}" = protocol=6 | dir=in | app=c:\program files\windows media player\wmpnetwk.exe |
"{C51047E7-1C77-453B-9E72-ED178205957C}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{C5279686-4F77-453A-8972-332F6BA3BCFC}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{CD43FE14-4242-4C7A-943C-545C451BABF6}" = protocol=17 | dir=out | app=c:\program files\windows media player\wmpnetwk.exe |
"{D0089831-FA23-439B-AF7D-D8185E8C20AF}" = protocol=17 | dir=in | app=c:\program files\windows media player\wmplayer.exe |
"{DE5F7AB0-3011-4AB8-889F-544A716C53FE}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{E3833A06-9E44-47B5-8EDC-09F2BB2C85F5}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{E7A7ADF8-AE7C-4EA6-A03E-195D7589A351}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{EC6A7FC3-31A5-4C01-B660-1BA44002BC65}" = protocol=17 | dir=out | app=c:\program files\windows media player\wmplayer.exe |
"{F012EE0E-DCB6-4E37-9E77-E473E6C43A06}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{FBA9DCE3-71F2-4216-B314-333E75E532F2}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |
"TCP Query User{A3E7C946-6335-4613-8D56-3F615587899B}C:\program files (x86)\free download manager\fdm.exe" = protocol=6 | dir=in | app=c:\program files (x86)\free download manager\fdm.exe |
"TCP Query User{FB7EF4D5-4B4C-4969-AF50-5F15C10EC062}C:\program files (x86)\free download manager\fdm.exe" = protocol=6 | dir=in | app=c:\program files (x86)\free download manager\fdm.exe |
"UDP Query User{169EACAD-839C-4AF0-A5BE-A6134CA3A2E7}C:\program files (x86)\free download manager\fdm.exe" = protocol=17 | dir=in | app=c:\program files (x86)\free download manager\fdm.exe |
"UDP Query User{7992DF4F-86C1-413A-8E3B-AD577136FA4C}C:\program files (x86)\free download manager\fdm.exe" = protocol=17 | dir=in | app=c:\program files (x86)\free download manager\fdm.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{17E02F38-FF2D-4c3d-83DF-ECE2A1D20A5E}" = AIO_CDB_ToolboxIni64
"{79BF7CB8-1E09-489F-9547-DB3EE8EA3F16}" = Microsoft SQL Server Native Client
"{86177DAE-38B1-49DD-912E-35CB703AB779}" = Microsoft SQL Server VSS Writer
"{9F560BEB-021F-43AC-825F-AA60442D8DE4}" = 64 Bit HP CIO Components Installer
"{C916D86C-AB76-49c7-B0E4-A946E0FD9BC2}" = HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HP Imaging Device Functions" = HP Imaging Device Functions 8.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 8.0
"HPExtendedCapabilities" = HP Customer Participation Program 8.0
"HPOCR" = HP OCR Software 8.0
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0289B35E-DC07-4c7a-9710-BBD686EA4B7D}" = Status
"{0D2E9DCB-9938-475E-B4DD-8851738852FF}" = AIO_Scan
"{1746EA69-DCB6-4408-B5A5-E75F55439CDF}" = Scan
"{179C56A4-F57F-4561-8BBF-F911D26EB435}" = WebReg
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java(TM) 6 Update 19
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{39CB30DB-27F8-4dd4-A294-CB4AE3B584FD}" = Copy
"{49F2B650-2D7B-4F59-B33D-346F63776BD3}" = DocProc
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{67D3F1A0-A1F2-49b7-B9EE-011277B170CD}" = HPProductAssistant
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{76C24F39-B161-498F-BD8B-C64789812D13}_is1" = ConvertXtoDVD 3.7.3.190b
"{818ABC3C-635C-4651-8183-D0E9640B7DD1}" = HP Update
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{95D08F4E-DFC2-4ce3-ACB7-8C8E206217E9}" = MarketResearch
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C2D4047-0E40-499a-AC7A-C4B9BB12FE03}" = TrayApp
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A36CD345-625C-4d6c-B3E2-76E1248CB451}" = SolutionCenter
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.1
"{BE77A81F-B315-4666-9BF3-AE70C0ADB057}" = BufferChm
"{BFF829B6-B433-42CE-9A19-E459D3E4E483}" = My.Freeze.com NetAssistant
"{C716522C-3731-4667-8579-40B098294500}" = Toolbox
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}" = WinZip 12.1
"{CF097717-F174-4144-954A-FBC4BF301033}" = Nero 7 Ultra Edition
"{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component
"{DB3A97C0-EEC1-43FE-AB56-E2EA972CF111}" = 1600
"{E06F04B9-45E6-4AC0-8083-85F7515F40F7}" = UnloadSupport
"{E09575B2-498D-4C8B-A9D2-623F78574F29}" = AIO_CDB_Software
"{E7112940-5F8E-4918-B9FE-251F2F8DC81F}" = AIO_CDB_ProductContext
"{EA79DC46-98B0-4A26-A76F-448A032E5E4D}" = 1600Trb
"{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
"{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}" = HPSSupply
"{EEEB604C-C1A7-4f8c-B03F-56F9C1C9C45F}" = Fax
"{EF1ADA5A-0B1A-4662-8C55-7475A61D8B65}" = DeviceDiscovery
"{FEA5A8ED-93A1-44EE-9A7D-43103DB3F78D}" = 1600_Help
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Advanced RAR Password Recovery" = Advanced RAR Password Recovery (remove only)
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Carbonite Setup Lite" = Carbonite Online Backup Setup
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2007-07-22
"DirectVobSub" = DirectVobSub (remove only)
"DVD Shrink_is1" = DVD Shrink 3.2
"Error Repair Professional_is1" = Error Repair Professional version 4.0.3
"Free Download Manager_is1" = Free Download Manager 3.0
"Intelore - RAR Password Recovery" = RAR Password Recovery v1.1 RC17 (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"PartyPoker" = PartyPoker
"QuickPar" = QuickPar 0.9
"WinAce Archiver" = WinAce Archiver
"WinRAR" = WinRAR
"WinRAR archiver" = WinRAR archiver
"XviD" = XviD MPEG-4 Codec

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"My.Freeze.com NetAssistant" = My.Freeze.com NetAssistant for Firefox

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >


Re: Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by Belahzur on Thu Apr 15, 2010 7:51 pm

Please download exeHelper from one of the two links.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click on exeHelper.com or exeHelper.scr to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916 | Joined : 2008-08-03 | Gender : Male | OS : XP SP3 Media Centre | Points : 245049 | Likes : 1

Re: Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by bigblaqq on Thu Apr 15, 2010 8:33 pm

exeHelper by Raktor
Build 20100414
Run at 16:04:18 on 04/15/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\Users\Owner\AppData\Local\ave.exe
Error deleting C:\Users\Owner\AppData\Local\ave.exe - Set for removal on reboot - PLEASE REBOOT
Checking for bad registry entries...
Resetting filetype association for .exe
Removing HKCR\secfile
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

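A defender-side check for the hijack visible in the Extras log above (HKCU\SOFTWARE\Classes\.exe pointing at the secfile ProgID and C:\Users\Owner\AppData\Local\ave.exe), which exeHelper then reset. This is an added example, not code from the thread, OTL or exeHelper: it parses the "File Associations" and "Shell Spawning" sections in OTL's output format and flags executable types whose ProgID, hive or handler path is off. The sample lines are constructed in that format, the HKCU "exefile [open]" command is made up to show the open-command check firing, and the list of user-writable locations is an assumption.

```python
"""Flag executable file-association hijacks in OTL Extras log output."""
import re

# Extensions that must resolve to the stock ProgIDs, and the stock open commands.
EXEC_EXT = {".exe": "exefile", ".com": "comfile", ".bat": "batfile",
            ".cmd": "cmdfile", ".pif": "piffile", ".scr": "scrfile"}
EXPECTED_OPEN = {progid: '"%1" %*' for progid in EXEC_EXT.values()}
EXPECTED_OPEN["scrfile"] = '"%1" /S'
# Assumed list of locations a standard user can write to; a shell handler
# living there (like ave.exe under AppData) is a red flag.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\")

HIVE_RE = re.compile(r"^(?:64bit: )?\[(HKEY_[A-Z_]+)\\.*\]$")
ASSOC_RE = re.compile(r"^(\.\w+) \[@ = ([^\]]+)\] -- (.+) \(([^()]*)\)$")
SPAWN_RE = re.compile(
    r"^(\w+) \[(\w+)\] -- (.+?)(?: \(([^()]*)\))?(?: File not found)?$")

# Constructed sample in OTL Extras format. The HKCU ".exe" line mirrors the
# hijack in the log above; the HKCU "exefile [open]" line is made up to show
# what a rewritten open command looks like (OTL did not print one here).
SAMPLE_LOG = r"""
========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.exe [@ = secfile] -- C:\Users\Owner\AppData\Local\ave.exe ()
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
exefile [open] -- "%1" %* File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
exefile [open] -- "%1" %*
scrfile [open] -- "%1" /S

[HKEY_CURRENT_USER\SOFTWARE\Classes\\shell\[command]\command]
exefile [open] -- "C:\Users\Owner\AppData\Local\ave.exe" /START "%1" %* ()
"""


def scan_otl_extras(text):
    """Return one finding dict per suspicious association or open command."""
    findings, section, hive = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=========="):
            section, hive = line.strip("= "), None   # e.g. "File Associations"
            continue
        hive_match = HIVE_RE.match(line)
        if hive_match:
            hive = hive_match.group(1)
            continue
        if section == "File Associations":
            m = ASSOC_RE.match(line)
            if not m:
                continue
            ext, progid, handler, _company = m.groups()
            reasons = []
            if ext in EXEC_EXT and progid != EXEC_EXT[ext]:
                reasons.append(f"{ext} mapped to non-stock ProgID {progid}")
            if ext in EXEC_EXT and hive == "HKEY_CURRENT_USER":
                reasons.append("per-user override of an executable type shadows HKLM")
            if any(p in handler.lower() for p in USER_WRITABLE):
                reasons.append("handler lives in a user-writable path")
            if reasons:
                findings.append({"hive": hive, "key": ext, "value": handler,
                                 "reasons": reasons})
        elif section == "Shell Spawning":
            m = SPAWN_RE.match(line)
            if not m:
                continue
            progid, verb, command, _company = m.groups()
            expected = EXPECTED_OPEN.get(progid)
            if verb == "open" and expected and command != expected:
                findings.append({"hive": hive, "key": progid + "\\shell\\open",
                                 "value": command,
                                 "reasons": [f"open command is not {expected}"]})
    return findings


if __name__ == "__main__":
    for f in scan_otl_extras(SAMPLE_LOG):
        print(f"{f['hive']} {f['key']} -> {f['value']}")
        for r in f["reasons"]:
            print("    -", r)
```

Clean HKLM entries such as `exefile [open] -- "%1" %*` produce no finding, so the script is quiet on a healthy Extras log.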

Re: Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by Belahzur on Fri Apr 16, 2010 8:31 pm

Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :OTL
    O33 - MountPoints2\{79604855-5399-11de-9400-00219b118ae3}\Shell - "" = Autorun
    O33 - MountPoints2\{79604855-5399-11de-9400-00219b118ae3}\Shell\Open\command - "" = RECYCLER\S-7-7-38-100026873-100016763-100005966-1762.com h:\
    O33 - MountPoints2\J\Shell - "" = Autorun
    O33 - MountPoints2\J\Shell\Open\command - "" = RECYCLER\S-7-7-38-100026873-100016763-100005966-1762.com h:\
    [2010/04/15 13:31:52 | 000,010,096 | -HS- | M] () -- C:\Users\Owner\AppData\Local\g0e65To
    [2010/04/15 13:31:52 | 000,010,096 | -HS- | M] () -- C:\ProgramData\g0e65To
    [2010/04/15 10:17:35 | 000,183,808 | -HS- | M] () -- C:\Users\Owner\AppData\Local\ave.exe



  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Re: Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by bigblaqq on Fri Apr 16, 2010 9:54 pm

I followed the instructions and the only thing that happened was an OTL pop-up that read "fix complete... click OK to open the fix log". I clicked OK and nothing happened.


Re: Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by Belahzur on Sat Apr 17, 2010 12:24 pm

Hmm, please check this folder:
C:\_OTL

Is there a .log file inside that folder?



Re: Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by bigblaqq on Sat Apr 17, 2010 2:18 pm

I hope this is what you meant:

OTL logfile created on: 4/16/2010 5:12:17 PM - Run 2
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Users\Owner\Downloads
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 49.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 581.48 Gb Total Space | 94.00 Gb Free Space | 16.17% Space Free | Partition Type: NTFS
Drive D: | 14.65 Gb Total Space | 8.17 Gb Free Space | 55.79% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-PC
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/16 17:04:14 | 000,030,212 | -H-- | M] () -- C:\Users\Owner\AppData\Local\Temp\system.exe
PRC - [2010/04/16 17:04:13 | 000,050,004 | -H-- | M] () -- C:\Users\Owner\AppData\Local\Temp\cmd.exe
PRC - [2010/04/16 17:04:13 | 000,030,212 | -H-- | M] () -- C:\Users\Owner\AppData\Local\Temp\services.exe
PRC - [2010/04/16 17:04:13 | 000,030,212 | -H-- | M] () -- C:\Users\Owner\AppData\Local\Temp\lsass.exe
PRC - [2010/04/16 17:04:12 | 000,050,004 | -H-- | M] () -- C:\Users\Owner\AppData\Local\Temp\iexplarer.exe
PRC - [2010/04/16 17:04:12 | 000,050,004 | -H-- | M] () -- C:\Users\Owner\AppData\Local\Temp\hexdump.exe
PRC - [2010/04/16 17:04:12 | 000,030,212 | -H-- | M] () -- C:\Users\Owner\AppData\Local\Temp\taskmgr.exe
PRC - [2010/04/16 17:04:08 | 000,020,001 | -H-- | M] () -- C:\Users\Owner\AppData\Local\Temp\k02plpj.exe
PRC - [2010/04/16 17:04:06 | 000,024,576 | ---- | M] () -- C:\Users\Owner\AppData\Local\Temp\udaw.exe
PRC - [2010/04/16 17:04:06 | 000,022,016 | ---- | M] () -- C:\Users\Owner\AppData\Local\Temp\bqif.exe
PRC - [2010/04/16 17:04:05 | 000,193,536 | -HS- | M] () -- C:\Users\Owner\AppData\Local\ave.exe
PRC - [2010/04/15 13:32:00 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Downloads\OTL.exe
PRC - [2010/04/02 12:03:33 | 000,307,672 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2010/03/26 16:43:32 | 002,117,746 | ---- | M] () -- C:\Programs\PartyGaming\PartyGaming.exe
PRC - [2009/07/21 14:34:33 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
PRC - [2009/04/10 23:28:12 | 000,217,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\WerFault.exe
PRC - [2009/03/02 13:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
PRC - [2003/06/20 00:25:00 | 000,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\MDM.EXE


========== Modules (SafeList) ==========

MOD - [2010/04/15 13:32:00 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Downloads\OTL.exe
MOD - [2009/04/10 23:28:22 | 002,241,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msi.dll
MOD - [2009/04/10 23:28:20 | 000,450,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\comdlg32.dll
MOD - [2008/01/20 22:49:15 | 000,038,912 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\sfc_os.dll
MOD - [2006/11/02 05:46:13 | 000,004,608 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\sfc.dll
MOD - [2006/11/02 05:46:07 | 000,015,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msiltcfg.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009/09/24 21:26:26 | 001,142,272 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FntCache.dll -- (FontCache)
SRV:64bit: - [2008/01/20 22:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/21 14:34:33 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/03/29 21:39:56 | 000,089,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64)
SRV - [2006/11/02 09:34:14 | 000,000,000 | ---D | M] [Unknown | Stopped] -- C:\Windows\SysWOW64\Msdtc -- (MSDTC)
SRV - [2006/11/02 02:35:15 | 000,060,994 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\SysWOW64\wbem\vds.mof -- (vds)
SRV - [2006/11/02 02:35:15 | 000,055,846 | ---- | M] () [On_Demand | Running] -- C:\Windows\SysWOW64\wbem\vss.mof -- (VSS)
SRV - [2003/06/20 00:25:00 | 000,322,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2009/09/30 20:51:42 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
DRV:64bit: - [2009/08/08 15:07:44 | 000,082,816 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\pcouffin.sys -- (pcouffin)
DRV:64bit: - [2009/04/10 22:39:52 | 000,275,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HdAudio.sys -- (HdAudAddService)
DRV:64bit: - [2008/02/11 19:48:28 | 007,709,056 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\igdkmd64.sys -- (igfx)
DRV:64bit: - [2008/01/20 22:50:35 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\umpass.sys -- (UMPass)
DRV:64bit: - [2008/01/20 22:46:55 | 000,317,952 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\e1e6032e.sys -- (e1express) Intel(R)
DRV:64bit: - [2008/01/20 22:46:53 | 001,523,712 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\VSTDPV6.SYS -- (VST64_DPV)
DRV:64bit: - [2008/01/20 22:46:53 | 000,724,480 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\VSTCNXT6.SYS -- (winachsf)
DRV:64bit: - [2008/01/20 22:46:53 | 000,392,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\VSTBS26.SYS -- (VST64HWBS2)
DRV - [2009/12/18 06:47:42 | 000,074,880 | ---- | M] (Avira GmbH) [File_System | On_Demand | Stopped] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avgntflt.sys -- (avgntflt)
DRV - [2006/09/18 17:36:40 | 000,003,066 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysWOW64\wbem\tcpip.mof -- (Tcpip)
DRV - [2006/09/18 17:35:23 | 000,001,088 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\wbem\mpsdrv.mof -- (mpsdrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = F7 19 F0 44 F3 B6 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.order.1: "Yahoo"
FF - prefs.js..browser.search.order.2: ""
FF - prefs.js..browser.startup.homepage: "http://m.www.yahoo.com/?fr=w3i&type=W3i_SP,151,0_0,StartPage,20100209,6679,0,13,0"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.3.4
FF - prefs.js..extensions.enabledItems: {BFF829B6-B433-42CE-9A19-E459D3E4E483}:3.6.3
FF - prefs.js..extensions.enabledItems: {5835466c-49af-4cbe-b102-a8c8b6313749}:1.0.6
FF - prefs.js..extensions.netassistant.keyword.enabled: false
FF - prefs.js..extensions.netassistant.keyword.original: "http://results.freeze.com/?q="
FF - prefs.js..extensions.netassistant.keyword.url: "http://click.w3i.com/?Programid=132&Elementname=Keyword&Applicationid=#netassistant_id#&Version=#netassistant_version#&Vintage=20100209&Defaultbrowserid=13&Productid=1686&Vendorid=4274&Offerid=6680&searchterm="
FF - prefs.js..keyword.URL: "http://click.w3i.com/?Programid=132&Elementname=Keyword&Applicationid={567834DF-5C91-4688-A7B1-1A3E4A0F4E62}&Version=3.6.3&Vintage=20100209&Defaultbrowserid=13&Productid=1686&Vendorid=4274&Offerid=6680&searchterm="


FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/04/02 12:03:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/04/02 12:03:36 | 000,000,000 | ---D | M]

[2009/06/07 16:55:05 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Mozilla\Extensions
[2010/04/16 14:21:32 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\evnbb5r9.default\extensions
[2009/09/02 20:00:37 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\evnbb5r9.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/31 07:46:36 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/02/26 03:59:11 | 000,000,000 | ---D | M] (Shop to Win) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{5835466c-49af-4cbe-b102-a8c8b6313749}

O1 HOSTS File: ([2006/09/18 17:37:24 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll ()
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CarboniteSetupLite] C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NWEReboot] File not found
O4 - HKCU..\Run: [Free Download Manager] C:\Program Files (x86)\Free Download Manager\fdm.exe (FreeDownloadManager.ORG)
O4 - HKCU..\Run: [hf8wefhuaihf8ewfydiujhfdsfdf] C:\Users\Owner\AppData\Local\Temp\k02plpj.exe ()
O4 - HKCU..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\Users\Owner\AppData\Local\Temp\system.exe ()
O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O8:64bit: - Extra context menu item: Download all with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlall.htm ()
O8:64bit: - Extra context menu item: Download selected with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlselected.htm ()
O8:64bit: - Extra context menu item: Download video with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlfvideo.htm ()
O8:64bit: - Extra context menu item: Download with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dllink.htm ()
O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files (x86)\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlall.htm ()
O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlselected.htm ()
O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlfvideo.htm ()
O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dllink.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files (x86)\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files (x86)\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe ()
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe ()
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_19)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.29.103.15 24.29.103.16
O18:64bit: - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - Reg Error: Key error. File not found
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files (x86)\Common Files\microsoft shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18:64bit: - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - Reg Error: Key error. File not found
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - Reg Error: Key error. - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{79604855-5399-11de-9400-00219b118ae3}\Shell - "" = Autorun
O33 - MountPoints2\{79604855-5399-11de-9400-00219b118ae3}\Shell\Open\command - "" = RECYCLER\S-7-7-38-100026873-100016763-100005966-1762.com h:\
O33 - MountPoints2\J\Shell - "" = Autorun
O33 - MountPoints2\J\Shell\Open\command - "" = RECYCLER\S-7-7-38-100026873-100016763-100005966-1762.com h:\
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37:64bit: - HKCU\...exe [@ = secfile] -- "C:\Users\Owner\AppData\Local\ave.exe" /START "%1" %* ()
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = secfile] -- "C:\Users\Owner\AppData\Local\ave.exe" /START "%1" %* ()

========== Files/Folders - Created Within 30 Days ==========

[2010/04/15 14:03:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\TrendMicro
[2010/04/15 12:32:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Error Repair Professional
[2010/04/15 10:27:55 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\Malwarebytes
[2010/04/15 10:27:47 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/04/15 10:27:46 | 000,022,104 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/04/15 10:27:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/04/15 10:27:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/04/14 03:21:02 | 004,697,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2010/04/14 03:20:58 | 000,612,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2010/04/14 03:20:58 | 000,420,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\vbscript.dll
[2010/04/14 03:20:51 | 000,220,672 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\SysWow64\l3codecp.acm
[2010/04/14 03:20:51 | 000,181,760 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\SysNative\l3codecp.acm
[2010/04/14 03:20:51 | 000,072,192 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\SysNative\l3codeca.acm
[2010/04/14 03:20:51 | 000,062,464 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\SysWow64\l3codeca.acm
[2010/04/14 03:19:48 | 000,218,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wintrust.dll
[2010/04/14 03:19:48 | 000,172,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wintrust.dll
[2010/04/14 03:19:46 | 000,104,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cabview.dll
[2010/04/14 03:19:46 | 000,098,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\cabview.dll
[2010/04/09 21:12:57 | 000,000,000 | ---D | C] -- C:\Users\Owner\Desktop\PSP
[2010/03/31 07:48:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/03/31 07:48:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2010/03/31 07:47:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Carbonite
[2010/03/31 07:46:35 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2010/03/31 07:46:35 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2010/03/31 07:46:35 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2010/03/31 07:46:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Java
[2010/03/30 23:28:38 | 002,334,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iertutil.dll
[2010/03/30 23:28:38 | 001,147,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wininet.dll
[2010/03/30 23:28:38 | 000,916,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wininet.dll
[2010/03/30 23:28:37 | 001,538,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2010/03/30 23:28:37 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2010/03/30 23:28:37 | 001,062,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstime.dll
[2010/03/30 23:28:37 | 000,700,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2010/03/30 23:28:37 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstime.dll
[2010/03/30 23:28:37 | 000,594,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeeds.dll
[2010/03/30 23:28:37 | 000,459,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iedkcs32.dll
[2010/03/30 23:28:37 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iedkcs32.dll
[2010/03/30 23:28:37 | 000,252,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iepeers.dll
[2010/03/30 23:28:37 | 000,243,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\occache.dll
[2010/03/30 23:28:37 | 000,219,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2010/03/30 23:28:37 | 000,206,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\occache.dll
[2010/03/30 23:28:37 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iepeers.dll
[2010/03/30 23:28:37 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ie4uinit.exe
[2010/03/30 23:28:37 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2010/03/30 23:28:37 | 000,162,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2010/03/30 23:28:37 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2010/03/30 23:28:37 | 000,132,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesysprep.dll
[2010/03/30 23:28:37 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesysprep.dll
[2010/03/30 23:28:37 | 000,077,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll
[2010/03/30 23:28:37 | 000,072,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll
[2010/03/30 23:28:37 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeedsbs.dll
[2010/03/30 23:28:37 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll
[2010/03/30 23:28:37 | 000,070,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe
[2010/03/30 23:28:37 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll
[2010/03/30 23:28:37 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeedsbs.dll
[2010/03/30 23:28:37 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jsproxy.dll
[2010/03/30 23:28:37 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jsproxy.dll
[2010/03/30 23:28:37 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeedssync.exe
[2010/03/30 23:28:37 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeedssync.exe
[2009/08/08 15:07:44 | 000,082,816 | ---- | C] (VSO Software) -- C:\Users\Owner\AppData\Roaming\pcouffin.sys
[1 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/16 17:14:16 | 001,572,864 | -HS- | M] () -- C:\Users\Owner\NTUSER.DAT
[2010/04/16 17:06:04 | 000,010,696 | -HS- | M] () -- C:\ProgramData\jrNYi6G
[2010/04/16 17:06:03 | 000,010,696 | -HS- | M] () -- C:\Users\Owner\AppData\Local\jrNYi6G
[2010/04/16 17:04:05 | 000,193,536 | -HS- | M] () -- C:\Users\Owner\AppData\Local\ave.exe
[2010/04/16 16:34:15 | 000,003,712 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/16 16:34:15 | 000,003,712 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/16 16:18:50 | 000,000,418 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{315F2767-77C9-4597-8DE0-5351A6AB50E3}.job
[2010/04/15 19:45:11 | 000,012,800 | ---- | M] () -- C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/15 19:42:50 | 000,690,960 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/04/15 19:42:50 | 000,595,446 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/04/15 19:42:50 | 000,101,144 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/04/15 18:34:17 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/15 18:34:16 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/15 18:33:35 | 000,524,288 | -HS- | M] () -- C:\Users\Owner\NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TMContainer00000000000000000001.regtrans-ms
[2010/04/15 18:33:35 | 000,065,536 | -HS- | M] () -- C:\Users\Owner\NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TM.blf
[2010/04/15 18:33:27 | 003,740,757 | -H-- | M] () -- C:\Users\Owner\AppData\Local\IconCache.db
[2010/04/15 17:34:05 | 000,010,104 | -HS- | M] () -- C:\Users\Owner\AppData\Local\g0e65To
[2010/04/15 17:34:05 | 000,010,104 | -HS- | M] () -- C:\ProgramData\g0e65To
[2010/04/15 14:03:39 | 000,002,513 | ---- | M] () -- C:\Users\Owner\Desktop\HiJackThis.lnk
[2010/04/15 10:27:52 | 000,000,808 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/31 07:47:17 | 000,001,856 | ---- | M] () -- C:\Users\Public\Desktop\Carbonite Online Backup Setup.lnk
[2010/03/31 07:46:22 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2010/03/31 07:46:22 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2010/03/31 07:46:22 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2010/03/31 07:46:21 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\deploytk.dll
[1 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/16 17:04:05 | 000,193,536 | -HS- | C] () -- C:\Users\Owner\AppData\Local\ave.exe
[2010/04/16 17:04:05 | 000,010,696 | -HS- | C] () -- C:\Users\Owner\AppData\Local\jrNYi6G
[2010/04/16 17:04:05 | 000,010,696 | -HS- | C] () -- C:\ProgramData\jrNYi6G
[2010/04/15 14:03:09 | 000,002,513 | ---- | C] () -- C:\Users\Owner\Desktop\HiJackThis.lnk
[2010/04/15 10:27:52 | 000,000,808 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/15 10:17:35 | 000,010,104 | -HS- | C] () -- C:\Users\Owner\AppData\Local\g0e65To
[2010/04/15 10:17:35 | 000,010,104 | -HS- | C] () -- C:\ProgramData\g0e65To
[2010/03/31 07:47:17 | 000,001,856 | ---- | C] () -- C:\Users\Public\Desktop\Carbonite Online Backup Setup.lnk
[2010/03/10 20:36:52 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/12/17 06:36:52 | 000,363,018 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistMSI668C.txt
[2009/12/17 06:36:52 | 000,011,142 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistUI668C.txt
[2009/11/23 19:00:22 | 000,023,909 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\UserTile.png
[2009/10/03 07:11:23 | 000,365,312 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistMSI1CFE.txt
[2009/10/03 07:11:23 | 000,011,238 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistUI1CFE.txt
[2009/10/01 14:36:12 | 000,363,342 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistMSI552D.txt
[2009/10/01 14:36:12 | 000,011,142 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistUI552D.txt
[2009/08/31 05:28:49 | 000,708,868 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2009/08/29 17:56:26 | 000,362,954 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistMSI5C0A.txt
[2009/08/29 17:56:26 | 000,011,126 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistUI5C0A.txt
[2009/08/29 17:21:32 | 000,365,642 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistMSI4154.txt
[2009/08/29 17:21:32 | 000,011,238 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistUI4154.txt
[2009/08/08 16:06:01 | 000,001,176 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\vso_ts_preview.xml
[2009/08/08 15:09:12 | 000,000,034 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\pcouffin.log
[2009/08/08 15:07:44 | 000,099,384 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\inst.exe
[2009/08/08 15:07:44 | 000,007,859 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\pcouffin.cat
[2009/08/08 15:07:44 | 000,001,167 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\pcouffin.inf
[2009/08/03 22:07:21 | 000,000,680 | ---- | C] () -- C:\Users\Owner\AppData\Local\d3d9caps.dat
[2009/08/01 14:05:17 | 000,001,952 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2009/07/14 17:58:48 | 000,440,260 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistMSI53B8.txt
[2009/07/14 17:58:47 | 000,012,934 | ---- | C] () -- C:\Users\Owner\AppData\Local\dd_vcredistUI53B8.txt
[2009/07/12 16:03:54 | 000,000,801 | ---- | C] () -- C:\Windows\ARPR.INI
[2009/06/07 16:55:15 | 000,012,800 | ---- | C] () -- C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/06 11:15:08 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/06 11:15:01 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
[2009/06/06 08:06:35 | 000,000,732 | ---- | C] () -- C:\Users\Owner\AppData\Local\d3d9caps64.dat
[2009/06/06 08:06:34 | 000,000,020 | -HS- | C] () -- C:\Users\Owner\ntuser.ini
[2009/06/06 08:06:33 | 001,572,864 | -HS- | C] () -- C:\Users\Owner\NTUSER.DAT
[2009/06/06 08:06:33 | 000,524,288 | -HS- | C] () -- C:\Users\Owner\NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TMContainer00000000000000000002.regtrans-ms
[2009/06/06 08:06:33 | 000,524,288 | -HS- | C] () -- C:\Users\Owner\NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TMContainer00000000000000000001.regtrans-ms
[2009/06/06 08:06:33 | 000,262,144 | -H-- | C] () -- C:\Users\Owner\ntuser.dat.LOG1
[2009/06/06 08:06:33 | 000,065,536 | -HS- | C] () -- C:\Users\Owner\NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TM.blf
[2009/06/06 08:06:33 | 000,000,000 | -H-- | C] () -- C:\Users\Owner\ntuser.dat.LOG2
[2008/01/20 22:50:05 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2005/04/06 11:27:14 | 000,237,568 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
[2005/04/06 11:24:40 | 001,216,512 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\SysWow64\OUTLPERF.INI
< End of report >

bigblaqq
Novice

Posts : 44
Joined : 2009-06-06
OS : xp
Points : 27847
# Likes : 0

Re: Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by Belahzur on Sat Apr 17, 2010 7:13 pm

Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :OTL
    O4 - HKCU..\Run: [hf8wefhuaihf8ewfydiujhfdsfdf] C:\Users\Owner\AppData\Local\Temp\k02plpj.exe ()
    O4 - HKCU..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\Users\Owner\AppData\Local\Temp\system.exe ()
    O33 - MountPoints2\{79604855-5399-11de-9400-00219b118ae3}\Shell - "" = Autorun
    O33 - MountPoints2\{79604855-5399-11de-9400-00219b118ae3}\Shell\Open\command - "" = RECYCLER\S-7-7-38-100026873-100016763-100005966-1762.com h:\
    O33 - MountPoints2\J\Shell - "" = Autorun
    O33 - MountPoints2\J\Shell\Open\command - "" = RECYCLER\S-7-7-38-100026873-100016763-100005966-1762.com h:\
    O37 - HKCU\...exe [@ = secfile] -- "C:\Users\Owner\AppData\Local\ave.exe" /START "%1" %* ()
    [2010/04/16 17:06:04 | 000,010,696 | -HS- | M] () -- C:\ProgramData\jrNYi6G
    [2010/04/16 17:06:03 | 000,010,696 | -HS- | M] () -- C:\Users\Owner\AppData\Local\jrNYi6G
    [2010/04/16 17:04:05 | 000,193,536 | -HS- | M] () -- C:\Users\Owner\AppData\Local\ave.exe
    [2010/04/15 17:34:05 | 000,010,104 | -HS- | M] () -- C:\Users\Owner\AppData\Local\g0e65To
    [2010/04/15 17:34:05 | 000,010,104 | -HS- | M] () -- C:\ProgramData\g0e65To


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245049
# Likes : 1
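The entries the fix above removes share a few recognisable traits in the OTL log: a per-user Run value with a random name that launches an executable with no company name from Temp, a MountPoints2 Open\command pointing at a RECYCLER path on a removable drive, and a per-user .exe file association routed through ave.exe. As an added example that is not part of the thread, of OTL or of the helper's fix, the Python script below parses OTL-style lines and flags those traits on constructed sample lines modelled on the log; the winlogon Run entry is an assumed line (a Windows process name launched from Temp), not one taken from the thread.

```python
"""Triage of OTL-style autostart lines.

Added example for this thread, not part of OTL or of the helper's fix: it
flags the kinds of entries the fix removes (per-user Run values launching
unnamed executables from Temp, MountPoints2 autorun commands, a per-user
.exe association hijack) so the same pattern can be checked on other logs.
"""
import re
from typing import Dict, List

# Line shapes as they appear in the OTL log above; real OTL output may carry
# variants these expressions do not cover (an assumption of this example).
RUN_RE = re.compile(r"^O4(?::64bit:)? - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
TRAILER_RE = re.compile(r"^(?P<path>.*?)\s*\((?P<company>[^()]*)\)$")  # OTL appends "(Company)" or "()"
MOUNT_RE = re.compile(r'^O33 - MountPoints2\\(?P<volume>[^\\]+)\\Shell\\Open\\command - "" = (?P<cmd>.*)$')
ASSOC_RE = re.compile(r'^O37(?::64bit:)? - (?P<hive>HK\w+)\\\.\.\.exe \[@ = (?P<cls>\w+)\] -- (?P<cmd>.*)$')
RANDOM_NAME_RE = re.compile(r"[a-z0-9]{20,}")  # value names like hf8wefhuaihf8ewfydiujhfdsfdf

# Directories a standard user can write to (lower-case, doubled backslashes).
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\",
                 "\\users\\public\\", "\\temp\\")
# Names of real Windows binaries that malware reuses outside the Windows directory.
OS_NAMES = {"winlogon.exe", "lsass.exe", "services.exe", "taskmgr.exe",
            "iexplore.exe", "explorer.exe", "svchost.exe", "csrss.exe"}


def triage_line(line: str) -> List[str]:
    """Return the names of the rules an OTL line trips (empty if it looks benign)."""
    rules: List[str] = []
    run = RUN_RE.match(line)
    if run:
        trailer = TRAILER_RE.match(run.group("rest"))
        path = (trailer.group("path") if trailer else run.group("rest")).lower()
        company = trailer.group("company").strip() if trailer else None
        if company == "" and any(d in path for d in USER_WRITABLE):
            rules.append("run_unsigned_user_writable")
        if RANDOM_NAME_RE.fullmatch(run.group("name")):
            rules.append("run_random_value_name")
        if path.rsplit("\\", 1)[-1] in OS_NAMES and "\\windows\\" not in path:
            rules.append("run_os_name_outside_windows")
    mount = MOUNT_RE.match(line)
    if mount:
        # Any Open\command under MountPoints2 runs when the volume is opened.
        rules.append("mountpoints2_autorun_command")
        if "recycler" in mount.group("cmd").lower():
            rules.append("recycler_masquerade")
    assoc = ASSOC_RE.match(line)
    if assoc and not (assoc.group("cls") == "exefile" and assoc.group("cmd").strip() == '"%1" %*'):
        # Anything but the stock exefile / "%1" %* pairing interposes a program on
        # every .exe launch; the HKCU copy also overrides HKLM for that user.
        rules.append("exe_association_hijack")
    return rules


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Run triage_line over a log and keep only the lines that tripped a rule."""
    return [{"line": l, "rules": r} for l in lines if (r := triage_line(l))]


# Constructed sample modelled on the log above; the [winlogon] line is assumed.
SAMPLE_LINES = [
    r"O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)",
    r"O4 - HKCU..\Run: [hf8wefhuaihf8ewfydiujhfdsfdf] C:\Users\Owner\AppData\Local\Temp\k02plpj.exe ()",
    r"O4 - HKCU..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\Users\Owner\AppData\Local\Temp\system.exe ()",
    r"O4 - HKCU..\Run: [winlogon] C:\Users\Owner\AppData\Local\Temp\winlogon.exe ()",
    r"O4 - HKCU..\Run: [Free Download Manager] C:\Program Files (x86)\Free Download Manager\fdm.exe (FreeDownloadManager.ORG)",
    r"O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found",
    r'O33 - MountPoints2\J\Shell - "" = Autorun',
    # A raw string cannot end in a backslash, hence the concatenated "\\".
    r'O33 - MountPoints2\J\Shell\Open\command - "" = RECYCLER\S-7-7-38-100026873-100016763-100005966-1762.com h:' "\\",
    r'O37 - HKLM\...exe [@ = exefile] -- "%1" %*',
    r'O37 - HKCU\...exe [@ = secfile] -- "C:\Users\Owner\AppData\Local\ave.exe" /START "%1" %* ()',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(", ".join(hit["rules"]), "<-", hit["line"])
```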

Re: Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by bigblaqq on Sat Apr 17, 2010 7:27 pm

========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\hf8wefhuaihf8ewfydiujhfdsfdf deleted successfully.
C:\Users\Owner\AppData\Local\Temp\k02plpj.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\hsf87efjhdsf87f3jfsdi7fhsujfd deleted successfully.
C:\Users\Owner\AppData\Local\Temp\system.exe moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79604855-5399-11de-9400-00219b118ae3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79604855-5399-11de-9400-00219b118ae3}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79604855-5399-11de-9400-00219b118ae3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79604855-5399-11de-9400-00219b118ae3}\ not found.
File C:\RECYCLER\S-7-7-38-100026873-100016763-100005966-1762.com h:\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J\ not found.
File C:\RECYCLER\S-7-7-38-100026873-100016763-100005966-1762.com h:\ not found.
Registry key HKEY_CURRENT_USER\Software\Classes\.exe\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
C:\ProgramData\jrNYi6G moved successfully.
C:\Users\Owner\AppData\Local\jrNYi6G moved successfully.
File C:\Users\Owner\AppData\Local\ave.exe not found.
File C:\Users\Owner\AppData\Local\g0e65To not found.
File C:\ProgramData\g0e65To not found.

OTL by OldTimer - Version 3.2.1.1 log created on 04172010_152633


Re: Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by Belahzur on Sat Apr 17, 2010 8:51 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by bigblaqq on Sat Apr 17, 2010 10:20 pm

Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

4/17/2010 6:20:17 PM
mbam-log-2010-04-17 (18-20-17).txt

Scan type: Quick Scan
Objects scanned: 101962
Time elapsed: 3 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Owner\AppData\Local\Temp\iexplore.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\services.exe (Password.Stealer) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\win32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


Re: Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by Belahzur on Sat Apr 17, 2010 11:17 pm

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.



Re: Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by bigblaqq on Sun Apr 18, 2010 12:07 am

Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

4/17/2010 8:07:07 PM
mbam-log-2010-04-17 (20-07-07).txt

Scan type: Quick Scan
Objects scanned: 102039
Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by Belahzur on Sun Apr 18, 2010 4:41 pm

Hello.
Did you update? You are 2 versions behind.



Re: Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by bigblaqq on Sun Apr 18, 2010 5:02 pm

I deleted the copy I had and started new. After the scan was complete I clicked the remove button. Here is the log:

Malwarebytes' Anti-Malware 1.45

Database version: 4005

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

4/18/2010 1:01:16 PM
mbam-log-2010-04-18 (13-01-16).txt

Scan type: Quick scan
Objects scanned: 111968
Time elapsed: 3 minute(s), 1 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
C:\Users\Owner\AppData\Local\ave.exe (Rogue.MultipleAV) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Owner\AppData\Local\ave.exe" /START "C:\Program Files (x86)\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Owner\AppData\Local\ave.exe" /START "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Owner\AppData\Local\ave.exe" /START "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Owner\AppData\Local\Temp\1528456517.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\2104687077.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\2678327637.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\3251978197.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\avp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\bqif.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\cmd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\drweb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\hexdump.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\iexplarer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\lulnkq.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\mdm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\notepad.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\udaw.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\user.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\wz43mvfqx.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Windows\Temp\clk651.nls (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Users\Owner\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
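The log above shows the mechanism behind the pop-ups: the rogue pointed HKCR\.exe at its own ProgID ("secfile") and wrapped the browser launch commands under StartMenuInternet in `ave.exe /START ...`, so every program or browser start ran the rogue first. The following read-only PowerShell check is an added example, not part of the thread and not code from OTL or Malwarebytes; it assumes the stock Windows defaults (`exefile` for `.exe` and `"%1" %*` for its open command) and reports deviations without changing anything.

```powershell
# Added example (not from the thread): read-only check for the .exe file-association
# and browser-launch hijack seen in the MBAM log. It reports findings only.
# Assumed stock defaults: HKCR\.exe -> "exefile", HKCR\exefile\shell\open\command -> "%1" %*

$findings = @()

# Read the (default) value of a registry subkey, or $null when the key is absent.
function Get-DefaultValue {
    param([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey)
    $key = $Hive.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }
    try { return [string]$key.GetValue('') } finally { $key.Close() }
}

$hkcr = [Microsoft.Win32.Registry]::ClassesRoot
$hklm = [Microsoft.Win32.Registry]::LocalMachine

# 1. HKCR\.exe must map to the stock ProgID "exefile" (the log showed "secfile").
$progId = Get-DefaultValue $hkcr '.exe'
if ($progId -ne 'exefile') {
    $findings += "HKCR\.exe default is '$progId' (expected 'exefile')"
}

# 2. Whatever ProgID .exe uses, its open command must be the pass-through '"%1" %*'.
if ($progId) {
    $openCmd = Get-DefaultValue $hkcr "$progId\shell\open\command"
    if ($openCmd -ne '"%1" %*') {
        $findings += "HKCR\$progId\shell\open\command is '$openCmd' (expected '""%1"" %*')"
    }
}

# 3. Browser launch commands under StartMenuInternet should not be wrapped by a
#    binary in a user profile directory (the log showed ave.exe /START prepended).
$clients = $hklm.OpenSubKey('SOFTWARE\Clients\StartMenuInternet')
if ($clients) {
    foreach ($name in $clients.GetSubKeyNames()) {
        foreach ($verb in 'open', 'safemode') {
            $cmd = Get-DefaultValue $hklm "SOFTWARE\Clients\StartMenuInternet\$name\shell\$verb\command"
            if ($cmd -and $cmd -match '(?i)\\AppData\\Local\\[^\\"]+\.exe"?\s+/START') {
                $findings += "StartMenuInternet\$name\shell\$verb\command is wrapped: $cmd"
            }
        }
    }
    $clients.Close()
}

if ($findings.Count -eq 0) {
    'No .exe / browser launch hijack indicators found.'
} else {
    'Hijack indicators:'
    $findings | ForEach-Object { " - $_" }
}
```

Reading HKCR and HKLM needs no elevation, so this can be run from a normal PowerShell prompt before and after cleanup; a non-empty finding list is the same condition the "Hijack.ExeFile" and "Hijack.StartMenuInternet" entries in the log describe, and repairing it is what the earlier OTL fix line `HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E` did.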


Re: Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by Belahzur on Sun Apr 18, 2010 5:05 pm

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :commands
    [emptytemp]
    [reboot]


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Re: Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by bigblaqq on Sun Apr 18, 2010 5:14 pm

All processes killed
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mcx1
->Temp folder emptied: 141920 bytes
->Temporary Internet Files folder emptied: 20372610 bytes

User: Owner
->Temp folder emptied: 200940239 bytes
->Temporary Internet Files folder emptied: 33886632 bytes
->Java cache emptied: 43618631 bytes
->FireFox cache emptied: 39641189 bytes
->Flash cache emptied: 143069 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 861184 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 135540823 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 453.00 mb


OTL by OldTimer - Version 3.2.1.1 log created on 04182010_130830

Files\Folders moved on Reboot...
File move failed. C:\Windows\SysNative\SET465.tmp scheduled to be moved on reboot.

Registry entries deleted on Reboot...


Re: Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by Belahzur on Sun Apr 18, 2010 6:11 pm

Hello.

To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.

  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
How is the machine running now?



Re: Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by bigblaqq on Sun Apr 18, 2010 6:19 pm

Thanks to you it is now running without any of those annoying pop ups. Although I have a Java update ready to be installed. SHOULD I install it? The reason is I believe I got the virus from a Java update. It seemed whenever I went to RLSLOG.NET the pop ups would come up.


Re: Fake "Vista Security Unregistered Version" Pop Ups !!!

Post by Belahzur on Sun Apr 18, 2010 6:26 pm

It may possibly be a bad ad on that website; rlslog is a safe scene release site.

