Win32 Nuqel.e Banker Fox.a for Vista


Win32 Nuqel.e Banker Fox.a for Vista

Post by Voosetick on 5th May 2010, 6:30 pm

Hello. Today I received a fake anti-virus security alert from a program called "Antispyware Soft", as well as messages saying I have threats from Win32/Nuqel.e and Banker Fox.a. I have tried to download several spyware programs such as Spyware Doctor and others. The main problem is I cannot even open the programs at all. It says the application cannot be executed because the program is infected. My computer came with an anti-virus program called BullGuard. I am contemplating buying that program in full, but I am worried that I won't be able to open the program. Please, if you could, respond back to me with some HELP! Thank you.

Voosetick
Novice

Posts : 7
Joined : 2010-05-05
OS : Windows Vista Home Premium
Points : 24193
Likes : 0


Re: Win32 Nuqel.e Banker Fox.a for Vista

Post by Belahzur on 5th May 2010, 7:53 pm

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245101
Likes : 1


Re: Win32 Nuqel.e Banker Fox.a for Vista

Post by Voosetick on 5th May 2010, 8:57 pm

Hey, thanks anyway, but I ended up running in Safe Mode and downloading Malwarebytes, and it took the fake programs. The key for Vista Safe Mode, though, was to completely shut off your computer by holding the button down for 5 seconds and THEN PRESSING F8. It took me a couple of restarts to realize that F8 would only get me to a boot screen, therefore I had to completely shut off. I have one more question though: should I delete the registry files that were found and quarantined? Overall, Malwarebytes seemed to get the job done.


Re: Win32 Nuqel.e Banker Fox.a for Vista

Post by Belahzur on 5th May 2010, 9:54 pm

Please run OTL now.



Re: Win32 Nuqel.e Banker Fox.a for Vista

Post by Voosetick on 5th May 2010, 11:03 pm

OTL logfile created on: 5/5/2010 6:43:26 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\Andrew\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 59.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 576.17 Gb Total Space | 282.60 Gb Free Space | 49.05% Space Free | Partition Type: NTFS
Drive D: | 19.99 Gb Total Space | 13.03 Gb Free Space | 65.16% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANDREW-PC
Current User Name: Andrew
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/05 18:42:16 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\Andrew\Downloads\OTL.exe
PRC - [2010/04/29 14:31:08 | 000,390,952 | ---- | M] (Valve Corporation) -- C:\Program Files\Common Files\Steam\SteamService.exe
PRC - [2010/04/27 16:35:41 | 001,238,352 | ---- | M] (Valve Corporation) -- C:\Program Files\Steam\Steam.exe
PRC - [2009/10/22 20:18:57 | 000,030,192 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2009/05/07 16:46:53 | 000,718,152 | ---- | M] (BullGuard Software) -- C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
PRC - [2009/05/07 14:11:16 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/05/28 17:06:02 | 006,144,000 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2008/01/20 22:23:32 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe


========== Modules (SafeList) ==========

MOD - [2010/05/05 18:42:16 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\Andrew\Downloads\OTL.exe
MOD - [2009/04/11 02:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2008/01/20 22:24:37 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/04/29 14:31:08 | 000,390,952 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/10/22 20:18:57 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-093009-130223)
SRV - [2009/09/24 21:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/05/07 16:47:07 | 000,058,696 | ---- | M] (BullGuard Ltd.) [Auto | Running] -- C:\Program Files\BullGuard Software\BullGuard\BsMailProxy.dll -- (BsMailProxy)
SRV - [2009/05/07 16:46:55 | 000,107,848 | ---- | M] (BullGuard Ltd.) [Auto | Running] -- C:\Program Files\BullGuard Software\BullGuard\BsFileScan.dll -- (BsFileScan)
SRV - [2009/05/07 16:46:53 | 000,718,152 | ---- | M] (BullGuard Software) [Auto | Running] -- C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe -- (BGLiveSvc)
SRV - [2009/05/07 16:46:43 | 000,083,272 | ---- | M] (BullGuard, Ltd.) [Auto | Running] -- C:\Program Files\BullGuard Software\BullGuard\BsMain.dll -- (BgMainSvc)
SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2010/04/27 16:45:59 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/05/07 16:46:57 | 000,050,896 | ---- | M] (BullGuard Ltd.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\BdFileSpy.sys -- (BdFileSpy)
DRV - [2009/04/11 00:42:54 | 000,073,216 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/06/03 02:22:55 | 003,695,104 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2008/06/02 19:11:40 | 002,147,544 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/05/28 18:54:20 | 000,022,072 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\usbfilter.sys -- (usbfilter)
DRV - [2008/04/28 09:26:42 | 000,014,352 | ---- | M] (ATI Technologies Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AtiPcie.sys -- (AtiPcie) ATI PCI Express (3GIO)
DRV - [2008/04/18 14:33:46 | 000,175,632 | ---- | M] (AMD Technologies Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\ahcix86s.sys -- (ahcix86s)
DRV - [2008/02/14 15:56:02 | 000,118,784 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/01/20 22:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/20 22:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/20 22:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/20 22:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/20 22:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/20 22:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/20 22:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/20 22:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/20 22:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/20 22:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
DRV - [2008/01/20 22:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/20 22:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/20 22:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/20 22:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/20 22:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/20 22:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/20 22:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/20 22:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/20 22:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/20 22:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/20 22:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/20 22:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/20 22:23:00 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/20 22:23:00 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/20 22:23:00 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/10/11 21:40:14 | 000,010,632 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdide.sys -- (amdide)
DRV - [2007/05/16 07:07:58 | 000,016,984 | ---- | M] (BullGuard Ltd.) [Kernel | On_Demand | Running] -- C:\Program Files\BullGuard Software\BullGuard\Reconn.sys -- (Reconn)
DRV - [2006/11/02 05:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 05:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 05:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 05:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 05:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 05:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 05:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 05:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 05:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 05:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 04:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 04:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 04:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 04:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 04:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 04:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 03:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [You must be registered and logged in to see this link.] [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 70 57 7A 3F 18 59 CA 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "DAEMON Search"
FF - prefs.js..browser.startup.homepage: "http://www.daemon-search.com/startpage"

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/02 14:32:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/15 17:25:36 | 000,000,000 | ---D | M]

[2009/05/07 16:51:51 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Mozilla\Extensions
[2010/05/05 13:33:22 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\ojuxz6hq.default\extensions
[2009/09/04 00:23:18 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\ojuxz6hq.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/27 16:46:37 | 000,002,059 | ---- | M] () -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\ojuxz6hq.default\searchplugins\daemon-search.xml
[2010/01/27 19:09:37 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [BullGuard] C:\Program Files\BullGuard Software\BullGuard\bullguard.exe (BullGuard Software)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [toolbar_eula_launcher] C:\Program Files\GoogleEULA\EULALauncher.exe ( )
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [BullGuard] C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe (BullGuard Software)
O4 - HKCU..\Run: [Chatango] C:\Program Files\Chatango\Chatango.exe (Pear Media, LLC)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [Steam] c:\program files\steam\steam.exe (Valve Corporation)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.105.28.11 68.105.29.11
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{4285c3db-967f-11de-98d9-0021851b309a}\Shell - "" = AutoRun
O33 - MountPoints2\{4285c3db-967f-11de-98d9-0021851b309a}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found
O33 - MountPoints2\{5ad3261f-523e-11df-8b5f-0021851b309a}\Shell - "" = AutoRun
O33 - MountPoints2\{5ad3261f-523e-11df-8b5f-0021851b309a}\Shell\AutoRun\command - "" = J:\Install.exe -- File not found
O33 - MountPoints2\{d4e75493-8da9-11de-b177-0021851b309a}\Shell\AutoRun\command - "" = J:\setup.exe -- File not found
O33 - MountPoints2\J\Shell - "" = AutoRun
O33 - MountPoints2\J\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/05 15:37:12 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Roaming\Malwarebytes
[2010/05/05 14:38:37 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/05/05 14:38:34 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/05/05 14:38:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/05/05 14:38:33 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/05 13:26:01 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010/05/05 11:38:46 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Local\rjjwxlkin
[2010/05/05 11:38:31 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Blue Sky Black Death Slow Burning Lights
[2010/04/27 17:47:43 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Documents\GTA San Andreas User Files
[2010/04/27 17:36:15 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
[2010/04/27 17:03:37 | 000,000,000 | ---D | C] -- C:\Program Files\Rockstar Games
[2010/04/27 16:45:06 | 000,000,000 | ---D | C] -- C:\Program Files\DAEMON Tools Lite
[2010/04/27 16:44:31 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Roaming\DAEMON Tools Lite
[2010/04/27 16:44:23 | 000,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Lite
[2010/04/27 16:38:59 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Roaming\Nero
[2010/04/19 17:34:32 | 000,000,000 | ---D | C] -- C:\Program Files\Chatango
[2010/04/15 17:16:37 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/04/14 20:02:35 | 000,220,672 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\System32\l3codecp.acm
[2010/04/14 20:02:35 | 000,062,464 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\System32\l3codeca.acm
[2010/04/14 20:02:07 | 003,600,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010/04/14 20:02:07 | 003,548,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010/04/14 20:01:39 | 000,420,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2010/04/13 14:31:42 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch

========== Files - Modified Within 30 Days ==========

[2010/05/05 18:50:32 | 005,767,168 | -HS- | M] () -- C:\Users\Andrew\NTUSER.DAT
[2010/05/05 18:44:03 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/05 18:39:15 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/05 18:39:15 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/05 18:20:29 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/05 16:46:10 | 000,595,446 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/05/05 16:46:10 | 000,101,144 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/05/05 16:46:08 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/05/05 16:39:18 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/05 16:39:16 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/05 16:37:47 | 000,524,288 | -HS- | M] () -- C:\Users\Andrew\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/05/05 16:37:47 | 000,065,536 | -HS- | M] () -- C:\Users\Andrew\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/05/05 16:37:44 | 002,528,738 | -H-- | M] () -- C:\Users\Andrew\AppData\Local\IconCache.db
[2010/05/05 15:47:43 | 000,007,512 | ---- | M] () -- C:\Users\Andrew\AppData\Local\d3d9caps.dat
[2010/05/05 14:38:40 | 000,000,822 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/04 23:39:50 | 000,084,072 | ---- | M] () -- C:\Users\Andrew\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/05/04 23:38:44 | 000,331,480 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/28 13:02:04 | 000,186,368 | ---- | M] () -- C:\Users\Andrew\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/27 17:03:36 | 000,001,691 | ---- | M] () -- C:\Users\Andrew\Desktop\GTA San Andreas.lnk
[2010/04/27 16:46:25 | 000,001,739 | ---- | M] () -- C:\Users\Public\Desktop\DAEMON Tools Lite.lnk
[2010/04/27 16:45:59 | 000,691,696 | ---- | M] () -- C:\Windows\System32\drivers\sptd.sys
[2010/04/27 16:37:39 | 000,000,790 | ---- | M] () -- C:\Users\Public\Desktop\Steam.lnk
[2010/04/27 16:24:40 | 4231,110,656 | ---- | M] () -- C:\Users\Andrew\hlm-gtasa.iso
[2010/04/15 17:25:51 | 000,001,891 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/04/15 17:15:45 | 272,203,271 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/04/14 14:58:00 | 000,138,696 | ---- | M] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010/04/12 18:33:54 | 000,013,516 | ---- | M] () -- C:\Users\Andrew\harpoon1.jpg
[2010/04/12 18:14:46 | 000,093,344 | ---- | M] () -- C:\Users\Andrew\AppData\Roaming\UserTile.png
[2010/04/12 18:14:21 | 000,029,664 | ---- | M] () -- C:\Users\Andrew\blog.jpg

========== Files Created - No Company Name ==========

[2010/05/05 14:38:40 | 000,000,822 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/27 17:03:36 | 000,001,691 | ---- | C] () -- C:\Users\Andrew\Desktop\GTA San Andreas.lnk
[2010/04/27 16:46:25 | 000,001,739 | ---- | C] () -- C:\Users\Public\Desktop\DAEMON Tools Lite.lnk
[2010/04/27 16:45:58 | 000,691,696 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2010/04/26 16:11:29 | 4231,110,656 | ---- | C] () -- C:\Users\Andrew\hlm-gtasa.iso
[2010/04/15 17:15:45 | 272,203,271 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/04/12 18:33:54 | 000,013,516 | ---- | C] () -- C:\Users\Andrew\harpoon1.jpg
[2010/04/12 18:14:46 | 000,093,344 | ---- | C] () -- C:\Users\Andrew\AppData\Roaming\UserTile.png
[2010/04/12 18:14:21 | 000,029,664 | ---- | C] () -- C:\Users\Andrew\blog.jpg
[2010/03/28 16:04:34 | 000,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/10/24 00:04:41 | 000,138,696 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2009/09/24 00:21:39 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/31 19:39:22 | 000,028,672 | ---- | C] () -- C:\Windows\System32\InsDrvZD.dll
[2009/08/31 19:39:22 | 000,015,872 | ---- | C] () -- C:\Windows\System32\InsDrvZD64.dll
[2009/05/12 15:22:11 | 000,021,840 | ---- | C] () -- C:\Windows\System32\SIntfNT.dll
[2009/05/12 15:22:11 | 000,017,212 | ---- | C] () -- C:\Windows\System32\SIntf32.dll
[2009/05/12 15:22:10 | 000,012,067 | ---- | C] () -- C:\Windows\System32\SIntf16.dll
[2008/06/02 23:35:17 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:DFC5A2B2
< End of report >

Re: Win32 Nuqel.e Banker Fox.a for Vista

Post by Voosetick on 5th May 2010, 11:04 pm

OTL Extras logfile created on: 5/5/2010 6:43:26 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\Andrew\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 59.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 576.17 Gb Total Space | 282.60 Gb Free Space | 49.05% Space Free | Partition Type: NTFS
Drive D: | 19.99 Gb Total Space | 13.03 Gb Free Space | 65.16% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANDREW-PC
Current User Name: Andrew
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~4\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0C6CED1B-E627-4831-A71B-CFCB4CAC213D}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{0CDF39D6-90FE-49BF-8394-7B1ABF1FA74D}" = lport=137 | protocol=17 | dir=in | app=system |
"{152E8DC3-3E45-44F0-B33F-01B3333A8279}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{190F82ED-CC1C-4AAF-88EE-279F962CD3F8}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{32A62677-3BB8-4DD8-A7A3-6C1E5DD452AE}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{4409B439-D934-4682-B9D0-4F4F392CB5C9}" = lport=2869 | protocol=6 | dir=in | app=system |
"{5894187F-E2D0-4D9F-ABF1-35777DCECD18}" = lport=2869 | protocol=6 | dir=in | app=system |
"{6544863D-1881-4753-91AA-26C16EA275BA}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{8408807F-2FEB-4D9C-A07D-9781716991D9}" = lport=10243 | protocol=6 | dir=in | app=system |
"{8690ECDF-EA1E-43D8-A3D9-E39540A35A3C}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{94654BD2-48CC-45DE-A0FF-7D6BECCF8030}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{982B95A4-05BD-45B5-B693-68113A8E440E}" = rport=138 | protocol=17 | dir=out | app=system |
"{A32A9D3A-016C-4E06-8E34-478ECD4A36F1}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{A5B3445C-4D00-477D-8EC8-568D714B28B2}" = lport=138 | protocol=17 | dir=in | app=system |
"{AB102BE5-56C1-4F5E-874A-D8524057DD24}" = lport=139 | protocol=6 | dir=in | app=system |
"{ABF27AE8-E1B9-4AF5-B812-F75DCD5BF47F}" = rport=137 | protocol=17 | dir=out | app=system |
"{B17A1ADB-0CCB-4DAA-808B-BB459206121F}" = lport=445 | protocol=6 | dir=in | app=system |
"{B46FAB80-C2E6-45DC-B650-01664B82C8B4}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{C80DD28C-BE39-4FBD-881E-F22D53FCA71D}" = rport=139 | protocol=6 | dir=out | app=system |
"{CF8EA303-E89F-4C53-A4FB-70766B644051}" = rport=10243 | protocol=6 | dir=out | app=system |
"{F9151902-6FB0-42E0-BB82-0EC1B422276C}" = rport=445 | protocol=6 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0A9F1AE1-20B5-41E5-B3CE-EFF54176C6B3}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{0E740039-86EC-4D11-9494-DF0EDCDB8C88}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{0EFFE26B-0946-4550-A0FC-E155596ACFE4}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{164A1B1F-32EF-4BB9-BA96-F949235FE969}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{1CB556C9-E5EE-4811-8991-C4F660CD8AB5}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\far cry 2\bin\fc2editor.exe |
"{1D02AEDA-8B38-49C7-9E7A-475706A4DF5D}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{1D4EA692-A088-4E7B-A524-B905DB4C8A26}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\far cry 2\bin\farcry2.exe |
"{1D8DD4D4-17EC-468B-A038-1CA8284E31B5}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{28039EA8-0155-46DF-91D6-1CF634922F24}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{28CC9AB3-513B-4DAB-B24D-1142B22AC608}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{2E0E6610-9DFE-4BFA-9B37-07CB17AFC8E7}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{310A3160-F62D-43E4-BA23-AB325AC02898}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{35217839-7AA1-4CAB-8FB4-F3DEA4C2C9BA}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{35727444-A154-46A2-816E-B3BD33B05056}" = protocol=6 | dir=in | app=c:\program files\ventrilo\ventrilo.exe |
"{36ACC908-B3D8-4D79-86D1-E72EC356206C}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{450747E4-290F-488E-A11F-7B8308CAAB8D}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\far cry 2\bin\fc2editor.exe |
"{5035148B-58C7-434F-9472-C088BB7182C9}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{5705A5F6-AD71-4A10-A728-F93DFFCB69D8}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{573956FB-78B5-45B6-8F10-26CF42C15CD6}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{580CCA04-5D88-47C1-B21B-A00D47FDB07D}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{599CDA7F-45A8-4441-898C-EA825AB7B813}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\far cry 2\bin\fc2serverlauncher.exe |
"{5E547703-C500-485A-B5CD-344F3AE7F925}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{639D16D5-CD21-482C-81CB-E8D6A2CC6EC0}" = protocol=17 | dir=in | app=c:\program files\ventrilo\ventrilo.exe |
"{64313237-0415-44D1-807F-28B291701798}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{6465B4BB-EE91-4B67-BEE7-57221E01E8B8}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{6E096B3E-7691-4BF8-AD41-0A1B11A9E29F}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{75DFBD58-DCEC-4ADA-B44F-53CBFE3039EA}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\mushy51\counter-strike\hl.exe |
"{7B216AD6-5364-40DB-B799-5A1C120CF1B8}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{7DA6FBDF-BA7A-44EB-AC31-B84D85C517BC}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{82406C12-F693-40E2-A5FB-284ABE46C473}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{82A786D3-B1BB-4AE8-A40B-0ADEDA2CD5C0}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{88CD35AD-D6D7-41E4-8C87-EC2624337515}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{A695C3C7-290D-4A01-870D-F69B01F55D52}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\far cry 2\bin\farcry2.exe |
"{A885FBC1-2F22-46FE-A8DD-E70D28B0B08D}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{AD94FCD4-9657-44B6-804E-073F79FCF2E1}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{AE2792C2-E6D1-4CC1-B0E3-B7EE783B498A}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\far cry 2\bin\fc2benchmarktool.exe |
"{BF019E08-5921-4036-9D03-B43654F97E58}" = protocol=6 | dir=out | app=system |
"{CA2C6F8B-16D3-4B14-96D9-7C820FC82589}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{CAB8E068-914D-4CEF-AB17-1B79135CFABD}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{D256079D-131F-43EA-82DC-8955A88E3FFB}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\mushy51\counter-strike\hl.exe |
"{D9742B93-F198-493C-8758-098FEFA6B768}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\far cry 2\bin\fc2serverlauncher.exe |
"{E184E35A-4AEF-4FE1-99A8-7022E74AA3A7}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{F9E55AC0-9C7D-487D-B1B8-1254404D25E8}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\far cry 2\bin\fc2benchmarktool.exe |
"{FFAF51EF-DE5D-4368-B5B4-3018A1D70FDB}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"TCP Query User{32721371-86CD-426C-8C50-272F5B8CB1DD}C:\program files\steam\steamapps\mushy51\team fortress classic\hl.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\mushy51\team fortress classic\hl.exe |
"TCP Query User{45987E59-808E-47E2-85F7-CB86EB4C1EAF}C:\program files\steam\steamapps\mushy51\half-life blue shift\hl.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\mushy51\half-life blue shift\hl.exe |
"TCP Query User{7A2D1ABD-B822-4DF0-A679-CA98E4E8D0B8}C:\program files\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"TCP Query User{86533452-D67A-4558-A40E-9026FB23DCCC}C:\program files\steam\steamapps\mushy51\counter-strike\hl.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\mushy51\counter-strike\hl.exe |
"TCP Query User{B0E87454-C71E-42B5-B419-BA8343C977A3}C:\program files\steam\steamapps\mushy51\day of defeat\hl.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\mushy51\day of defeat\hl.exe |
"TCP Query User{CC49F601-3AD5-4AF5-94B8-BA18BAE3E1FB}C:\program files\steam\steamapps\mushy51\half-life\hl.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\mushy51\half-life\hl.exe |
"TCP Query User{D176FAB1-4DED-4CB4-A051-45BE6CF4D849}C:\program files\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"TCP Query User{E0F63BAE-5084-4C76-B6DF-57116D9A0527}C:\program files\steam\steamapps\mushy51\opposing force\hl.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\mushy51\opposing force\hl.exe |
"TCP Query User{F4739F36-54D0-4110-964A-4CDA43036AEF}C:\program files\steam\steamapps\mushy51\ricochet\hl.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\mushy51\ricochet\hl.exe |
"UDP Query User{3469941D-A639-4B35-BBDE-FD0EAB678333}C:\program files\steam\steamapps\mushy51\half-life\hl.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\mushy51\half-life\hl.exe |
"UDP Query User{3AD7B8E8-D89F-409B-9078-9E45F30CDD8F}C:\program files\steam\steamapps\mushy51\team fortress classic\hl.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\mushy51\team fortress classic\hl.exe |
"UDP Query User{4F121D7B-864A-4755-B7DD-76DDB78458B5}C:\program files\steam\steamapps\mushy51\counter-strike\hl.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\mushy51\counter-strike\hl.exe |
"UDP Query User{4F8EED1F-371C-4E63-89AA-CE3B28F494CD}C:\program files\steam\steamapps\mushy51\day of defeat\hl.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\mushy51\day of defeat\hl.exe |
"UDP Query User{52A07F91-B954-42C5-95AB-E7B0F62C1026}C:\program files\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"UDP Query User{93B53C0E-2E30-4166-A9B9-A3AFFC929708}C:\program files\steam\steamapps\mushy51\ricochet\hl.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\mushy51\ricochet\hl.exe |
"UDP Query User{ADBE0C09-82F7-4AA8-BCC6-7FA984FF4570}C:\program files\steam\steamapps\mushy51\opposing force\hl.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\mushy51\opposing force\hl.exe |
"UDP Query User{C6A0DA55-64E1-4EB7-AA6A-BC2AF83CD4EF}C:\program files\steam\steamapps\mushy51\half-life blue shift\hl.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\mushy51\half-life blue shift\hl.exe |
"UDP Query User{EFD9AA84-4872-4589-8447-2BD036E6DFC7}C:\program files\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{11AFE21E-B193-430D-B57A-DFF7815BB962}" = Ulead PhotoImpact 12
"{135281A7-41FE-6F26-39F5-7293F8483A86}" = Catalyst Control Center InstallProxy
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{254DEDB1-5217-61E2-EF3C-C9828787F131}" = Catalyst Control Center Graphics Previews Common
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 18
"{2F1DF23C-87AF-0585-D1CF-7C08821227F1}" = CCC Help English
"{34AB2CEB-2221-DD43-85ED-5E3DEB16FAA9}" = Catalyst Control Center Core Implementation
"{35A9D14E-95B4-95C4-54E4-15F1F96309E3}" = Catalyst Control Center Graphics Full Existing
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{40738138-34A4-7712-6DA7-14E6C57DC7C0}" = ccc-utility
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{47948554-90C6-4AAC-8CFA-D23CE11C1033}" = Nero 8 Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}" = Junk Mail filter update
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{58B94766-15FC-4981-C513-4AF079EA649A}" = ccc-core-static
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{60EE17A0-83DB-FF42-9802-945DD31442A1}" = Catalyst Control Center HydraVision Full
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{800044FB-83FE-4AC9-4653-07C36EA99FE7}" = Catalyst Control Center Graphics Full New
"{862F113B-F914-4FCF-C254-C145B8815138}" = ATI Catalyst Install Manager
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9FE501EC-B1FC-A431-D175-56AAADE0D10E}" = Catalyst Control Center Graphics Light
"{A3AB35FA-943E-4799-99DC-46EFD59E998F}" = AMD USB Audio Driver Filter
"{A793EFFB-57E0-7B33-7A7F-E75D8F17F11A}" = Skins
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D417C96A-FCC7-4590-A1BB-FAF73F5BC98E}" = GTA San Andreas
"{E7006876-AAE7-1D93-5BAE-980020148184}" = Catalyst Control Center Graphics Previews Vista
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F439D7AF-03F3-4F8E-AEC4-571BFE977C61}" = iTunes
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"7-Zip" = 7-Zip 4.65
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"ASIO4ALL" = ASIO4ALL
"BullGuard" = BullGuard 7.0 for Vista
"Chatango" = Chatango Message Catcher
"Diablo II" = Diablo II
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"FL Studio 9" = FL Studio 9
"Free Audio CD Burner_is1" = Free Audio CD Burner version 1.2
"Free Studio_is1" = Free Studio version 4.2
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.2
"Google Chrome" = Google Chrome
"Google Desktop" = Google Desktop
"Hardcore" = Hardcore
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"IL Download Manager" = IL Download Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)
"PoiZone" = PoiZone
"PunkBusterSvc" = PunkBuster Services
"Sawer" = Sawer
"Steam App 10" = Counter-Strike
"Steam App 130" = Half-Life: Blue Shift
"Steam App 19900" = Far Cry 2
"Steam App 20" = Team Fortress Classic
"Steam App 30" = Day of Defeat
"Steam App 40" = Deathmatch Classic
"Steam App 50" = Half-Life: Opposing Force
"Steam App 60" = Ricochet
"Toxic Biohazard" = Toxic Biohazard
"Uninstall_is1" = Uninstall 1.0.0.1
"WinLiveSuite_Wave3" = Windows Live Essentials

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/4/2010 4:40:58 PM | Computer Name = Andrew-PC | Source = Application Hang | ID = 1002
Description = The program hl.exe version 1.1.1.1 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Problem Reports and Solutions control panel. Process
ID: 14bc Start Time: 01cabbdac24225a0 Termination Time: 268

Error - 3/5/2010 10:03:48 PM | Computer Name = Andrew-PC | Source = EventSystem | ID = 4621
Description =

Error - 3/5/2010 10:06:37 PM | Computer Name = Andrew-PC | Source = WinMgmt | ID = 10
Description =

Error - 3/6/2010 9:26:15 PM | Computer Name = Andrew-PC | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.1.3685, time stamp 0x4b68deea,
faulting module xul.dll, version 1.9.1.3685, time stamp 0x4b68ddb4, exception code
0xc0000005, fault offset 0x00092eaa, process id 0x10e4, application start time 0x01cabd9447f04aa0.

Error - 3/11/2010 2:18:59 AM | Computer Name = Andrew-PC | Source = EventSystem | ID = 4621
Description =

Error - 3/11/2010 12:51:50 PM | Computer Name = Andrew-PC | Source = WinMgmt | ID = 10
Description =

Error - 3/13/2010 7:11:03 PM | Computer Name = Andrew-PC | Source = Application Error | ID = 1000
Description = Faulting application javaw.exe, version 6.0.180.7, time stamp 0x4b2aa6d3,
faulting module java.dll, version 6.0.180.7, time stamp 0x4b2ad748, exception code
0xc0000005, fault offset 0x00004e46, process id 0x1688, application start time 0x01cac302724c89d0.

Error - 3/16/2010 4:03:41 PM | Computer Name = Andrew-PC | Source = Application Hang | ID = 1002
Description = The program hl.exe version 1.1.1.1 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Problem Reports and Solutions control panel. Process
ID: 14f0 Start Time: 01cac542ff26d990 Termination Time: 212

Error - 3/16/2010 5:45:10 PM | Computer Name = Andrew-PC | Source = Application Hang | ID = 1002
Description = The program hl.exe version 1.1.1.1 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Problem Reports and Solutions control panel. Process
ID: 148c Start Time: 01cac5511d54a5b0 Termination Time: 33

Error - 3/16/2010 5:48:17 PM | Computer Name = Andrew-PC | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 9/22/2009 9:05:24 PM | Computer Name = Andrew-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 9/22/2009 9:11:10 PM | Computer Name = Andrew-PC | Source = HTTP | ID = 15016
Description =

Error - 9/22/2009 9:12:35 PM | Computer Name = Andrew-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 9/23/2009 11:28:24 AM | Computer Name = Andrew-PC | Source = HTTP | ID = 15016
Description =

Error - 9/23/2009 11:29:50 AM | Computer Name = Andrew-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 9/23/2009 1:50:57 PM | Computer Name = Andrew-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 9/23/2009 1:53:55 PM | Computer Name = Andrew-PC | Source = BROWSER | ID = 8032
Description =

Error - 9/24/2009 11:31:43 AM | Computer Name = Andrew-PC | Source = HTTP | ID = 15016
Description =

Error - 9/24/2009 11:32:32 AM | Computer Name = Andrew-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 9/25/2009 11:09:25 AM | Computer Name = Andrew-PC | Source = Service Control Manager | ID = 7011
Description =


< End of report >

Re: Win32 Nuqel.e Banker Fox.a for Vista

Post by Belahzur on 6th May 2010, 9:22 pm

Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).

    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    [2010/05/05 11:38:46 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Local\rjjwxlkin

  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTL.exe.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Re: Win32 Nuqel.e Banker Fox.a for Vista

Post by Voosetick on 7th May 2010, 1:25 am

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
C:\Users\Andrew\AppData\Local\rjjwxlkin folder moved successfully.

OTL by OldTimer - Version 3.2.4.1 log created on 05062010_212403

Re: Win32 Nuqel.e Banker Fox.a for Vista

Post by Belahzur on 7th May 2010, 4:59 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: Win32 Nuqel.e Banker Fox.a for Vista

Post by Voosetick on 8th May 2010, 10:35 pm

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4052

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

5/8/2010 6:34:00 PM
mbam-log-2010-05-08 (18-34-00).txt

Scan type: Quick scan
Objects scanned: 115780
Time elapsed: 9 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Win32 Nuqel.e Banker Fox.a for Vista

Post by Belahzur on 8th May 2010, 11:26 pm

Hello.

I see that you are running µTorrent.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

  • Click Start >> Control Panel.
  • Under Programs, click Uninstall a Program.
  • Highlight the following:

    µTorrent
    Java(TM) 6 Update 18

  • Click on the Uninstall/Change button at the top.

Remove the Proxy setting in Internet Explorer and/or in FireFox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab -> LAN Settings > uncheck "use a proxy server", or reconfigure the proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"
  2. Click the Apply button and restart the computer in normal mode.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


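The proxy step above is done by clicking through Internet Options; the same setting lives in the registry, which is also where rogue software writes it. An added script, not from the thread, that reports the current user's WinINET proxy configuration (the values behind the "use a proxy server" checkbox and the automatic configuration script) and, if Firefox is installed, lists any proxy preferences in its profiles. It is read-only unless run with -Clear. The registry key and value names are the standard Internet Settings ones; the Firefox profile location under %APPDATA% is an assumption about a default install:

```powershell
# Added example, not from the thread: report (and optionally clear) the per-user
# proxy settings that Internet Explorer reads from the registry, and list Firefox
# proxy preferences. Save as Check-Proxy.ps1 and run it from a PowerShell prompt.
param([switch]$Clear)

$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-WinInetProxy {
    $p = Get-ItemProperty -Path $inetKey
    [pscustomobject]@{
        ProxyEnable   = [int]$p.ProxyEnable     # 1 = "use a proxy server" is ticked
        ProxyServer   = $p.ProxyServer          # host:port, or per-protocol list
        ProxyOverride = $p.ProxyOverride        # bypass list
        AutoConfigURL = $p.AutoConfigURL        # PAC script URL: another way to redirect traffic
    }
}

function Get-FirefoxProxyPrefs {
    # Firefox keeps its proxy choice in prefs.js as user_pref("network.proxy.*", ...).
    # Profile location below assumes a default per-user install (assumption).
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profiles)) { return @() }
    Get-ChildItem -Path $profiles -Filter prefs.js -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern 'network\.proxy\.' |
        ForEach-Object { "$($_.Filename): $($_.Line.Trim())" }
}

'--- Internet Explorer / WinINET (HKCU) ---'
$before = Get-WinInetProxy
$before | Format-List

'--- Firefox prefs.js ---'
$ff = Get-FirefoxProxyPrefs
if ($ff) { $ff } else { '(no proxy preferences found)' }

# A proxy or PAC script that you did not configure yourself, especially one pointing at
# localhost or an unfamiliar host, means something else is in the path of your browsing.
if ($before.ProxyEnable -eq 1 -or $before.AutoConfigURL) {
    Write-Warning 'A proxy or automatic configuration script is set for this user.'
    if ($Clear) {
        Set-ItemProperty   -Path $inetKey -Name ProxyEnable   -Value 0
        Remove-ItemProperty -Path $inetKey -Name ProxyServer   -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $inetKey -Name AutoConfigURL -ErrorAction SilentlyContinue
        '--- After clearing ---'
        Get-WinInetProxy | Format-List
    }
}
```

Internet Explorer picks the registry change up the next time it starts, so close and reopen the browser after running with -Clear. Firefox prefs are only listed, not edited; change those through Options as described above, with Firefox closed.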

Re: Win32 Nuqel.e Banker Fox.a for Vista

Post by Voosetick on 9th May 2010, 6:21 am

Yep, I completely got the virus from downloading a file using µTorrent.
For some reason when I click on the ESET scanner link I keep getting:
Invalid URL
The requested URL "/onlinescan/", is invalid.

Reference #9.1fe0d748.1273385854.4ea09af1

but...... I got it to open like 2 minutes before and now somehow it's not working? Do you think they would be doing maintenance? It is kinda late here, 2:18am Eastern US. Either way I will try tomorrow. You're so helpful and it's really amazing you keep up with so many people and continue to help me out.


Re: Win32 Nuqel.e Banker Fox.a for Vista

Post by Belahzur on 9th May 2010, 2:42 pm

Please use the Internet Explorer browser, and do an online scan with [You must be registered and logged in to see this link.]

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

    **Note**

    To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

