GeekPolice

Fake Anti Virus

Post by TheBlackScepter on Sat May 15, 2010 11:45 am

My computer, a Windows Vista, got infected with a virus that seems to block programs from accessing, saying that the object is infected and wants to initiate my antivirus software. This also blocks anti virus programs. It will even pop up windows of porn sites. Now, I restarted my computer and was able to activate AntiMalware Bytes, it scanned, and picked up one infection. I removed it, but it still seems to be there. Funnily, the virus will not block my Avast antivirus software and it has eliminated some infections too.

Am I doing the right thing? Is there a better way to eliminate it? I have school papers due in a few days, so I wanna have this issue resolved quickly if possible. My girlfriend recommended you guys, so I could really use some help.

Re: Fake Anti Virus

Post by TheBlackScepter on Sat May 15, 2010 4:43 pm

The virus seems to be some form of the Antispyware Soft program, as it is the 'anti-virus' program they want me to run to 'get rid of' the problems. The viruses it claims to read are "win32, Nugel.E, and Banker Fox.A".

Re: Fake Anti Virus

Post by Belahzur on Sat May 15, 2010 9:07 pm

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


Re: Fake Anti Virus

Post by TheBlackScepter on Sat May 15, 2010 10:06 pm

Here is the data

OTL logfile created on: 5/15/2010 5:55:13 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\Nick F\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 53.00% Memory free
6.00 Gb Paging File | 4.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 139.23 Gb Total Space | 61.81 Gb Free Space | 44.39% Space Free | Partition Type: NTFS
Drive D: | 9.81 Gb Total Space | 1.68 Gb Free Space | 17.10% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NICKF-PC
Current User Name: Nick F
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/15 17:43:59 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\Nick F\Downloads\OTL.exe
PRC - [2010/04/20 23:24:01 | 002,064,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/04/20 23:23:58 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/04/03 12:04:10 | 000,319,792 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe
PRC - [2010/04/01 10:08:24 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2010/03/14 09:11:34 | 000,508,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/03/14 09:11:29 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/03/14 09:09:50 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/03/14 09:09:49 | 000,710,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/11/10 16:39:26 | 005,244,216 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
PRC - [2009/09/28 10:05:10 | 000,240,976 | ---- | M] (Microsoft Corp.) -- C:\Program Files\MSN Toolbar\Platform\4.0.0316.3\mswinext.exe
PRC - [2009/08/18 11:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
PRC - [2009/08/18 11:29:22 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
PRC - [2009/08/07 17:15:06 | 000,242,048 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/07/17 11:12:14 | 000,288,080 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
PRC - [2009/07/09 13:07:14 | 000,049,968 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aim6.exe
PRC - [2009/04/10 23:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2009/02/26 15:24:50 | 000,097,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
PRC - [2009/02/25 14:26:00 | 000,037,888 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2009/02/05 13:08:45 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/02/05 13:08:40 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/02/05 13:08:26 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/02/05 13:06:04 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/02/05 13:01:25 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/11/06 15:22:18 | 000,266,240 | ---- | M] () -- C:\Program Files\HP\Button Manager\BM.exe
PRC - [2008/11/06 10:33:00 | 000,041,264 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aolsoftware.exe
PRC - [2008/10/15 01:04:34 | 000,039,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
PRC - [2008/06/16 08:03:20 | 000,075,008 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
PRC - [2008/05/21 14:33:32 | 000,530,944 | ---- | M] (ArcSoft, Inc.) -- C:\Program Files\ArcSoft\Magic-i 3\Magic-i.exe
PRC - [2008/04/25 16:15:26 | 000,361,808 | ---- | M] () -- C:\WINDOWS\SMINST\BLService.exe
PRC - [2008/01/20 19:23:32 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2007/12/14 16:58:30 | 000,241,664 | ---- | M] () -- C:\Program Files\Philips\Philips SPC230NC Webcam\TrayMin230.exe
PRC - [2007/12/14 09:39:22 | 000,455,336 | ---- | M] () -- C:\Program Files\Lexmark 5000 Series\lxdmmon.exe
PRC - [2007/12/14 09:39:19 | 000,025,256 | ---- | M] () -- C:\Program Files\Lexmark 5000 Series\lxdmamon.exe
PRC - [2007/12/10 15:55:26 | 000,323,584 | ---- | M] (PixArt Imaging Incorporation) -- C:\WINDOWS\Philips\SPC230NC\Monitor.exe
PRC - [2007/12/07 07:37:36 | 000,598,696 | ---- | M] ( ) -- C:\WINDOWS\System32\lxdmcoms.exe
PRC - [2007/03/14 15:42:48 | 000,321,088 | ---- | M] (Pure Networks, Inc.) -- C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
PRC - [2007/03/14 15:42:48 | 000,321,088 | ---- | M] (Pure Networks, Inc.) -- C:\Program Files\Pure Networks\Network Magic\nmapp.exe
PRC - [2007/01/04 14:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/11/13 15:02:08 | 000,076,544 | ---- | M] (ArcSoft, Inc.) -- C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe


========== Modules (SafeList) ==========

MOD - [2010/05/15 17:43:59 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\Nick F\Downloads\OTL.exe
MOD - [2010/03/14 09:11:33 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
MOD - [2009/04/10 23:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2008/01/20 19:24:37 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2010/03/14 09:11:29 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/03/14 09:09:50 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2009/09/24 18:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\FntCache.dll -- (FontCache)
SRV - [2009/08/18 11:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2009/08/07 17:15:06 | 000,242,048 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/02/05 13:08:40 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/02/05 13:08:26 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/02/05 13:06:04 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/02/05 13:01:25 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/04/25 16:15:26 | 000,361,808 | ---- | M] () [Auto | Running] -- C:\WINDOWS\SMINST\BLService.exe -- (Recovery Service for Windows)
SRV - [2008/01/20 19:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/07 07:37:36 | 000,598,696 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxdmcoms.exe -- (lxdm_device)
SRV - [2007/12/07 07:37:27 | 000,098,984 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\spool\DRIVERS\W32X86\3\\lxdmserv.exe -- (lxdmCATSCustConnectService)
SRV - [2007/03/14 15:42:48 | 000,321,088 | ---- | M] (Pure Networks, Inc.) [Auto | Running] -- C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe -- (nmservice)
SRV - [2007/03/14 15:42:22 | 000,012,800 | ---- | M] (Pure Networks, Inc.) [On_Demand | Stopped] -- C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe -- (nmraapache)
SRV - [2007/01/04 14:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/11/13 15:02:08 | 000,076,544 | ---- | M] (ArcSoft, Inc.) [Auto | Running] -- C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe -- (MgiSvr)


========== Driver Services (SafeList) ==========

DRV - [2010/04/20 23:23:59 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/03/14 09:11:33 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/03/14 09:09:49 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/07/23 21:01:00 | 009,791,072 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009/04/10 21:42:54 | 000,073,216 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2009/02/05 13:07:23 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/02/05 13:07:12 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/02/05 13:06:59 | 000,051,792 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2009/02/05 13:06:20 | 000,051,376 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/02/05 13:06:10 | 000,023,152 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2008/05/03 05:39:00 | 000,042,528 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\nvhda32v.sys -- (NVHDA)
DRV - [2008/04/27 12:07:44 | 000,909,824 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\athr.sys -- (athr)
DRV - [2008/04/24 15:51:46 | 000,014,848 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2008/04/17 11:05:16 | 000,199,344 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2008/04/17 07:07:46 | 000,203,776 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2008/01/29 06:55:00 | 001,042,464 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/01/20 19:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/20 19:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/20 19:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/20 19:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/20 19:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/20 19:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/20 19:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/20 19:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/20 19:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/20 19:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
DRV - [2008/01/20 19:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/20 19:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/20 19:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/20 19:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/20 19:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/20 19:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/20 19:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/20 19:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/20 19:23:22 | 000,200,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\VSTAZL3.SYS -- (HSFHWAZL)
DRV - [2008/01/20 19:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/20 19:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/20 19:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/20 19:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/20 19:23:00 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/20 19:23:00 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/20 19:23:00 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/12/31 16:19:50 | 000,461,056 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\SPC230NC.SYS -- (SPC230NC)
DRV - [2007/10/31 18:51:26 | 000,985,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2007/10/31 18:47:54 | 000,208,896 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2007/10/31 18:47:08 | 000,661,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2007/10/17 16:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/09/26 14:28:46 | 000,008,576 | ---- | M] (PixArt Imaging Incorporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\PAEAFLT.sys -- (PAEAFLT.sys)
DRV - [2007/07/11 10:30:22 | 000,007,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\HpqRemHid.sys -- (HpqRemHid)
DRV - [2007/07/02 16:08:14 | 000,017,664 | ---- | M] (ArcSoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\ArcSoftVirtualCapture.sys -- (ARCSOFTVIRTUALCAPTURE)
DRV - [2007/06/18 17:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2007/03/23 11:01:12 | 000,025,792 | ---- | M] (Pure Networks, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\pnarp.sys -- (pnarp)
DRV - [2006/11/10 16:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\afc.sys -- (Afc)
DRV - [2006/11/02 02:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 02:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 02:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 02:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 02:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 02:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 02:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 02:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 02:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 02:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 02:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 01:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 01:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 01:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 01:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 01:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 01:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 00:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 00:30:53 | 000,464,384 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\BCMWL6.SYS -- (BCM43XV)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKLM\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.cscc.edu/"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.5.3
FF - prefs.js..extensions.enabledItems: {27182e60-b5f3-411c-b545-b44205977502}:1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313


FF - HKLM\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2009/10/09 23:15:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/01/16 23:27:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/04 09:23:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/04 09:23:42 | 000,000,000 | ---D | M]

[2010/04/02 19:54:03 | 000,000,000 | ---D | M] -- C:\Users\Nick F\AppData\Roaming\Mozilla\Extensions
[2010/04/02 19:54:03 | 000,000,000 | ---D | M] -- C:\Users\Nick F\AppData\Roaming\Mozilla\Extensions\celtx@celtx.com
[2010/05/14 14:07:02 | 000,000,000 | ---D | M] -- C:\Users\Nick F\AppData\Roaming\Mozilla\Firefox\Profiles\l4fjkkx4.default\extensions
[2010/04/27 21:36:32 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Nick F\AppData\Roaming\Mozilla\Firefox\Profiles\l4fjkkx4.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/18 17:01:12 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Nick F\AppData\Roaming\Mozilla\Firefox\Profiles\l4fjkkx4.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/04/27 21:36:32 | 000,000,000 | ---D | M] -- C:\Users\Nick F\AppData\Roaming\Mozilla\Firefox\Profiles\l4fjkkx4.default\extensions\personas@christopher.beard
[2010/03/03 16:18:30 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2006/09/18 14:41:30 | 000,000,761 | ---- | M]) - C:\WINDOWS\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (AIM Toolbar Loader) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O2 - BHO: (MSN Toolbar BHO) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0316.3\npwinext.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll (Yahoo! Inc)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (AIM Toolbar) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0316.3\npwinext.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (AIM Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [Lexmark 5000 Series Fax Server] C:\Program Files\Lexmark 5000 Series\fm3032.exe ()
O4 - HKLM..\Run: [lxdmamon] C:\Program Files\Lexmark 5000 Series\lxdmamon.exe ()
O4 - HKLM..\Run: [lxdmmon.exe] C:\Program Files\Lexmark 5000 Series\lxdmmon.exe ()
O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MSN Toolbar] C:\Program Files\MSN Toolbar\Platform\4.0.0316.3\mswinext.exe (Microsoft Corp.)
O4 - HKLM..\Run: [nmapp] C:\Program Files\Pure Networks\Network Magic\nmapp.exe (Pure Networks, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SPC_Monitor] C:\WINDOWS\Philips\SPC230NC\Monitor.exe (PixArt Imaging Incorporation)
O4 - HKLM..\Run: [SPC230NC_Monitor] C:\WINDOWS\Philips\SPC230NC\Monitor.exe (PixArt Imaging Incorporation)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe (AOL LLC)
O4 - HKCU..\Run: [close delete] C:\ProgramData\Burn Deaf Deaf.qfc File not found
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [tgiuxtca] C:\Users\Nick F\AppData\Local\kkdwqrlei\lmdjtdatssd.exe ()
O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - HKCU..\Run: [way math bike enc] C:\ProgramData\funk jugs option.ubu File not found
O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - Startup: C:\Users\Nick F\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O8 - Extra context menu item: &AIM Toolbar Search - C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\local\search.html ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp3.dll (Pure Networks, Inc.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Nick F\AppData\Roaming\Microsoft\Windows Live Photo Gallery\Windows Live Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Nick F\AppData\Roaming\Microsoft\Windows Live Photo Gallery\Windows Live Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/06/24 23:20:48 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{68d6e2fa-432d-11de-bbc3-001f1645c259}\Shell - "" = AutoRun
O33 - MountPoints2\{68d6e2fa-432d-11de-bbc3-001f1645c259}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/15 00:01:54 | 000,000,000 | ---D | C] -- C:\Users\Nick F\AppData\Local\kkdwqrlei
[2010/05/03 15:45:57 | 000,000,000 | ---D | C] -- C:\Users\Nick F\AppData\Roaming\Real
[2009/12/27 23:18:07 | 000,434,176 | ---- | C] ( ) -- C:\Windows\System32\lxdmhcp.dll
[2009/12/27 23:18:07 | 000,356,352 | ---- | C] ( ) -- C:\Windows\System32\lxdminpa.dll
[2009/12/27 23:18:06 | 000,950,272 | ---- | C] ( ) -- C:\Windows\System32\lxdmusb1.dll
[2009/12/27 23:18:06 | 000,339,968 | ---- | C] ( ) -- C:\Windows\System32\lxdmiesc.dll
[2009/12/27 23:18:05 | 001,200,128 | ---- | C] ( ) -- C:\Windows\System32\lxdmserv.dll
[2009/12/27 23:18:05 | 000,647,168 | ---- | C] ( ) -- C:\Windows\System32\lxdmpmui.dll
[2009/12/27 23:18:05 | 000,053,248 | ---- | C] ( ) -- C:\Windows\System32\lxdmprox.dll
[2009/12/27 23:18:04 | 000,565,248 | ---- | C] ( ) -- C:\Windows\System32\lxdmlmpm.dll
[2009/12/27 23:18:02 | 000,663,552 | ---- | C] ( ) -- C:\Windows\System32\lxdmhbn3.dll
[2009/12/27 23:17:59 | 000,860,160 | ---- | C] ( ) -- C:\Windows\System32\lxdmcomc.dll
[2009/12/27 23:17:59 | 000,364,544 | ---- | C] ( ) -- C:\Windows\System32\lxdmcomm.dll

========== Files - Modified Within 30 Days ==========

[2010/05/15 17:56:05 | 003,145,728 | -HS- | M] () -- C:\Users\Nick F\ntuser.dat
[2010/05/15 17:54:06 | 000,000,246 | ---- | M] () -- C:\Users\Public\Documents\hpqp.ini
[2010/05/15 17:52:35 | 000,031,966 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/05/15 17:52:26 | 000,031,966 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/05/15 17:52:25 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/15 17:52:13 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/15 17:52:12 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/15 17:51:59 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/15 17:51:53 | 2951,020,544 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/15 17:50:27 | 000,524,288 | -HS- | M] () -- C:\Users\Nick F\ntuser.dat{9abde0d2-8786-11de-b2b5-001f1645c259}.TMContainer00000000000000000001.regtrans-ms
[2010/05/15 17:50:27 | 000,065,536 | -HS- | M] () -- C:\Users\Nick F\ntuser.dat{9abde0d2-8786-11de-b2b5-001f1645c259}.TM.blf
[2010/05/15 17:49:50 | 060,032,049 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2010/05/15 17:49:24 | 003,791,406 | -H-- | M] () -- C:\Users\Nick F\AppData\Local\IconCache.db
[2010/05/15 17:48:24 | 000,000,512 | ---- | M] () -- C:\Users\Nick F\Desktop\OTL - Shortcut.lnk
[2010/05/14 23:39:49 | 000,011,483 | ---- | M] () -- C:\Users\Nick F\Documents\Super Smash Bros1.celtx
[2010/05/12 15:41:33 | 000,037,472 | ---- | M] () -- C:\Users\Nick F\AppData\Roaming\wklnhst.dat
[2010/05/12 07:40:47 | 000,000,326 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForNick F.job
[2010/05/07 15:34:13 | 000,002,671 | ---- | M] () -- C:\Users\Nick F\Desktop\Character Creation Utility.lnk
[2010/05/01 22:01:14 | 000,000,680 | ---- | M] () -- C:\Users\Nick F\AppData\Local\d3d9caps.dat
[2010/04/30 08:29:35 | 000,008,409 | ---- | M] () -- C:\Users\Nick F\Documents\LOG SAVER.odt
[2010/04/28 21:53:33 | 000,331,776 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/04/21 11:39:50 | 000,017,368 | ---- | M] () -- C:\Users\Nick F\Documents\Cutscene~Echoes of Soleanna Intro.rtf
[2010/04/21 11:39:24 | 000,023,261 | ---- | M] () -- C:\Users\Nick F\Documents\Cutscene~Echoes of Soleanna Intro.odt
[2010/04/20 23:23:59 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgtdix.sys
[2010/04/18 09:43:20 | 000,015,344 | ---- | M] () -- C:\Users\Nick F\Documents\Guardians MOVIE.celtx
[2010/04/18 00:58:29 | 000,062,464 | ---- | M] () -- C:\Users\Nick F\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Files Created - No Company Name ==========

[2010/05/15 17:48:24 | 000,000,512 | ---- | C] () -- C:\Users\Nick F\Desktop\OTL - Shortcut.lnk
[2010/05/14 23:39:49 | 000,011,483 | ---- | C] () -- C:\Users\Nick F\Documents\Super Smash Bros1.celtx
[2010/04/21 11:32:52 | 000,017,368 | ---- | C] () -- C:\Users\Nick F\Documents\Cutscene~Echoes of Soleanna Intro.rtf
[2010/04/21 04:19:32 | 000,023,261 | ---- | C] () -- C:\Users\Nick F\Documents\Cutscene~Echoes of Soleanna Intro.odt
[2010/04/18 09:43:19 | 000,015,344 | ---- | C] () -- C:\Users\Nick F\Documents\Guardians MOVIE.celtx
[2009/12/27 23:25:39 | 000,348,160 | ---- | C] () -- C:\Windows\System32\lxdmcoin.dll
[2009/12/27 23:22:07 | 000,045,056 | ---- | C] () -- C:\Windows\System32\LXDMPMON.DLL
[2009/12/27 23:22:07 | 000,032,768 | ---- | C] () -- C:\Windows\System32\LXDMFXPU.DLL
[2009/12/27 23:21:47 | 000,069,632 | ---- | C] () -- C:\Windows\System32\lxdmoem.dll
[2009/12/27 23:18:23 | 000,000,060 | -H-- | C] () -- C:\Windows\System32\lxdmrwrd.ini
[2009/12/27 23:18:08 | 000,348,160 | ---- | C] () -- C:\Windows\System32\lxdminst.dll
[2009/12/27 23:18:02 | 000,208,896 | ---- | C] () -- C:\Windows\System32\lxdmgrd.dll
[2009/10/22 10:24:51 | 000,178,176 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2009/10/22 10:24:50 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
[2009/10/22 10:24:44 | 000,881,664 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/10/22 10:24:43 | 000,205,824 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/10/22 10:24:42 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2009/10/22 10:24:38 | 000,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest
[2009/10/22 10:24:37 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/09/24 13:12:48 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/09/17 15:11:47 | 000,000,021 | ---- | C] () -- C:\Windows\atid.ini
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/08 12:35:32 | 000,000,842 | ---- | C] () -- C:\Windows\System32\SPC230NC.INI
[2007/05/22 15:59:37 | 000,692,224 | ---- | C] () -- C:\Windows\System32\lxdmdrs.dll
[2007/05/22 07:10:11 | 000,065,536 | ---- | C] () -- C:\Windows\System32\lxdmcaps.dll
[2007/04/17 07:17:05 | 000,069,632 | ---- | C] () -- C:\Windows\System32\lxdmcnv4.dll
[2006/11/02 05:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 00:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/07/31 22:53:18 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxdmvs.dll
[2006/03/09 02:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 487 bytes -> C:\ProgramData\TEMP:05EE1EEF
< End of report >

TheBlackScepter
Intermediate

Posts : 117
Joined : 2010-05-15
OS : Windows Vista
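The O4 (Run key) section of the log above is where the rogue persistence shows itself: two HKCU entries with nonsense names point at files that no longer exist, and a third launches an .exe with no company information out of a randomly named folder under the user's AppData. The script below is an added example, not part of the poster's log and not a feature of OTL; it parses O4 lines of this format and applies the same triage rules a helper applies by eye. The sample lines are copied from the log above (a subset, for illustration); the two flagging rules and the "user-writable directory" pattern are my assumptions, not something OTL or the thread states.

```python
"""Triage the O4 (autorun) lines of an OTL log for likely rogue persistence.

Added example; not part of the original forum post and not OTL's own code.
Two conditions flag an entry on their own (both are assumptions of this
example, chosen to match what a helper looks for when reading such a log):
  1. the Run target no longer exists ("File not found"), and
  2. a binary with no company/version info is launched from a directory a
     standard user can write to (the profile's AppData or C:\\ProgramData).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample O4 lines copied from the OTL log posted above (a subset, for illustration).
SAMPLE_O4_LINES = r"""
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKCU..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe (AOL LLC)
O4 - HKCU..\Run: [close delete] C:\ProgramData\Burn Deaf Deaf.qfc File not found
O4 - HKCU..\Run: [tgiuxtca] C:\Users\Nick F\AppData\Local\kkdwqrlei\lmdjtdatssd.exe ()
O4 - HKCU..\Run: [way math bike enc] C:\ProgramData\funk jugs option.ubu File not found
O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
"""

# OTL O4 format: "O4 - <hive>..\Run: [<name>] <path> (<company>)" or
# "... <path> File not found" when the target is gone.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<path>.+?)"
    r"(?: \((?P<company>[^()]*)\))?"
    r"(?P<missing> File not found)?$"
)

# Locations a standard user can write to without elevation (assumption of
# this example): the user's own AppData tree and C:\ProgramData.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\", re.I)


@dataclass
class AutorunEntry:
    hive: str
    name: str
    path: str
    company: Optional[str]  # None when OTL printed "()" or no parenthesis at all
    missing: bool
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_o4_line(line: str) -> Optional[AutorunEntry]:
    """Return an AutorunEntry for an O4 Run line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    company = m.group("company")
    return AutorunEntry(
        hive=m.group("hive"),
        name=m.group("name"),
        path=m.group("path"),
        company=company if company else None,
        missing=m.group("missing") is not None,
    )


def assess(entry: AutorunEntry) -> AutorunEntry:
    """Attach triage reasons to an entry; an entry with no reasons is left alone."""
    if entry.missing:
        entry.reasons.append("target no longer exists (dangling autorun left by a dropper or a partial removal)")
    elif USER_WRITABLE.search(entry.path) and not entry.company:
        entry.reasons.append("binary without company/version info launched from a user-writable directory")
        if entry.hive == "HKCU":
            entry.reasons.append("persisted via HKCU\\...\\Run, which needs no elevation to write")
    return entry


def triage(log_text: str) -> List[AutorunEntry]:
    """Parse every O4 line in the log text and assess each one."""
    entries = [e for e in map(parse_o4_line, log_text.splitlines()) if e is not None]
    return [assess(e) for e in entries]


def suspicious_names(log_text: str) -> List[str]:
    """Names of the Run entries that trip at least one rule, in log order."""
    return [e.name for e in triage(log_text) if e.suspicious]


if __name__ == "__main__":
    for e in triage(SAMPLE_O4_LINES):
        mark = "!!" if e.suspicious else "  "
        print(f"{mark} {e.hive} [{e.name}] {e.path}")
        for r in e.reasons:
            print(f"      - {r}")
```

Run against the sample, the script flags exactly the three HKCU entries a helper would single out from this log ("close delete", "tgiuxtca", "way math bike enc") and leaves the Program Files and System32 autoruns alone, including WinampAgent, which also has an empty company field but lives in a directory a standard user cannot write to. It is a triage aid, not a verdict: an entry it flags still needs the file itself looked at, and an entry it passes is not thereby clean.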

Re: Fake Anti Virus

Post by TheBlackScepter on Sat May 15, 2010 10:06 pm

OTL Extras logfile created on: 5/15/2010 5:55:13 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\Nick F\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 53.00% Memory free
6.00 Gb Paging File | 4.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 139.23 Gb Total Space | 61.81 Gb Free Space | 44.39% Space Free | Partition Type: NTFS
Drive D: | 9.81 Gb Total Space | 1.68 Gb Free Space | 17.10% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NICKF-PC
Current User Name: Nick F
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UacDisableNotify" = 0
"InternetSettingsDisableNotify" = 0
"AutoUpdateDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{11EA80CF-0B0D-49A8-959D-EFF5E7248766}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{1B645610-E7EC-43A9-A627-065E5A7C79A5}" = lport=67 | protocol=17 | dir=in | name=dhcp discovery service |
"{2B962293-9744-4283-9D55-30ABC0D8A08E}" = rport=137 | protocol=17 | dir=out | app=system |
"{456D2967-2FDD-4095-89CD-7F9F0AE7E6F2}" = rport=138 | protocol=17 | dir=out | app=system |
"{51314FBC-09BF-41C4-9B92-94B86E57E0A8}" = lport=138 | protocol=17 | dir=in | app=system |
"{644DED8B-403A-4DE3-9944-49E6B97E02F4}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{65B8C994-50D4-4430-AB62-61C9AA71EDAA}" = lport=6182 | protocol=17 | dir=in | name=miri |
"{6BD169A3-F712-4138-9ECB-632B5E3E1C06}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{7DEF0628-0BB4-4306-9EB8-F898FEC7F14C}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{965ED3CA-8A34-432A-A3D7-7088F005C558}" = lport=67 | protocol=17 | dir=in | name=dhcp discovery service |
"{9EEC9DBE-C96B-41CD-B956-24655D200993}" = rport=445 | protocol=6 | dir=out | app=system |
"{A2DBA84D-1022-46F3-A149-B7358BB20BDC}" = lport=137 | protocol=17 | dir=in | app=system |
"{AAA9A975-880E-41A1-A7E6-E118CE616C08}" = lport=445 | protocol=6 | dir=in | app=system |
"{CD126F8A-6ADA-4924-B17B-01334A84E90D}" = lport=2869 | protocol=6 | dir=in | app=system |
"{DE706A68-0A6C-4CC2-9A43-80FB010D1E16}" = lport=139 | protocol=6 | dir=in | app=system |
"{F0BB74BE-80F7-4354-A73F-AEA43BEA3C3F}" = rport=139 | protocol=6 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0685ED02-714B-4033-8981-1129968FE43B}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{0A41CA73-3E00-4A89-B97E-92CCB6751B3D}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{0E637ABF-C427-44A5-8BFC-95F47862C70C}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{114E9D26-CD1D-4D07-AE43-A8F25536BBFE}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{11D9147F-A6E9-4BD9-9C6C-D5D0F583CC2E}" = dir=in | app=c:\program files\common files\hp\digital imaging\bin\hpqphotocrm.exe |
"{1378A3D2-157A-46A2-8CE7-DCE7CC4062FF}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |
"{1BFB6D00-29E4-4186-B18A-1E915BAC37D4}" = protocol=17 | dir=in | app=c:\program files\lexmark 5000 series\lxdmfax.exe |
"{2A862BF3-90A8-4314-AC6E-6A3A1C931A2D}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{309AD940-59E0-44BB-9748-636ED3DDAF54}" = protocol=17 | dir=in | app=c:\program files\lexmark 5000 series\lxdmmon.exe |
"{3238950B-A61F-4E1B-86FF-EF3C323F0208}" = dir=in | app=c:\program files\avg\avg8\avgnsx.exe |
"{34141166-ECF9-4A77-AC84-31292729B403}" = protocol=6 | dir=in | app=c:\program files\lexmark 5000 series\frun.exe |
"{3B2BDC59-02DF-48EC-A223-2A0826C91E7F}" = protocol=6 | dir=in | app=c:\program files\lexmark 5000 series\lxdmfax.exe |
"{3BC569BB-E319-40DC-910E-A0F78C078787}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{3E659E5F-BE1A-45E9-A8A8-641CFBD1A99E}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{41A19507-B05B-4E11-82E8-EDD49F8D3455}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqsudi.exe |
"{43502D9C-7C43-4A3E-B868-A61335224167}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpse.exe |
"{48C8FAFD-5FA5-4453-828D-46D53937F4DC}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{4C7E3AB7-4DAA-4934-BF2C-2F7DC2253A0F}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdmpswx.exe |
"{50A14F53-C095-4B30-84BD-DE7D6B96906B}" = protocol=6 | dir=in | app=c:\program files\pure networks\network magic\nmsrvc.exe |
"{511FF2B7-BBAA-4B55-8D78-8ABC863C13BC}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{51A7D2AD-81F2-45D8-BFB2-A9A3BF826F81}" = dir=in | app=c:\program files\avg\avg8\avgupd.exe |
"{52006E0B-7A28-446A-AA76-66BD29705837}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{567C74A9-E306-4E6F-AFF1-6D342937DEE3}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpsapp.exe |
"{58FA51C8-7556-479E-AC78-D4BDC2CA4286}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{594B66DA-4A7B-4E91-990E-AA2D9D1BBBD1}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{5E40EE8F-3D48-431F-B53F-63F2AB05762D}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{61F37CC8-9338-4592-99C1-AE113615825B}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdmpswx.exe |
"{66962F71-F57D-4045-A140-13F748A868A5}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{6804F69F-EEDC-4F76-8A7A-9606155DA6F8}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{6C3E3196-48B5-4DE5-AC1E-9A1AA8A97370}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{78946C39-7433-4430-8B05-9EAF59BB895A}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{7B31993C-7345-4C38-92A8-6325CEB10AE4}" = protocol=17 | dir=in | app=c:\program files\lexmark 5000 series\lxdmamon.exe |
"{7F4D8051-C7E3-4DF6-9C37-B8335F4705C5}" = protocol=17 | dir=in | app=c:\program files\pure networks\network magic\nmsrvc.exe |
"{8D1FF389-46BC-4504-860F-ED36C290DF72}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{8FEBE8B0-8C5A-4E56-B24F-69224D01FB84}" = protocol=17 | dir=in | app=c:\program files\aim6\aim6.exe |
"{902C1511-41EA-4F94-8EAA-2178A9826391}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{99750CE0-318F-482D-B432-79312FD1FE72}" = protocol=6 | dir=in | app=c:\program files\lexmark 5000 series\lxdmmon.exe |
"{9A6803D7-5B01-4801-9146-A17B554A482F}" = dir=in | app=c:\program files\avg\avg8\avgemc.exe |
"{9C5523DF-532E-43BD-B20D-5E0C17414C39}" = protocol=6 | dir=in | app=c:\program files\lexmark 5000 series\lxdmamon.exe |
"{A31BCDF5-4256-4A9B-8BFA-EAE125E49A68}" = dir=in | app=c:\program files\hp\digital imaging\smart web printing\smartwebprintexe.exe |
"{A8EEE264-26EF-4A2A-B65F-16FD45A18992}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{AD2E9C17-3034-47E3-AD6B-7A2A46F573E0}" = protocol=17 | dir=in | app=c:\program files\lexmark 5000 series\frun.exe |
"{ADA792BB-98B8-4036-8044-3B9513557D6A}" = dir=in | app=c:\program files\hp\quickplay\qpservice.exe |
"{B0C72387-179A-4CC3-A0F1-C2FBAE03795B}" = dir=in | app=c:\program files\hp\quickplay\qp.exe |
"{B24925A0-4EB7-40E2-8EDD-A3B9A5D0C849}" = protocol=6 | dir=in | app=c:\program files\aim6\aim6.exe |
"{BDB2C357-6A1C-4EB4-AAE9-EC3793B757B5}" = protocol=6 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{C8975BEB-F69D-4B28-B5C3-898D76F32385}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{CCA1AF45-A0AA-46CD-AEB1-A60D9345B758}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{D136F867-9CB9-408C-B1C4-A59AC652FDDD}" = protocol=17 | dir=in | app=c:\windows\system32\lxdmcoms.exe |
"{D5CB56C2-FDC3-4F28-9ADB-D5B622DE74DB}" = dir=in | app=c:\program files\hp\hp software update\hpwucli.exe |
"{DA200504-B81E-4025-97C3-19D9D14D0002}" = protocol=6 | dir=in | app=c:\windows\system32\lxdmcoms.exe |
"{F02B4A96-DE85-4E20-8C1D-D596A99A15A5}" = protocol=17 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{F62D5B55-BBCB-48B8-BDD1-4FDB0EC0EEB7}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"TCP Query User{47FAD432-EEF9-40E3-9C45-20ED28E3239C}C:\program files\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"TCP Query User{AED22BF7-825A-49F1-B5D5-7D4229FFB9E7}C:\program files\philips\intelligent agent\philips intelligent agent.exe" = protocol=6 | dir=in | app=c:\program files\philips\intelligent agent\philips intelligent agent.exe |
"TCP Query User{B3493865-87B9-421D-AEB5-10CE593A4625}C:\program files\lexmark 5000 series\lxdmmon.exe" = protocol=6 | dir=in | app=c:\program files\lexmark 5000 series\lxdmmon.exe |
"UDP Query User{0F222FA8-3D2A-4F32-B067-C609B5D3EC47}C:\program files\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"UDP Query User{6A821181-2509-4468-9C2A-CF95F2E83DFD}C:\program files\lexmark 5000 series\lxdmmon.exe" = protocol=17 | dir=in | app=c:\program files\lexmark 5000 series\lxdmmon.exe |
"UDP Query User{710E5D44-4099-4FA1-8F09-5D2F87F361FB}C:\program files\philips\intelligent agent\philips intelligent agent.exe" = protocol=17 | dir=in | app=c:\program files\philips\intelligent agent\philips intelligent agent.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05F350C6-FA6A-40D0-A130-FB941B39152C}" = Philips SPC230NC Webcam
"{06E74B9B-631F-4378-BF3A-40D868450C05}" = HPPhotoSmartPhotobookHolidayPack1
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = MSN Toolbar
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{091D12F7-A074-4AFE-8401-072E8494D873}" = Clouded Horizons Character Creation Utility
"{12A76360-388E-4B27-ABEB-D5FC5378DD2A}" = HPPhotoSmartPhotobookWebPack1
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{172AEB5E-CBB2-4CDD-A4CF-388600825839}" = HPPhotoSmartPhotobookPlayfulPack1
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1BDC9633-895B-4842-BCB6-8FA1EC2A3C5A}" = Adobe Shockwave Player
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{2656D0AB-9EA4-4C58-A117-635F3CED8B93}" = Microsoft UI Engine
"{26A24AE4-039D-4CA4-87B4-2F83216016F0}" = Java(TM) 6 Update 16
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2BB67266-D1A3-4CCC-8EB2-16770AB1FB76}" = ArcSoft WebCam Companion 2
"{31216452-5540-4C96-B754-94890A63D5AB}" = HP Help and Support
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{340F521E-3576-4E1A-B75C-EB0ACF751379}" = HP Wireless Assistant
"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 D3
"{35F83303-C0C0-46B7-B8A8-ADA7C2AC5645}" = muvee autoProducer 6.1
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{415B2719-AD3A-4944-B404-C472DB6085B3}" = Cisco EAP-FAST Module
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 3.7
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CACFCD9-F71B-413A-8DF5-1A6419D5CDC6}" = Cards_Calendar_OrderGift_DoMorePlugout
"{51F96AEC-D902-4434-A0DC-B9692A21AE7C}" = MobileMe Control Panel
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{5DAA9C36-8F8B-462F-8CCA-E205BC3751F5}" = HP Active Support Library
"{61BEA823-ECAF-49F1-8378-A59B3B8AD247}" = Microsoft Default Manager
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ADD0603-16EF-400D-9F9E-486432835002}" = OpenOffice.org 3.2
"{719842F9-FF69-4BA6-A6FE-52244575E0B3}" = ArcSoft VideoImpression 2
"{76BC2442-0002-47FA-9617-43BAD82BEF4C}" = Bonjour
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89E052B2-5CA5-4B7A-AF0C-28CA2836B030}" = HPPhotoSmartPhotobookModernPack1
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{98177940-C048-4831-A279-F3888B1E2C7F}" = InstallMgr
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes
"{A07840FC-CE63-4CB8-8030-EF4B9805925A}" = HPPhotoSmartDiscLabel_PaperLabel
"{A67BB21E-D419-45BB-AB86-7D87D14BBCE2}" = Safari
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A8AC89BA-D8CB-4372-9743-1C54D23286B0}" = MSN Toolbar
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{AC95121F-1576-45B8-82F7-3911D27882E6}" = HPPhotoSmartPhotobookScrapbookPack1
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{ADFB9653-F44C-460C-BF58-189CC552DFFE}" = hpphotosmartdisclabelplugin
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4E91E95-A5BA-4E50-A465-DB7EFEB176E8}" = HPPhotoSmartDiscLabel_PrintOnDisc
"{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
"{B640E7CC-7091-4A24-AE76-2140065D2054}" = HP User Guides 0110
"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C27C82E4-9C53-4D76-9ED3-A01A3D5EE679}" = HP Customer Experience Enhancements
"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program
"{C3FAEA0F-82B6-45E2-9A3D-4E49BE6C9451}" = MSN Toolbar Platform
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
"{CA634931-0CC3-4067-ABCC-7182E1DC23B7}" = HP Button Manager
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CECB7782-F35F-45CE-97C0-74BBBDC51C22}" = Webcam Video Viewer
"{D31612BB-C6D7-4142-96AE-16DB062354CF}" = HP Webcam User's Guide
"{D5773BFA-5967-4A1C-AD0F-FFFD0D13FC36}" = Network Magic
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DD3C88A0-C53C-41D0-A21B-6D021981D23E}" = HPPhotoSmartDiscLabelContent1
"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{EE5BC0BB-9EDA-423C-8276-48857B735D68}" = Prince of Persia Warrior Within
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{f32502b5-5b64-4882-bf61-77f23edcac4f}" = HP Total Care Advisor
"{F636EE9A-F9EC-4606-BCFA-77DD0E210788}" = HPPhotoSmartDiscLabel_Tattoo
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F8A3C1B6-D2E0-4CE1-80A2-555D6F71C639}" = Microsoft Search Enhancement Pack
"{FA3B34BE-4246-4062-90A3-34CBBEA12B72}" = HPTCSSetup
"{FAB046D7-C187-4648-A1A9-FC875F7E3FCE}" = ArcSoft Magic-i 3
"{FB26A501-6BA6-459B-89AA-9736730752FB}" = VoiceOver Kit
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"ActivePoint" = Microsoft® PowerPoint® Animation Player
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AIM Toolbar" = AIM Toolbar
"AIM_6" = AIM 6
"AIMTunes" = AIMTunes
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.5
"Ask.com Search Assistant" = Ask.com Search Assistant 1.0.2
"Audacity_is1" = Audacity 1.2.6
"avast!" = avast! Antivirus
"AVG9Uninstall" = AVG Free 9.0
"CCleaner" = CCleaner
"Celtx (2.7)" = Celtx (2.7)
"CNXT_AUDIO_HDA" = Conexant HD Audio
"CNXT_MODEM_HDAUDIO_HERMOSA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"Fraps" = Fraps
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"HP Photosmart Essential" = HP Photosmart Essential 2.5
"HP Smart Web Printing" = HP Smart Web Printing 4.60
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 5.2.0
"Lexmark 5000 Series" = Lexmark 5000 Series
"Magic DVD Ripper_is1" = Magic DVD Ripper V5.4.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Messenger Plus! Live" = Messenger Plus! Live
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"NVIDIA Drivers" = NVIDIA Drivers
"Philips Intelligent Agent_is1" = Philips Intelligent Agent
"SlingMedia.QPSlingPlayer_is1" = QuickPlay SlingPlayer 0.4.6
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Star Wars DroidWorks" = Star Wars DroidWorks
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"ViewpointMediaPlayer" = Viewpoint Media Player
"WildTangent hp Master Uninstall" = My HP Games
"Winamp" = Winamp
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 5/15/2010 3:06:49 PM | Computer Name = NickF-PC | Source = avast! | ID = 33554522
Description = aswChestInterface - Program error description: CChestListView::ExtractSelectedFiles()
chestGetFile() failed: 5.

Error - 5/15/2010 3:06:49 PM | Computer Name = NickF-PC | Source = avast! | ID = 33554522
Description = Error in aswChestS: chest s_RestoreFile Error 5.

Error - 5/15/2010 3:06:49 PM | Computer Name = NickF-PC | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestRestoreFile Error 5.

Error - 5/15/2010 3:06:49 PM | Computer Name = NickF-PC | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestGetFile Error 5.

Error - 5/15/2010 3:06:49 PM | Computer Name = NickF-PC | Source = avast! | ID = 33554522
Description = aswChestInterface - Program error description: CChestListView::ExtractSelectedFiles()
chestGetFile() failed: 5.

Error - 5/15/2010 3:06:49 PM | Computer Name = NickF-PC | Source = avast! | ID = 33554522
Description = Error in aswChestS: chest s_RestoreFile Error 5.

Error - 5/15/2010 3:06:49 PM | Computer Name = NickF-PC | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestRestoreFile Error 5.

Error - 5/15/2010 3:06:49 PM | Computer Name = NickF-PC | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestGetFile Error 5.

Error - 5/15/2010 3:06:49 PM | Computer Name = NickF-PC | Source = avast! | ID = 33554522
Description = aswChestInterface - Program error description: CChestListView::ExtractSelectedFiles()
chestGetFile() failed: 5.

Error - 5/15/2010 6:10:33 PM | Computer Name = NickF-PC | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\WINDOWS\System32\rtutils.dll failed, 00000005.

[ Application Events ]
Error - 11/4/2009 11:21:51 PM | Computer Name = NickF-PC | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 7.0.6001.18319 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 1204 Start Time: 01ca5dbb6ab06918 Termination Time: 0

Error - 11/4/2009 11:22:52 PM | Computer Name = NickF-PC | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 7.0.6001.18319 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 15c Start Time: 01ca5dc71d8e8988 Termination Time: 47

Error - 11/5/2009 12:47:14 AM | Computer Name = NickF-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 11/5/2009 12:59:20 AM | Computer Name = NickF-PC | Source = Application Error | ID = 1000
Description = Faulting application OfficeLiveSignIn.exe, version 2.0.2313.0, time
stamp 0x491c0a79, faulting module OfficeLiveSignIn.exe, version 2.0.2313.0, time
stamp 0x491c0a79, exception code 0xc0000005, fault offset 0x00003ce7, process id
0x1430, application start time 0x01ca5dd4a4d5a0b8.

Error - 11/5/2009 2:34:08 AM | Computer Name = NickF-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 11/5/2009 2:34:08 AM | Computer Name = NickF-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 11/5/2009 2:08:08 PM | Computer Name = NickF-PC | Source = WinMgmt | ID = 10
Description =

Error - 11/5/2009 11:22:08 PM | Computer Name = NickF-PC | Source = Application Error | ID = 1000
Description = Faulting application Explorer.EXE, version 6.0.6001.18164, time stamp
0x4907e242, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
code 0xc0000005, fault offset 0xffffb9ba, process id 0xb70, application start time
0x01ca5e42de6b733b.

Error - 11/6/2009 1:53:41 PM | Computer Name = NickF-PC | Source = WinMgmt | ID = 10
Description =

Error - 11/6/2009 2:23:28 PM | Computer Name = NickF-PC | Source = VSS | ID = 8194
Description =

[ System Events ]
Error - 5/15/2010 8:24:17 PM | Computer Name = NickF-PC | Source = DCOM | ID = 10010
Description =

Error - 5/15/2010 8:34:26 PM | Computer Name = NickF-PC | Source = DCOM | ID = 10010
Description =

Error - 5/15/2010 8:35:37 PM | Computer Name = NickF-PC | Source = DCOM | ID = 10010
Description =

Error - 5/15/2010 8:36:13 PM | Computer Name = NickF-PC | Source = DCOM | ID = 10010
Description =

Error - 5/15/2010 8:40:23 PM | Computer Name = NickF-PC | Source = DCOM | ID = 10010
Description =

Error - 5/15/2010 8:40:43 PM | Computer Name = NickF-PC | Source = DCOM | ID = 10010
Description =

Error - 5/15/2010 8:50:38 PM | Computer Name = NickF-PC | Source = Service Control Manager | ID = 7016
Description =

Error - 5/15/2010 8:53:38 PM | Computer Name = NickF-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 5/15/2010 8:53:38 PM | Computer Name = NickF-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 5/15/2010 8:53:38 PM | Computer Name = NickF-PC | Source = Service Control Manager | ID = 7000
Description =


< End of report >


Re: Fake Anti Virus

Post by Belahzur on Sat May 15, 2010 10:37 pm

Hello.

Remove the Proxy setting in Internet Explorer and/or in FireFox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection -> Choose "No Proxy"
  2. Click the apply button and restart that computer in normal mode.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O4 - HKCU..\Run: [close delete] C:\ProgramData\Burn Deaf Deaf.qfc File not found
    O4 - HKCU..\Run: [tgiuxtca] C:\Users\Nick F\AppData\Local\kkdwqrlei\lmdjtdatssd.exe ()
    O4 - HKCU..\Run: [way math bike enc] C:\ProgramData\funk jugs option.ubu File not found
    [2010/05/15 00:01:54 | 000,000,000 | ---D | C] -- C:\Users\Nick F\AppData\Local\kkdwqrlei



  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


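The three Run values, the orphaned BHO and the folder in that fix list follow a pattern that can be triaged mechanically: a launcher whose file no longer exists, an unattributed executable under AppData\Local, and a BHO whose CLSID has no class registration. The following Python script is an added example for this thread, not OTL's code or the helper's. It parses OTL-style fix lines (the line format is taken from the post as-is) and flags entries using those three rules, which are assumptions of the example rather than OTL's own logic; the sample input is the fix list above, copied verbatim.

```python
"""Triage an OTL-style fix list: parse the entries and say why each is suspect.

Added example for this thread; it is not OTL's code or the helper's. OTL's
line format is used as input only, and the triage rules below are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the fix list from the reply above, copied verbatim.
SAMPLE_FIX = r"""
:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKCU..\Run: [close delete] C:\ProgramData\Burn Deaf Deaf.qfc File not found
O4 - HKCU..\Run: [tgiuxtca] C:\Users\Nick F\AppData\Local\kkdwqrlei\lmdjtdatssd.exe ()
O4 - HKCU..\Run: [way math bike enc] C:\ProgramData\funk jugs option.ubu File not found
[2010/05/15 00:01:54 | 000,000,000 | ---D | C] -- C:\Users\Nick F\AppData\Local\kkdwqrlei
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
FILE_RE = re.compile(r"^\[(?P<meta>[^\]]*)\] -- (?P<path>.*)$")
COMPANY_RE = re.compile(r"^(?P<path>.*?) \((?P<company>.*)\)$")
MISSING = "File not found"

# Assumption: locations any user can write to. A Run value that launches an
# unattributed binary from here is the pattern the helper removed above.
USER_WRITABLE = ("\\appdata\\local\\", "\\programdata\\")


@dataclass
class Finding:
    kind: str    # "bho", "autorun" or "folder"
    name: str    # CLSID, Run value name, or folder path
    path: str
    reason: str


def parse_fix(text: str) -> List[Dict]:
    """Turn fix lines into records; unknown lines (e.g. ':OTL') are skipped."""
    records: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):
            continue
        if (m := O2_RE.match(line)):
            records.append({"type": "bho", **m.groupdict()})
        elif (m := O4_RE.match(line)):
            rest = m.group("rest")
            rec = {"type": "autorun", "hive": m.group("hive"), "name": m.group("name"),
                   "company": None, "missing": False}
            if rest.endswith(MISSING):          # OTL marks dead launchers this way
                rec["path"] = rest[: -len(MISSING)].rstrip()
                rec["missing"] = True
            elif (cm := COMPANY_RE.match(rest)):  # trailing "(publisher)" may be empty
                rec["path"] = cm.group("path")
                rec["company"] = cm.group("company")
            else:
                rec["path"] = rest
            records.append(rec)
        elif (m := FILE_RE.match(line)):
            created, size, attrs, _op = [p.strip() for p in m.group("meta").split("|")]
            records.append({"type": "file", "path": m.group("path"), "created": created,
                            "size": int(size.replace(",", "")), "is_dir": "D" in attrs})
    return records


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def triage(records: List[Dict]) -> List[Finding]:
    """Apply the rules that make the entries in the fix list suspect."""
    findings: List[Finding] = []
    for r in records:
        if r["type"] == "bho" and r["target"].startswith("No CLSID value found"):
            findings.append(Finding("bho", r["clsid"], "",
                                    "BHO registered but its CLSID has no class entry (orphaned)"))
        elif r["type"] == "autorun":
            if r["missing"]:
                findings.append(Finding("autorun", r["name"], r["path"],
                                        "Run value launches a file that no longer exists"))
            elif in_user_writable(r["path"]) and not (r["company"] or "").strip():
                findings.append(Finding("autorun", r["name"], r["path"],
                                        "unattributed binary launched from a user-writable location"))
    # Second pass: a folder holding a flagged autorun target belongs to the same set.
    flagged_paths = [f.path.lower() for f in findings if f.kind == "autorun"]
    for r in records:
        if r["type"] == "file" and r["is_dir"]:
            folder = r["path"].lower() + "\\"
            if any(p.startswith(folder) for p in flagged_paths):
                findings.append(Finding("folder", r["path"], r["path"],
                                        f"holds a flagged autorun target; created {r['created']}"))
    return findings


def triage_fix(text: str) -> List[Finding]:
    return triage(parse_fix(text))


if __name__ == "__main__":
    for f in triage_fix(SAMPLE_FIX):
        print(f"[{f.kind}] {f.name}: {f.reason}" + (f" ({f.path})" if f.path else ""))
```

Run as a script it prints one line per finding; the second pass is what ties the kkdwqrlei folder to the Run value that launched an executable from inside it, which is why the helper had both the value and the folder removed.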

Re: Fake Anti Virus

Post by TheBlackScepter on Sat May 15, 2010 10:43 pm

here it is


========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\close delete deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\tgiuxtca deleted successfully.
C:\Users\Nick F\AppData\Local\kkdwqrlei\lmdjtdatssd.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\way math bike enc deleted successfully.
C:\Users\Nick F\AppData\Local\kkdwqrlei folder moved successfully.

OTL by OldTimer - Version 3.2.4.1 log created on 05152010_184230


Re: Fake Anti Virus

Post by Belahzur on Sat May 15, 2010 10:45 pm

Download [You must be registered and logged in to see this link.]

Double-click Lop S&D.exe
Choose the language, then choose Option 2 (Fix + Hosts)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)





Re: Fake Anti Virus

Post by TheBlackScepter on Sat May 15, 2010 10:52 pm

here



--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft® Windows Vista™ Home Premium ( v6.0.6002 ) Service Pack 2
X86-based PC ( Multiprocessor Free : AMD Athlon Dual-Core QL-60 )
BIOS : PhoenixBIOS 4.0 Release 6.1
USER : Nick F ( Administrator )
BOOT : Normal boot
C:\ (Local Disk) - NTFS - Total:139 Go (Free:61 Go)
D:\ (Local Disk) - NTFS - Total:9 Go (Free:1 Go)
E:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [2] ( Sat 05/15/2010|18:47 )

[ UAC => 1 ]


\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ FIX

Deleted! - C:\ProgramData\cast dale way math\Readme long.dat
Deleted! - C:\ProgramData\funk jugs option.ubuls
Deleted! - C:\ProgramData\Burn Deaf Deaf.084mbj
Deleted! - C:\ProgramData\Burn Deaf Deaf.qfcwvm
Deleted! - C:\ProgramData\Burn Deaf Deaf.vgxo3w
Deleted! - C:\ProgramData\Burn Deaf Deaf.8znf159
Deleted! - C:\ProgramData\Burn Deaf Deaf.nvtncel
Deleted! - C:\ProgramData\cast dale way math
-
[ Hosts file ] .. Restored!

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Deleted! - C:\PROGRA~2\Viewpoint

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


--------------------\\ Listing folders in Local

[05/17/2009|10:43] C:\Users\NICKF~1\AppData\Local\ Adobe
[09/17/2009|05:47] C:\Users\NICKF~1\AppData\Local\ AIM Toolbar
[05/28/2009|05:57] C:\Users\NICKF~1\AppData\Local\ AOL
[05/28/2009|05:57] C:\Users\NICKF~1\AppData\Local\ AOL OCP
[09/22/2009|10:40] C:\Users\NICKF~1\AppData\Local\ Apple
[04/04/2010|09:03] C:\Users\NICKF~1\AppData\Local\ Apple Computer
[03/05/2009|05:56] C:\Users\NICKF~1\AppData\Local\ Application Data
[12/25/2009|07:22] C:\Users\NICKF~1\AppData\Local\ ArcSoft
[03/05/2009|06:07] C:\Users\NICKF~1\AppData\Local\0 AtStart.txt
[05/01/2010|10:01] C:\Users\NICKF~1\AppData\Local\680 d3d9caps.dat
[04/18/2010|12:58] C:\Users\NICKF~1\AppData\Local\62,464 DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[12/26/2009|08:33] C:\Users\NICKF~1\AppData\Local\6 desktop.ini
[03/05/2009|06:07] C:\Users\NICKF~1\AppData\Local\0 DSwitch.txt
[03/03/2010|06:52] C:\Users\NICKF~1\AppData\Local\81,208 GDIPFONTCACHEV1.DAT
[04/02/2010|07:53] C:\Users\NICKF~1\AppData\Local\ Greyfirst
[08/25/2009|08:35] C:\Users\NICKF~1\AppData\Local\ Hewlett-Packard
[03/05/2009|05:56] C:\Users\NICKF~1\AppData\Local\ History
[05/15/2010|05:49] C:\Users\NICKF~1\AppData\Local\3,791,406 IconCache.db
[02/08/2010|03:29] C:\Users\NICKF~1\AppData\Local\ MagicSoftware
[03/21/2010|08:59] C:\Users\NICKF~1\AppData\Local\ Microsoft
[04/13/2010|10:10] C:\Users\NICKF~1\AppData\Local\ Microsoft Games
[01/06/2010|12:13] C:\Users\NICKF~1\AppData\Local\ Mozilla
[03/05/2009|06:07] C:\Users\NICKF~1\AppData\Local\0 QSwitch.txt
[03/07/2010|08:29] C:\Users\NICKF~1\AppData\Local\ QuickPlay
[05/15/2010|06:47] C:\Users\NICKF~1\AppData\Local\ Temp
[03/05/2009|05:56] C:\Users\NICKF~1\AppData\Local\ Temporary Internet Files
[03/05/2009|05:54] C:\Users\NICKF~1\AppData\Local\ VirtualStore
[01/05/2010|07:05] C:\Users\NICKF~1\AppData\Local\ Yahoo

--------------------\\ Scheduled Tasks located in C:\Windows\Tasks

[05/12/2010 07:40 AM][--a------] C:\Windows\tasks\HPCeeScheduleForNick F.job
[05/15/2010 05:52 PM][--ah-----] C:\Windows\tasks\SA.DAT
[05/15/2010 05:50 PM][--a------] C:\Windows\tasks\SCHEDLGU.TXT

--------------------\\ Listing Folders in C:\ProgramData

[06/24/2008|11:34] C:\ProgramData\ {174892B1-CBE7-44F5-86FF-AB555EFD73A3}
[04/04/2010|09:29] C:\ProgramData\ {429CAD59-35B1-4DBC-BB6D-1DB246563521}
[03/05/2010|06:52] C:\ProgramData\ {755AC846-7372-4AC8-8550-C52491DAA8BD}
[12/27/2009|11:21] C:\ProgramData\ 5000 Series
[09/17/2009|03:10] C:\ProgramData\ acccore
[09/03/2009|07:18] C:\ProgramData\ Adobe
[09/17/2009|03:11] C:\ProgramData\ AIM Toolbar
[03/05/2009|05:59] C:\ProgramData\ AOL
[09/17/2009|03:11] C:\ProgramData\ AOL Downloads
[05/28/2009|05:59] C:\ProgramData\ AOL OCP
[09/22/2009|10:40] C:\ProgramData\ Apple
[03/05/2010|06:51] C:\ProgramData\ Apple Computer
[11/02/2006|06:02] C:\ProgramData\ Application Data
[12/25/2009|07:22] C:\ProgramData\ ArcSoft
[02/11/2009|11:48] C:\ProgramData\ Atheros
[12/15/2009|06:54] C:\ProgramData\ avg9
[08/10/2009|10:04] C:\ProgramData\ CyberLink
[11/02/2006|06:02] C:\ProgramData\ Desktop
[11/02/2006|06:02] C:\ProgramData\ Documents
[11/02/2006|06:02] C:\ProgramData\ Favorites
[04/25/2009|06:06] C:\ProgramData\ flag jugs second
[08/11/2009|08:34] C:\ProgramData\ Hewlett-Packard
[06/24/2008|11:36] C:\ProgramData\ HP
[01/16/2010|11:28] C:\ProgramData\736 hpzinstall.log
[03/26/2010|01:15] C:\ProgramData\ Lx_cats
[03/26/2010|01:14] C:\ProgramData\158 lxdm
[08/21/2009|12:36] C:\ProgramData\ Malwarebytes
[01/21/2010|11:46] C:\ProgramData\ Messenger Plus!
[06/29/2009|08:00] C:\ProgramData\ Microsoft
[05/15/2010|03:03] C:\ProgramData\ Microsoft Help
[06/24/2008|11:20] C:\ProgramData\ muvee Technologies
[04/03/2010|09:47] C:\ProgramData\ NVIDIA
[05/15/2010|05:52] C:\ProgramData\31,966 nvModes.001
[05/15/2010|05:52] C:\ProgramData\31,966 nvModes.dat
[01/23/2010|11:15] C:\ProgramData\ Office Genuine Advantage
[07/30/2009|07:36] C:\ProgramData\ Philips
[08/07/2009|11:02] C:\ProgramData\ POPWWPROFILES
[03/25/2009|07:12] C:\ProgramData\ Pure Networks
[11/02/2006|06:02] C:\ProgramData\ Start Menu
[03/03/2010|04:18] C:\ProgramData\ Sun
[07/18/2009|08:19] C:\ProgramData\ Symantec
[04/14/2010|06:43] C:\ProgramData\ TEMP
[11/02/2006|06:02] C:\ProgramData\ Templates
[04/13/2010|10:11] C:\ProgramData\ WildTangent
[10/26/2009|02:10] C:\ProgramData\ WLInstaller
[07/30/2009|07:09] C:\ProgramData\ Xerox
[12/17/2009|03:03] C:\ProgramData\ Yahoo!
[04/14/2010|02:32] C:\ProgramData\ Yahoo! Companion

--------------------\\ Listing Folders in C:\Program Files

[12/27/2009|11:20] C:\Program Files\ Abbyy FineReader 6.0 Sprint
[06/24/2008|11:34] C:\Program Files\ Activation Assistant for the 2007 Microsoft Office suites
[09/03/2009|07:18] C:\Program Files\ Adobe
[09/17/2009|03:11] C:\Program Files\ AIM Toolbar
[09/17/2009|03:16] C:\Program Files\ AIM6
[09/17/2009|03:12] C:\Program Files\ AIMTunes
[07/19/2009|09:58] C:\Program Files\ Alwil Software
[04/10/2009|11:27] C:\Program Files\ Amazon
[09/22/2009|10:40] C:\Program Files\ Apple Software Update
[12/25/2009|07:21] C:\Program Files\ ArcSoft
[04/23/2009|08:35] C:\Program Files\ Ask Search Assistant
[02/11/2009|11:49] C:\Program Files\ Atheros
[03/13/2009|01:36] C:\Program Files\ Audacity
[12/15/2009|06:54] C:\Program Files\ AVG
[06/24/2008|11:52] C:\Program Files\ AWS
[04/04/2010|09:17] C:\Program Files\ Bonjour
[03/07/2009|12:52] C:\Program Files\ CCleaner
[04/02/2010|07:52] C:\Program Files\ Celtx
[02/11/2009|11:48] C:\Program Files\ Cisco
[12/25/2009|07:16] C:\Program Files\ Common Files
[02/11/2009|11:56] C:\Program Files\ CONEXANT
[06/24/2008|11:50] C:\Program Files\ CyberLink
[05/09/2009|01:17] C:\Program Files\ Flex Designs, Ltd
[06/30/2009|09:49] C:\Program Files\ Hewlett-Packard
[06/24/2008|10:05] C:\Program Files\ Hewlett-Packard Company
[12/25/2009|07:23] C:\Program Files\ HP
[06/24/2008|10:44] C:\Program Files\ HP Games
[03/26/2010|07:06] C:\Program Files\ InstallShield Installation Information
[11/23/2009|12:58] C:\Program Files\ Internet Explorer
[04/04/2010|09:28] C:\Program Files\ iPod
[04/04/2010|09:29] C:\Program Files\ iTunes
[12/04/2009|04:31] C:\Program Files\ Java
[03/03/2010|04:41] C:\Program Files\ JRE
[10/22/2009|10:26] C:\Program Files\ K-Lite Codec Pack
[12/27/2009|11:22] C:\Program Files\ Lexmark 5000 Series
[02/25/2010|02:04] C:\Program Files\ Lucas Learning
[02/08/2010|03:28] C:\Program Files\ MagicDVDRipper
[01/25/2010|12:45] C:\Program Files\ Malwarebytes' Anti-Malware
[04/29/2010|09:40] C:\Program Files\ Messenger Plus! Live
[03/05/2009|04:11] C:\Program Files\ Microsoft
[11/02/2006|05:37] C:\Program Files\ Microsoft Games
[03/08/2009|08:06] C:\Program Files\ Microsoft Office
[01/20/2010|12:11] C:\Program Files\ Microsoft Silverlight
[03/05/2009|04:12] C:\Program Files\ Microsoft SQL Server Compact Edition
[03/05/2009|04:10] C:\Program Files\ Microsoft Sync Framework
[06/09/2009|11:26] C:\Program Files\ Microsoft Works
[06/24/2008|11:32] C:\Program Files\ Microsoft.NET
[03/11/2010|10:32] C:\Program Files\ Movie Maker
[04/02/2010|12:10] C:\Program Files\ Mozilla Firefox
[11/02/2006|05:37] C:\Program Files\ MSBuild
[10/09/2009|11:14] C:\Program Files\ MSN Toolbar
[10/09/2009|11:15] C:\Program Files\ MSN Toolbar Installer
[03/05/2009|07:51] C:\Program Files\ MSXML 4.0
[06/24/2008|11:20] C:\Program Files\ muvee Technologies
[02/11/2009|11:55] C:\Program Files\ NetWaiting
[03/05/2009|06:00] C:\Program Files\ Online Services
[03/03/2010|04:46] C:\Program Files\ OpenOffice.org 3
[07/30/2009|07:36] C:\Program Files\ Philips
[03/25/2009|07:13] C:\Program Files\ Pure Networks
[04/04/2010|09:23] C:\Program Files\ QuickTime
[11/02/2006|05:37] C:\Program Files\ Reference Assemblies
[04/04/2010|09:02] C:\Program Files\ Safari
[02/11/2009|11:53] C:\Program Files\ Synaptics
[11/14/2009|02:06] C:\Program Files\ Thomson
[08/03/2009|12:05] C:\Program Files\ Ubisoft
[11/02/2006|06:01] C:\Program Files\ Uninstall Information
[04/03/2010|05:36] C:\Program Files\ uTorrent
[03/05/2009|05:59] C:\Program Files\ Viewpoint
[03/06/2009|06:27] C:\Program Files\ Winamp
[11/23/2009|12:58] C:\Program Files\ Windows Calendar
[11/23/2009|12:58] C:\Program Files\ Windows Collaboration
[11/23/2009|12:58] C:\Program Files\ Windows Defender
[11/23/2009|12:58] C:\Program Files\ Windows Journal
[09/01/2009|04:25] C:\Program Files\ Windows Live
[08/11/2009|10:37] C:\Program Files\ Windows Live Safety Center
[03/05/2009|04:04] C:\Program Files\ Windows Live SkyDrive
[05/13/2010|10:51] C:\Program Files\ Windows Mail
[11/23/2009|12:58] C:\Program Files\ Windows Media Player
[11/02/2006|05:37] C:\Program Files\ Windows NT
[11/23/2009|12:58] C:\Program Files\ Windows Photo Gallery
[11/23/2009|08:08] C:\Program Files\ Windows Portable Devices
[11/23/2009|12:58] C:\Program Files\ Windows Sidebar
[05/09/2009|05:43] C:\Program Files\ WinRAR
[10/22/2009|10:14] C:\Program Files\ XP Codec Pack
[12/17/2009|03:03] C:\Program Files\ Yahoo!

--------------------\\ Listing Folders in C:\Program Files\Common Files

[09/03/2009|07:18] C:\Program Files\Common Files\ Adobe
[03/05/2009|05:58] C:\Program Files\Common Files\ AOL
[04/04/2010|09:28] C:\Program Files\Common Files\ Apple
[12/25/2009|07:17] C:\Program Files\Common Files\ ArcSoft
[06/24/2008|11:32] C:\Program Files\Common Files\ DESIGNER
[06/24/2008|11:36] C:\Program Files\Common Files\ HP
[06/24/2008|11:55] C:\Program Files\Common Files\ InstallShield
[03/03/2010|04:18] C:\Program Files\Common Files\ Java
[12/15/2009|06:53] C:\Program Files\Common Files\ microsoft shared
[06/24/2008|11:20] C:\Program Files\Common Files\ muvee Technologies
[11/09/2009|12:59] C:\Program Files\Common Files\ PowerPoint Animation Player
[03/25/2009|07:13] C:\Program Files\Common Files\ Pure Networks Shared
[03/06/2009|06:26] C:\Program Files\Common Files\ PX Storage Engine
[11/02/2006|04:18] C:\Program Files\Common Files\ Services
[09/17/2009|03:11] C:\Program Files\Common Files\ Software Update Utility
[11/02/2006|04:18] C:\Program Files\Common Files\ SpeechEngines
[07/18/2009|08:21] C:\Program Files\Common Files\ Symantec Shared
[11/23/2009|12:58] C:\Program Files\Common Files\ System
[03/05/2009|03:50] C:\Program Files\Common Files\ Windows Live

--------------------\\ Process

( 103 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-15 18:48:20
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections


No other infections found !

[F:167][D:9]-> C:\Users\NICKF~1\AppData\Local\Temp
[F:22][D:1]-> C:\Users\NICKF~1\AppData\Roaming\MICROS~1\Windows\Cookies
[F:637][D:7]-> C:\Users\NICKF~1\AppData\Local\MICROS~1\Windows\TEMPOR~1\content.IE5
[F:33][D:2]-> C:\$Recycle.Bin

1 - "C:\Lop SD\LopR_1.txt" - Sat 05/15/2010|18:50 - Option : [2]

--------------------\\ Scan completed at 18:50:15
[ UAC => 1 ]


Re: Fake Anti Virus

Post by Belahzur on Sat May 15, 2010 11:00 pm

Hello.
Let's do some tidying up here and remove some stuff.

I see that you are running µTorrent.
P2P(Peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

You are also running two antivirus programs, I see from the uninstall list you have Avast installed, along with AVG. This is a bad idea as they can conflict and cause more problems. I would recommend that you remove AVG to avoid conflict and other future problems.

  • Click Start >> Control Panel.
  • Under the Programs click Uninstall a Program
  • Highlight the following:

    µTorrent
    Adobe Reader 8.1.3
    Ask.com Search Assistant 1.0.2
    AVG Free 9.0
    Java(TM) 6 Update 5
    Java(TM) 6 Update 16
    Java(TM) 6 Update 18
    Viewpoint Media Player

  • Click on the Uninstall/Change button at the top.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.





Re: Fake Anti Virus

Post by TheBlackScepter on Sat May 15, 2010 11:03 pm

I already downloaded Malwarebytes' Anti-Malware prior to this virus attack. I understand uTorrent, but why AVG? It's been helpful before.


Re: Fake Anti Virus

Post by Belahzur on Sat May 15, 2010 11:05 pm

Hello.
Re-read my post and look at my instructions carefully.

You are also running two antivirus programs; I see from the uninstall list that you have Avast installed along with AVG. This is a bad idea, as they can conflict and cause more problems. I would recommend that you remove AVG to avoid conflicts and other future problems.

AVG is known for lots of false positives, so I would rather AVG were removed and Avast kept, rather than the other way around.



Re: Fake Anti Virus

Post by TheBlackScepter on Sat May 15, 2010 11:06 pm

Alright, thank you very much for taking the time to help me fix this problem.


Re: Fake Anti Virus

Post by Belahzur on Sat May 15, 2010 11:09 pm

Who installed Messenger Plus on this machine? Regardless of who it was, they caused this infection. Messenger Plus has "sponsors" which cause this infection; there is an option not to install the sponsors, but whoever installed Messenger Plus didn't read the screen they were given.

Standing by for MBAM log.



Re: Fake Anti Virus

Post by TheBlackScepter on Sat May 15, 2010 11:10 pm

I did. I installed it. Is there any way to remove the sponsors without removing the program?


Re: Fake Anti Virus

Post by Belahzur on Sat May 15, 2010 11:11 pm

Yes, I already did that with Lop S&D; it removed the files. There are some leftovers to pick up soon, but I need an MBAM log first.



Re: Fake Anti Virus

Post by TheBlackScepter on Sat May 15, 2010 11:13 pm

Is this something on my end to get or on your end?


Re: Fake Anti Virus

Post by Belahzur on Sat May 15, 2010 11:22 pm

Yours - I gave you the instructions here:
[You must be registered and logged in to see this link.]



Re: Fake Anti Virus

Post by TheBlackScepter on Sun May 16, 2010 1:23 am

Malwarebytes' Anti-Malware 1.44
Database version: 3689
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

5/15/2010 9:22:42 PM
mbam-log-2010-05-15 (21-22-42).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 293862
Time elapsed: 1 hour(s), 36 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.FakeAV) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Fake Anti Virus

Post by Belahzur on Sun May 16, 2010 8:09 pm

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.



Re: Fake Anti Virus

Post by TheBlackScepter on Sun May 16, 2010 8:48 pm

Here are the logs.


Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4052

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

5/16/2010 1:48:02 PM
mbam-log-2010-05-16 (13-48-02).txt

Scan type: Quick scan
Objects scanned: 121420
Time elapsed: 9 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

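The two MBAM logs above share one text format. As an added example, not code from the thread or from Malwarebytes, here is a parser for that format together with the checks a responder would run on a posted log: that the counts in the summary block match the items actually listed, that every detection was quarantined rather than left in place, and which detection names point at rogue anti-virus software. The sample log is a constructed excerpt in the same format; its second registry key and the count of 2 are invented so that the checks have something to flag.

```python
"""Parse a Malwarebytes' Anti-Malware 1.4x text log and sanity-check it.

Added example for this thread; it is not Malwarebytes code.  The log format
is taken from the two logs posted in the thread; SAMPLE_LOG is a constructed
excerpt in that format (the second detection line and the count of 2 are
invented so that the checks below have something to flag).
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46

Database version: 4052

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

5/16/2010 1:48:02 PM
mbam-log-2010-05-16 (13-48-02).txt

Scan type: Quick scan
Objects scanned: 121420
Time elapsed: 9 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.FakeAV) -> No action taken.

Files Infected:
(No malicious items detected)
"""

VERSION_RE = re.compile(r"^Malwarebytes' Anti-Malware (?P<version>\S+)$")
HEADER_RE = re.compile(r"^(?P<key>Database version|Scan type|Objects scanned|Time elapsed): (?P<value>.+)$")
SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
CLEAN_ACTION = "Quarantined and deleted successfully."


def parse_mbam_log(text):
    """Return {'header': {...}, 'summary': {category: count}, 'detections': {category: [items]}}."""
    report = {"header": {}, "summary": {}, "detections": defaultdict(list)}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VERSION_RE.match(line)
        if m:
            report["header"]["version"] = m["version"]
            continue
        m = HEADER_RE.match(line)
        if m:
            report["header"][m["key"]] = m["value"]
            continue
        m = SUMMARY_RE.match(line)
        if m:                       # the count block precedes the detail sections
            report["summary"][m["cat"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["cat"]
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        m = ITEM_RE.match(line)     # "<object> (<family>) -> <action>"
        if m:
            report["detections"][section].append(m.groupdict())
    return report


def summary_mismatches(report):
    """Categories whose declared count differs from the items actually listed."""
    return [(cat, n, len(report["detections"].get(cat, [])))
            for cat, n in report["summary"].items()
            if n != len(report["detections"].get(cat, []))]


def unresolved(report):
    """Detections the scan found but did not quarantine, e.g. 'No action taken.'"""
    return [d for items in report["detections"].values() for d in items
            if d["action"] != CLEAN_ACTION]


def rogue_families(report):
    """Detection names that point at fake/rogue anti-virus software."""
    return {d["family"] for items in report["detections"].values() for d in items
            if d["family"].startswith("Rogue.") or "FakeAV" in d["family"]}


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("MBAM", rep["header"].get("version"), "db", rep["header"].get("Database version"))
    for cat, declared, listed in summary_mismatches(rep):
        print("count mismatch: %s declared %d, listed %d" % (cat, declared, listed))
    for d in unresolved(rep):
        print("still present: %s (%s) -> %s" % (d["item"], d["family"], d["action"]))
    print("rogue families:", sorted(rogue_families(rep)))
```

Run it on a real log with `parse_mbam_log(open(path).read())`. The database version in the header is worth reading before anything else: the first scan in this thread (database 3689) found only the `avsoft` key, and the second scan after updating (database 4052) found the `avsuite` key as well, which is why the update step comes before the rescan.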

Re: Fake Anti Virus

Post by Belahzur on Sun May 16, 2010 8:58 pm

1. If you are using Firefox, make sure that your download settings are as follows:

   * Tools -> Options -> Main tab
   * Set to "Always ask me where to save the files".

2. During the download, rename ComboFix to svchost as follows:

3. It is important that you rename ComboFix during the download, but not after.
4. Please do not rename ComboFix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (anti-virus) before running ComboFix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double-click on svchost.exe.
  • Follow the prompts and allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Re: Fake Anti Virus

Post by TheBlackScepter on Sun May 16, 2010 9:41 pm

here

ComboFix 10-05-16.01 - Nick F 05/16/2010 14:09:41.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1601 [GMT -7:00]
Running from: c:\users\Nick F\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AbaleZip.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))
.

2010-05-16 21:21 . 2010-05-16 21:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-16 19:13 . 2010-04-20 23:45 607472 ----a-w- c:\programdata\Yahoo!\YUpdater\yupdater.exe
2010-05-16 01:47 . 2010-05-16 01:50 -------- d-----w- C:\Lop SD
2010-05-16 01:42 . 2010-05-16 01:42 -------- d-----w- C:\_OTL
2010-05-12 14:50 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-16 20:36 . 2009-08-21 19:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-16 19:13 . 2008-06-25 06:52 -------- d-----w- c:\program files\Yahoo!
2010-05-16 19:07 . 2009-02-11 18:58 31966 ----a-w- c:\programdata\nvModes.dat
2010-05-16 02:34 . 2008-06-25 07:03 -------- d-----w- c:\program files\Java
2010-05-16 02:08 . 2009-07-04 18:52 -------- d-----w- c:\program files\uTorrent
2010-05-16 02:08 . 2009-07-04 18:51 -------- d-----w- c:\users\Nick F\AppData\Roaming\uTorrent
2010-05-16 01:47 . 2009-03-06 00:59 -------- d-----w- c:\program files\Viewpoint
2010-05-16 01:09 . 2009-12-04 23:44 1 ----a-w- c:\users\Nick F\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-15 10:03 . 2008-06-25 06:30 -------- d-----w- c:\programdata\Microsoft Help
2010-05-13 17:51 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-12 22:41 . 2009-03-09 04:04 37472 ----a-w- c:\users\Nick F\AppData\Roaming\wklnhst.dat
2010-05-02 05:01 . 2009-03-28 19:16 680 ----a-w- c:\users\Nick F\AppData\Local\d3d9caps.dat
2010-04-30 04:40 . 2009-03-06 01:24 -------- d-----w- c:\program files\Messenger Plus! Live
2010-04-29 22:39 . 2009-08-21 19:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-08-21 19:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 01:49 . 2010-03-03 04:18 1335048 ----a-w- c:\windows\Help\OEM\scripts\SamsungHDDFW1HC.exe
2010-04-14 21:32 . 2009-03-06 00:47 -------- d-----w- c:\programdata\Yahoo! Companion
2010-04-14 05:11 . 2008-06-25 05:39 -------- d-----w- c:\programdata\WildTangent
2010-04-08 23:48 . 2010-04-28 03:36 18184 ----a-w- c:\windows\Help\OEM\scripts\HPHC_BUY_BATTERY.exe
2010-04-08 23:48 . 2010-03-24 03:15 17160 ----a-w- c:\windows\Help\OEM\scripts\HPHCDisableObject.exe
2010-04-07 00:52 . 2010-04-28 03:36 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_Launch.exe
2010-04-04 16:29 . 2010-04-04 16:28 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-04 16:29 . 2010-03-06 01:51 -------- d-----w- c:\program files\iTunes
2010-04-04 16:28 . 2010-04-04 16:28 -------- d-----w- c:\program files\iPod
2010-04-04 16:28 . 2009-09-22 17:41 -------- d-----w- c:\program files\Common Files\Apple
2010-04-04 16:23 . 2010-04-04 16:22 -------- d-----w- c:\program files\QuickTime
2010-04-04 16:17 . 2010-04-04 16:16 -------- d-----w- c:\program files\Bonjour
2010-04-04 16:10 . 2010-04-04 16:10 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-04 16:02 . 2010-04-04 16:02 -------- d-----w- c:\program files\Safari
2010-04-04 15:58 . 2010-04-04 15:58 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-04-04 04:47 . 2009-02-11 19:02 -------- d-----w- c:\programdata\NVIDIA
2010-04-03 02:53 . 2010-04-03 02:53 -------- d-----w- c:\users\Nick F\AppData\Roaming\Greyfirst
2010-04-03 02:52 . 2010-04-03 02:52 -------- d-----w- c:\program files\Celtx
2010-03-27 02:06 . 2008-06-25 05:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-27 02:03 . 2009-12-26 02:22 2485883 ----a-w- c:\programdata\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
2010-03-26 20:15 . 2009-12-28 07:11 -------- d-----w- c:\programdata\Lx_cats
2010-03-09 16:25 . 2010-03-31 14:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-03-31 14:19 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-04 17:33 . 2010-04-14 21:10 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 01:52 . 2009-03-06 01:05 81208 ----a-w- c:\users\Nick F\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-03 23:18 . 2009-08-09 05:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-23 11:10 . 2010-04-14 21:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:10 . 2010-04-14 21:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:10 . 2010-04-14 21:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-20 23:06 . 2010-03-11 17:14 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 17:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 17:14 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-18 14:07 . 2010-04-14 21:08 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-18 14:07 . 2010-04-14 21:10 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-18 14:07 . 2010-04-14 21:10 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-18 13:30 . 2010-04-14 21:08 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-02-18 11:28 . 2010-04-14 21:08 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-05-11 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-04-02 468264]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2007-03-14 321088]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"SPC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SPC230NC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0316.3\mswinext.exe" [2009-09-28 240976]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"lxdmmon.exe"="c:\program files\Lexmark 5000 Series\lxdmmon.exe" [2007-12-14 455336]
"lxdmamon"="c:\program files\Lexmark 5000 Series\lxdmamon.exe" [2007-12-14 25256]
"Lexmark 5000 Series Fax Server"="c:\program files\Lexmark 5000 Series\fm3032.exe" [2007-12-14 307880]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\users\Nick F\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2009-12-25 266240]
Magic-i.lnk - c:\program files\ArcSoft\Magic-i 3\Magic-i.exe [2009-12-25 530944]
TrayMin230.lnk - c:\program files\Philips\Philips SPC230NC Webcam\TrayMin230.exe [2009-7-30 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):9b,5e,bc,5c,78,6c,ca,01

R3 PAEAFLT.sys;USB Composite Device;c:\windows\system32\DRIVERS\PAEAFLT.sys [2007-09-26 8576]
R3 SPC230NC;Philips SPC230NC Webcam;c:\windows\system32\DRIVERS\SPC230NC.SYS [2007-12-31 461056]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-02-05 51792]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-04-25 361808]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-03 42528]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-12 c:\windows\Tasks\HPCeeScheduleForNick F.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-06-25 03:03]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = 127.0.0.1:5555
uInternet Settings,ProxyOverride =
FF - ProfilePath - c:\users\Nick F\AppData\Roaming\Mozilla\Firefox\Profiles\l4fjkkx4.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-uTorrent - c:\program files\uTorrent\uTorrent.exe
AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-16 14:21
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-05-16 14:26:59
ComboFix-quarantined-files.txt 2010-05-16 21:26

Pre-Run: 67,170,816,000 bytes free
Post-Run: 67,178,115,072 bytes free

- - End Of File - - EDE8E4AB2E0E316DEEADC12E5D0D84FC


Re: Fake Anti Virus

Post by Belahzur on Mon May 17, 2010 9:40 pm

Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    DDS::
    uStart Page = about:blank
    uInternet Settings,ProxyServer = 127.0.0.1:5555
    uInternet Settings,ProxyOverride =

    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.



Re: Fake Anti Virus

Post by TheBlackScepter on Mon May 17, 2010 10:21 pm

here


ComboFix 10-05-16.02 - Nick F 05/17/2010 17:50:41.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1738 [GMT -7:00]
Running from: c:\users\Nick F\Desktop\ComboFix.exe
Command switches used :: c:\users\Nick F\Desktop\CFscript.txt.lnk
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 )))))))))))))))))))))))))))))))
.

2010-05-18 01:02 . 2010-05-18 01:02 -------- d-----w- c:\users\Nick F\AppData\Local\temp
2010-05-18 01:02 . 2010-05-18 01:02 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-05-18 01:02 . 2010-05-18 01:02 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-18 01:02 . 2010-05-18 01:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-17 15:36 . 2010-05-17 15:36 -------- d-----w- c:\program files\iPod
2010-05-17 15:30 . 2010-05-17 15:30 -------- d-----w- c:\program files\Bonjour
2010-05-17 15:23 . 2010-05-17 15:23 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-16 19:13 . 2010-04-20 23:45 607472 ----a-w- c:\programdata\Yahoo!\YUpdater\yupdater.exe
2010-05-16 01:47 . 2010-05-16 01:50 -------- d-----w- C:\Lop SD
2010-05-16 01:42 . 2010-05-16 01:42 -------- d-----w- C:\_OTL
2010-05-12 14:50 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-18 00:23 . 2009-03-28 19:16 680 ----a-w- c:\users\Nick F\AppData\Local\d3d9caps.dat
2010-05-18 00:23 . 2009-02-11 18:58 31966 ----a-w- c:\programdata\nvModes.dat
2010-05-17 23:46 . 2009-12-04 23:44 1 ----a-w- c:\users\Nick F\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-17 15:38 . 2010-03-06 01:51 -------- d-----w- c:\program files\iTunes
2010-05-17 15:36 . 2009-09-22 17:41 -------- d-----w- c:\program files\Common Files\Apple
2010-05-16 20:36 . 2009-08-21 19:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-16 19:13 . 2008-06-25 06:52 -------- d-----w- c:\program files\Yahoo!
2010-05-16 02:34 . 2008-06-25 07:03 -------- d-----w- c:\program files\Java
2010-05-16 02:08 . 2009-07-04 18:52 -------- d-----w- c:\program files\uTorrent
2010-05-16 02:08 . 2009-07-04 18:51 -------- d-----w- c:\users\Nick F\AppData\Roaming\uTorrent
2010-05-16 01:47 . 2009-03-06 00:59 -------- d-----w- c:\program files\Viewpoint
2010-05-15 10:03 . 2008-06-25 06:30 -------- d-----w- c:\programdata\Microsoft Help
2010-05-13 17:51 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-12 22:41 . 2009-03-09 04:04 37472 ----a-w- c:\users\Nick F\AppData\Roaming\wklnhst.dat
2010-05-06 17:36 . 2009-10-03 17:57 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-30 04:40 . 2009-03-06 01:24 -------- d-----w- c:\program files\Messenger Plus! Live
2010-04-29 22:39 . 2009-08-21 19:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-08-21 19:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 01:49 . 2010-03-03 04:18 1335048 ----a-w- c:\windows\Help\OEM\scripts\SamsungHDDFW1HC.exe
2010-04-14 21:32 . 2009-03-06 00:47 -------- d-----w- c:\programdata\Yahoo! Companion
2010-04-14 05:11 . 2008-06-25 05:39 -------- d-----w- c:\programdata\WildTangent
2010-04-08 23:48 . 2010-04-28 03:36 18184 ----a-w- c:\windows\Help\OEM\scripts\HPHC_BUY_BATTERY.exe
2010-04-08 23:48 . 2010-03-24 03:15 17160 ----a-w- c:\windows\Help\OEM\scripts\HPHCDisableObject.exe
2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-07 00:52 . 2010-04-28 03:36 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_Launch.exe
2010-04-04 16:29 . 2010-04-04 16:28 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-04 16:23 . 2010-04-04 16:22 -------- d-----w- c:\program files\QuickTime
2010-04-04 16:02 . 2010-04-04 16:02 -------- d-----w- c:\program files\Safari
2010-04-04 15:58 . 2010-04-04 15:58 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-04-04 04:47 . 2009-02-11 19:02 -------- d-----w- c:\programdata\NVIDIA
2010-04-03 02:53 . 2010-04-03 02:53 -------- d-----w- c:\users\Nick F\AppData\Roaming\Greyfirst
2010-04-03 02:52 . 2010-04-03 02:52 -------- d-----w- c:\program files\Celtx
2010-03-27 02:06 . 2008-06-25 05:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-27 02:03 . 2009-12-26 02:22 2485883 ----a-w- c:\programdata\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
2010-03-26 20:15 . 2009-12-28 07:11 -------- d-----w- c:\programdata\Lx_cats
2010-03-09 16:25 . 2010-03-31 14:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-03-31 14:19 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-04 17:33 . 2010-04-14 21:10 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 01:52 . 2009-03-06 01:05 81208 ----a-w- c:\users\Nick F\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-03 23:18 . 2009-08-09 05:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-23 11:10 . 2010-04-14 21:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:10 . 2010-04-14 21:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:10 . 2010-04-14 21:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-20 23:06 . 2010-03-11 17:14 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 17:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 17:14 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-18 14:07 . 2010-04-14 21:08 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-18 14:07 . 2010-04-14 21:10 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-18 14:07 . 2010-04-14 21:10 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-18 13:30 . 2010-04-14 21:08 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-02-18 11:28 . 2010-04-14 21:08 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-05-11 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-04-02 468264]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2007-03-14 321088]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"SPC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SPC230NC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0316.3\mswinext.exe" [2009-09-28 240976]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"lxdmmon.exe"="c:\program files\Lexmark 5000 Series\lxdmmon.exe" [2007-12-14 455336]
"lxdmamon"="c:\program files\Lexmark 5000 Series\lxdmamon.exe" [2007-12-14 25256]
"Lexmark 5000 Series Fax Server"="c:\program files\Lexmark 5000 Series\fm3032.exe" [2007-12-14 307880]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\users\Nick F\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2009-12-25 266240]
Magic-i.lnk - c:\program files\ArcSoft\Magic-i 3\Magic-i.exe [2009-12-25 530944]
TrayMin230.lnk - c:\program files\Philips\Philips SPC230NC Webcam\TrayMin230.exe [2009-7-30 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):9b,5e,bc,5c,78,6c,ca,01

R3 PAEAFLT.sys;USB Composite Device;c:\windows\system32\DRIVERS\PAEAFLT.sys [2007-09-26 8576]
R3 SPC230NC;Philips SPC230NC Webcam;c:\windows\system32\DRIVERS\SPC230NC.SYS [2007-12-31 461056]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-02-05 51792]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-04-25 361808]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-03 42528]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-12 c:\windows\Tasks\HPCeeScheduleForNick F.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-06-25 03:03]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = 127.0.0.1:5555
uInternet Settings,ProxyOverride = ;*.local
FF - ProfilePath - c:\users\Nick F\AppData\Roaming\Mozilla\Firefox\Profiles\l4fjkkx4.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-17 18:02
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Nick F\AppData\Roaming\Microsoft\Windows\Cookies\nick_f@purenetworks[2].txt

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5128)
c:\program files\Pure Networks\Network Magic\nmrsrc.dll
.
Completion time: 2010-05-17 18:08:12
ComboFix-quarantined-files.txt 2010-05-18 01:08
ComboFix2.txt 2010-05-16 21:26

Pre-Run: 67,698,438,144 bytes free
Post-Run: 67,684,704,256 bytes free

- - End Of File - - C3C3013BE86E7043C1F6331D364084F7


Re: Fake Anti Virus

Post by Belahzur on Tue May 18, 2010 10:24 pm

Hello.
You ran ComboFix normally without using my script, so please use my provided script and post the new report.



Re: Fake Anti Virus

Post by TheBlackScepter on Wed May 19, 2010 4:18 pm

I accidentally forgot to save it on the desktop, fixed that, and reran the program.

ComboFix 10-05-17.05 - Nick F 05/19/2010 11:56:35.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1712 [GMT -7:00]
Running from: c:\users\Nick F\Desktop\ComboFix.exe
Command switches used :: c:\users\Nick F\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-04-19 to 2010-05-19 )))))))))))))))))))))))))))))))
.

2010-05-19 19:07 . 2010-05-19 19:08 -------- d-----w- c:\users\Nick F\AppData\Local\temp
2010-05-19 19:07 . 2010-05-19 19:07 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-05-19 19:07 . 2010-05-19 19:07 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-19 19:07 . 2010-05-19 19:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-17 15:36 . 2010-05-17 15:36 -------- d-----w- c:\program files\iPod
2010-05-17 15:30 . 2010-05-17 15:30 -------- d-----w- c:\program files\Bonjour
2010-05-17 15:23 . 2010-05-17 15:23 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-16 19:13 . 2010-04-20 23:45 607472 ----a-w- c:\programdata\Yahoo!\YUpdater\yupdater.exe
2010-05-16 01:47 . 2010-05-16 01:50 -------- d-----w- C:\Lop SD
2010-05-16 01:42 . 2010-05-16 01:42 -------- d-----w- C:\_OTL
2010-05-12 14:50 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-19 18:47 . 2009-02-11 18:58 31966 ----a-w- c:\programdata\nvModes.dat
2010-05-19 03:08 . 2009-12-04 23:44 1 ----a-w- c:\users\Nick F\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-18 17:54 . 2009-12-28 07:11 -------- d-----w- c:\programdata\Lx_cats
2010-05-18 00:23 . 2009-03-28 19:16 680 ----a-w- c:\users\Nick F\AppData\Local\d3d9caps.dat
2010-05-17 15:38 . 2010-03-06 01:51 -------- d-----w- c:\program files\iTunes
2010-05-17 15:36 . 2009-09-22 17:41 -------- d-----w- c:\program files\Common Files\Apple
2010-05-16 20:36 . 2009-08-21 19:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-16 19:13 . 2008-06-25 06:52 -------- d-----w- c:\program files\Yahoo!
2010-05-16 02:34 . 2008-06-25 07:03 -------- d-----w- c:\program files\Java
2010-05-16 02:08 . 2009-07-04 18:52 -------- d-----w- c:\program files\uTorrent
2010-05-16 02:08 . 2009-07-04 18:51 -------- d-----w- c:\users\Nick F\AppData\Roaming\uTorrent
2010-05-16 01:47 . 2009-03-06 00:59 -------- d-----w- c:\program files\Viewpoint
2010-05-15 10:03 . 2008-06-25 06:30 -------- d-----w- c:\programdata\Microsoft Help
2010-05-13 17:51 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-12 22:41 . 2009-03-09 04:04 37472 ----a-w- c:\users\Nick F\AppData\Roaming\wklnhst.dat
2010-05-06 17:36 . 2009-10-03 17:57 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-30 04:40 . 2009-03-06 01:24 -------- d-----w- c:\program files\Messenger Plus! Live
2010-04-29 22:39 . 2009-08-21 19:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-08-21 19:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 01:49 . 2010-03-03 04:18 1335048 ----a-w- c:\windows\Help\OEM\scripts\SamsungHDDFW1HC.exe
2010-04-14 21:32 . 2009-03-06 00:47 -------- d-----w- c:\programdata\Yahoo! Companion
2010-04-14 05:11 . 2008-06-25 05:39 -------- d-----w- c:\programdata\WildTangent
2010-04-08 23:48 . 2010-04-28 03:36 18184 ----a-w- c:\windows\Help\OEM\scripts\HPHC_BUY_BATTERY.exe
2010-04-08 23:48 . 2010-03-24 03:15 17160 ----a-w- c:\windows\Help\OEM\scripts\HPHCDisableObject.exe
2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-07 00:52 . 2010-04-28 03:36 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_Launch.exe
2010-04-04 16:29 . 2010-04-04 16:28 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-04 16:23 . 2010-04-04 16:22 -------- d-----w- c:\program files\QuickTime
2010-04-04 16:02 . 2010-04-04 16:02 -------- d-----w- c:\program files\Safari
2010-04-04 15:58 . 2010-04-04 15:58 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-04-04 04:47 . 2009-02-11 19:02 -------- d-----w- c:\programdata\NVIDIA
2010-04-03 02:53 . 2010-04-03 02:53 -------- d-----w- c:\users\Nick F\AppData\Roaming\Greyfirst
2010-04-03 02:52 . 2010-04-03 02:52 -------- d-----w- c:\program files\Celtx
2010-03-27 02:06 . 2008-06-25 05:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-27 02:03 . 2009-12-26 02:22 2485883 ----a-w- c:\programdata\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
2010-03-09 16:25 . 2010-03-31 14:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-03-31 14:19 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-04 17:33 . 2010-04-14 21:10 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 01:52 . 2009-03-06 01:05 81208 ----a-w- c:\users\Nick F\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-03 23:18 . 2009-08-09 05:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-23 11:10 . 2010-04-14 21:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:10 . 2010-04-14 21:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:10 . 2010-04-14 21:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-20 23:06 . 2010-03-11 17:14 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 17:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 17:14 411648 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-05-11 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-04-02 468264]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2007-03-14 321088]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"SPC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SPC230NC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0316.3\mswinext.exe" [2009-09-28 240976]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"lxdmmon.exe"="c:\program files\Lexmark 5000 Series\lxdmmon.exe" [2007-12-14 455336]
"lxdmamon"="c:\program files\Lexmark 5000 Series\lxdmamon.exe" [2007-12-14 25256]
"Lexmark 5000 Series Fax Server"="c:\program files\Lexmark 5000 Series\fm3032.exe" [2007-12-14 307880]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\users\Nick F\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2009-12-25 266240]
Magic-i.lnk - c:\program files\ArcSoft\Magic-i 3\Magic-i.exe [2009-12-25 530944]
TrayMin230.lnk - c:\program files\Philips\Philips SPC230NC Webcam\TrayMin230.exe [2009-7-30 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):9b,5e,bc,5c,78,6c,ca,01

R3 PAEAFLT.sys;USB Composite Device;c:\windows\system32\DRIVERS\PAEAFLT.sys [2007-09-26 8576]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-02-05 51792]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-03 42528]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-19 c:\windows\Tasks\HPCeeScheduleForNick F.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-06-25 03:03]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\users\Nick F\AppData\Roaming\Mozilla\Firefox\Profiles\l4fjkkx4.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-19 12:08
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3540)
c:\program files\Pure Networks\Network Magic\nmrsrc.dll
.
Completion time: 2010-05-19 12:14:08
ComboFix-quarantined-files.txt 2010-05-19 19:14
ComboFix2.txt 2010-05-18 01:08
ComboFix3.txt 2010-05-16 21:26

Pre-Run: 68,452,835,328 bytes free
Post-Run: 68,437,159,936 bytes free

- - End Of File - - 533163FA2B90949E06515EF2B52551FC

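The two ComboFix runs above differ in their "Supplementary Scan" sections in exactly the entries the CFScript was meant to clear: the first run lists `uInternet Settings,ProxyServer = 127.0.0.1:5555` together with `uInternet Settings,ProxyOverride` and `uStart Page = about:blank`, and the second run no longer has them. A browser proxy that points at the local machine and that the user never configured means some process on the host is sitting between the browser and the network, which is a common way for rogue "antivirus" products to block real security sites. The Python script below is an added example, not code from this forum or from ComboFix: it parses that section of both logs (transcribed here as constructed sample input, with the start pages the forum hides replaced by a labelled placeholder), flags a loopback proxy, notes a non-default Firefox proxy mode for review, and diffs the two runs so the effect of a fix is visible at a glance. The only line shapes it understands are the ones that appear in these logs.

```python
"""Parse the ComboFix 'Supplementary Scan' section, flag a loopback proxy,
and diff two runs (before and after a CFScript) to show what was removed."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample input: the Supplementary Scan lines transcribed from the
# two ComboFix runs posted in this thread. The forum hides the start-page URLs,
# so a labelled placeholder stands in for them.
BEFORE_CFSCRIPT = """\
uStart Page = about:blank
mStart Page = [start page hidden by forum]
uInternet Settings,ProxyServer = 127.0.0.1:5555
uInternet Settings,ProxyOverride = ;*.local
FF - ProfilePath - c:\\users\\Nick F\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\l4fjkkx4.default\\
FF - prefs.js: browser.startup.homepage - [start page hidden by forum]
FF - prefs.js: network.proxy.type - 4
"""

AFTER_CFSCRIPT = """\
mStart Page = [start page hidden by forum]
FF - ProfilePath - c:\\users\\Nick F\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\l4fjkkx4.default\\
FF - prefs.js: browser.startup.homepage - [start page hidden by forum]
FF - prefs.js: network.proxy.type - 4
"""

# Line shapes seen in the section:
#   uKey = value                  (u = per-user HKCU setting, m = machine HKLM)
#   FF - prefs.js: name - value   (a Firefox preference)
#   FF - Kind - value             (ProfilePath, plugin, component, ...)
_IE_LINE = re.compile(r"^([um][^=]+?) = (.*)$")
_FF_PREF = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
_FF_OTHER = re.compile(r"^FF - ([A-Za-z]+) - (.*)$")


def parse_supplementary(text: str) -> Dict[str, str]:
    """Turn Supplementary Scan lines into a {setting: value} map."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = _FF_PREF.match(line)
        if m:
            entries["FF prefs.js:" + m.group(1)] = m.group(2)
            continue
        m = _FF_OTHER.match(line)
        if m:
            # Several plugin/component lines share a kind; keep each one distinct.
            entries[f"FF {m.group(1)}:{m.group(2)}"] = m.group(2)
            continue
        m = _IE_LINE.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
            continue
        entries[line] = ""  # unknown shape: keep the raw line as a key
    return entries


def proxy_hosts(value: str) -> List[str]:
    """Split an IE ProxyServer value ('host:port' or 'http=host:port;https=...')
    into bare, lower-cased host names."""
    hosts: List[str] = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        hostport = part.split("=", 1)[-1]  # drop an optional "http=" scheme prefix
        hosts.append(hostport.rsplit(":", 1)[0].strip().lower())
    return hosts


def is_loopback(host: str) -> bool:
    """True for 'localhost' and any address in the loopback range."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a host name, not an IP literal


Finding = Tuple[str, str, str]  # (severity, setting, explanation)


def find_indicators(entries: Dict[str, str]) -> List[Finding]:
    """Flag settings that a clean machine should not have."""
    findings: List[Finding] = []
    for key, value in entries.items():
        if key.endswith("ProxyServer"):
            for host in proxy_hosts(value):
                if is_loopback(host):
                    findings.append(("high", key,
                                     f"proxy {value} points at the local machine: "
                                     "a process on this host is relaying browser traffic"))
        elif key == "FF prefs.js:network.proxy.type" and value not in ("0", "5"):
            # Firefox: 0 = no proxy, 5 = use system settings (the default).
            findings.append(("info", key,
                             f"Firefox proxy mode {value} is neither none (0) nor system (5); review it"))
    return findings


def diff_runs(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Report which settings disappeared, appeared, or changed between two runs."""
    return {
        "removed": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
    }


if __name__ == "__main__":
    first, second = parse_supplementary(BEFORE_CFSCRIPT), parse_supplementary(AFTER_CFSCRIPT)
    for severity, setting, why in find_indicators(first):
        print(f"[{severity}] {setting}: {why}")
    for kind, keys in diff_runs(first, second).items():
        for key in keys:
            print(f"{kind}: {key}")
```

Run as-is it reports the loopback proxy from the first log as a high finding and lists the three entries that the second run no longer contains; the Firefox `network.proxy.type - 4` line (auto-detect) shows up in both runs as an informational item only, since it is a legitimate mode that is merely worth a look after a hijack.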

Re: Fake Anti Virus

Post by Belahzur on Wed May 19, 2010 10:38 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



Re: Fake Anti Virus

Post by TheBlackScepter on Wed May 19, 2010 10:42 pm

Done.

The machine is running fine. No fake virus scan pop ups, no redirecting to websites, no 'alerts'. It is running at a normal speed. Everything seems to be running as fine as it was before it was attacked.


Re: Fake Anti Virus

Post by Belahzur on Wed May 19, 2010 10:51 pm

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.



Re: Fake Anti Virus

Post by TheBlackScepter on Fri May 21, 2010 12:41 pm

I ran the program and it found and deleted six leftover trojans from the virus, but I can't seem to find the logs for it. I searched on my computer for the file mentioned but I cannot find it.


Re: Fake Anti Virus

Post by Belahzur on Fri May 21, 2010 1:50 pm

Hello.

Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select your platform, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe that you downloaded to install the newest version.

Then download and install [You must be registered and logged in to see this link.]

How is the machine running now?



Re: Fake Anti Virus

Post by TheBlackScepter on Fri May 21, 2010 6:16 pm

I installed everything asked of me.

Everything is working fine. Before I ran the ESET scanner there were pieces of odd data that I found; once the scan was complete and the infections removed, the data vanished. Everything seems to be working as fine as it was before.


Re: Fake Anti Virus

Post by Belahzur on Fri May 21, 2010 10:02 pm

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.


