Win32.FraudLoad.edt still not allowing Windows Security Center to run



ms_curmudge0n
2010-12-18, 10:26
Hi,

I got a virus earlier today (brain said "don't allow" as my fingers clicked "allow") - I knew the file was bad as I opened it. Anyway, I downloaded and ran Spybot. Here is what it originally found:



--- Report generated: 2010-12-17 23:52 ---

Win32.FraudLoad.edt: [SBI $8454102F] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1860931620-3416279968-1384942285-1000\Software\NtWqIVLZEWZU

Win32.FraudLoad.edt: [SBI $354F3C2C] Data (File, fixed)
C:\Windows\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

Although it seemed to successfully locate and fix the original problem, I still can't get the Security Center service to run (even if I go into services, change it to run automatically, and start the service - it just becomes disabled again). When I run Spybot now, this is what I get:


--- Report generated: 2010-12-18 00:33 ---

Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

However, it doesn't actually fix whatever is disabling Security Center. I have Norton AV, and it has found nothing; Windows Defender is rendered unable to run in the same manner as the Security Center.

Any help would be much appreciated!


DDS (Ver_10-12-12.02) - NTFSx86
Run by Victor at 1:02:27.42 on Sat 12/18/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1919.1006 [GMT -8:00]

AV: SymantecAntiVirus *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: SymantecAntiVirus *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}

============== Running Processes ===============

C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\atieclxx.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\taskhost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\System Control Manager\MSIService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\rundll32.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\msi\EasyFace Logon\KillAutoAP.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\PowerMenu\PowerMenu.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\DllHost.exe
C:\windows\system32\msiexec.exe
C:\windows\system32\wuauclt.exe
C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\SearchProtocolHost.exe
C:\Users\Victor\Desktop\dds.scr
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://msi.msn.com
uDefault_Page_URL = hxxp://msi.msn.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [EasyFace Agent] c:\program files\msi\easyface logon\KillAutoAP.exe
mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\victor\appdata\roaming\micros~1\windows\startm~1\programs\startup\powerm~1.lnk - c:\program files\powermenu\PowerMenu.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\victor\appdata\roaming\mozilla\firefox\profiles\690xq680.plain\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2002-1-15 172032]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2002-1-15 160768]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-19 102448]
R3 netr28;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\drivers\netr28.sys [2009-9-29 626688]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-3-4 277536]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2002-1-15 27320]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [2002-1-15 17408]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2002-1-15 166912]

=============== Created Last 30 ================

2010-12-18 08:53:40 -------- d-----w- c:\users\victor\appdata\local\HuluDesktop
2010-12-18 07:18:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-18 07:18:20 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-12-17 23:15:05 126464 --sha-r- c:\windows\system32\usbmonx.dll
2010-12-17 10:22:28 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{098cd548-c609-455e-bccf-4f02793f6827}\mpengine.dll
2010-11-23 21:08:01 7680 ----a-w- c:\program files\internet explorer\iecompat.dll

==================== Find3M ====================

2010-10-19 18:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-23 07:47:28 49016 ----a-w- c:\windows\system32\sirenacm.dll
2010-09-23 07:32:56 301936 ----a-w- c:\windows\WLXPGSS.SCR
2010-09-21 21:03:14 208768 ----a-w- c:\windows\system32\LIVESSP.DLL

============= FINISH: 1:04:02.50 ===============
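The symptom above (the wscsvc Start value being set back to Disabled after it is fixed) is easiest to confirm by reading the value straight from the registry path Spybot reported and watching it over time. The following PowerShell is an added example for that check; it is not from the original post or from ken545's instructions. It assumes the Windows 7 layout shown in the thread (HKLM\SYSTEM\CurrentControlSet\Services\<name>\Start) and uses the two service names the logs mention, wscsvc and WinDefend.

```powershell
# Added example (not part of the thread): report and watch the Start type of
# wscsvc (Security Center) and WinDefend (Windows Defender), the two services
# the thread shows being re-disabled. Start values: 2 = Automatic, 3 = Manual,
# 4 = Disabled. Assumes the Windows 7 services key layout from the Spybot report.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$StartNames  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceStartType {
    # One row per service: raw Start value, its meaning, and the live SCM status.
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($svc in $Name) {
        $key = Join-Path $ServicesKey $svc
        if (-not (Test-Path $key)) {
            [pscustomobject]@{ Service = $svc; Start = $null; StartType = 'KeyMissing'; Status = 'n/a' }
            continue
        }
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        $state = (Get-Service -Name $svc -ErrorAction SilentlyContinue).Status
        if ($null -eq $start) {
            $label = 'ValueMissing'
        } elseif ($StartNames.ContainsKey([int]$start)) {
            $label = $StartNames[[int]$start]
        } else {
            $label = "Unknown($start)"
        }
        if ($state) { $status = "$state" } else { $status = 'n/a' }
        [pscustomobject]@{ Service = $svc; Start = $start; StartType = $label; Status = $status }
    }
}

function Watch-ServiceStartType {
    # Poll the Start values and warn, with a timestamp, the moment one changes.
    # Run this right after setting the service back to Automatic in services.msc:
    # a flip back to Disabled while you watch means something is still active.
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [int]$Seconds = 120,
        [int]$IntervalSeconds = 5
    )
    $last = @{}
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        foreach ($row in Get-ServiceStartType -Name $Name) {
            $prev = $last[$row.Service]
            if ($null -ne $prev -and $prev -ne $row.StartType) {
                Write-Warning ("{0:u} {1}: Start changed {2} -> {3}" -f (Get-Date), $row.Service, $prev, $row.StartType)
            }
            $last[$row.Service] = $row.StartType
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
    # Final state of each watched service, keyed by service name.
    return $last
}

# Usage: one-shot report, then a two-minute watch of the same two services.
Get-ServiceStartType -Name wscsvc, WinDefend | Format-Table -AutoSize
Watch-ServiceStartType -Name wscsvc, WinDefend -Seconds 120
```

Run it from an elevated PowerShell prompt; a change logged during the watch window tells you the re-disabling is still happening and roughly how quickly, which is what the cleanup tools below need to account for.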

ken545
2010-12-24, 13:19


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Sorry for the delay, we get overwhelmed at times, but I am linked to you now.

Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please






OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.

ms_curmudge0n
2010-12-27, 22:39
OTL stuff coming soon...

ms_curmudge0n
2010-12-27, 22:45
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5405

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/27/2010 1:22:38 PM
mbam-log-2010-12-27 (13-22-38).txt

Scan type: Quick scan
Objects scanned: 144658
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 33

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\H3O8CABBPI (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\JP595IR86O (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\usbmonx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\K8Q90DHP\inst[10].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\K8Q90DHP\inst[1].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\K8Q90DHP\inst[2].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\K8Q90DHP\inst[3].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\K8Q90DHP\inst[4].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\K8Q90DHP\inst[5].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\K8Q90DHP\inst[6].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\K8Q90DHP\inst[7].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\K8Q90DHP\inst[8].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\K8Q90DHP\inst[9].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\OUNNG0ZK\inst[1].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\OUNNG0ZK\inst[2].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\OUNNG0ZK\inst[3].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\OUNNG0ZK\inst[4].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\OUNNG0ZK\inst[5].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\PLF47TF7\inst[10].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\PLF47TF7\inst[1].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\PLF47TF7\inst[2].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\PLF47TF7\inst[3].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\PLF47TF7\inst[4].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\PLF47TF7\inst[5].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\PLF47TF7\inst[6].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\PLF47TF7\inst[7].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\PLF47TF7\inst[8].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\PLF47TF7\inst[9].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\TNG6NZ80\inst[1].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\TNG6NZ80\inst[2].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\TNG6NZ80\inst[3].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\TNG6NZ80\inst[4].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\TNG6NZ80\inst[5].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\TNG6NZ80\inst[6].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Victor\local settings\temporary internet files\Content.IE5\TNG6NZ80\inst[7].exe (Trojan.GBFE) -> Quarantined and deleted successfully.

ms_curmudge0n
2010-12-27, 22:51
OTL logfile created on: 12/27/2010 1:46:57 PM - Run 2
OTL by OldTimer - Version 3.2.18.0 Folder = C:\Users\Victor\Desktop
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 133.67 Gb Total Space | 116.30 Gb Free Space | 87.01% Space Free | Partition Type: NTFS
Drive D: | 89.11 Gb Total Space | 88.11 Gb Free Space | 98.87% Space Free | Partition Type: NTFS

Computer Name: VICTOR-NETBOOK | User Name: Victor | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Victor\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac (ArcSoft Inc.)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\atieclxx.exe (AMD)
PRC - C:\Windows\System32\atiesrxx.exe (AMD)
PRC - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
PRC - C:\Program Files\System Control Manager\MGSysCtrl.exe (Micro-Star International Co., Ltd.)
PRC - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Program Files\msi\EasyFace Logon\KillAutoAP.exe ()
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Program Files\System Control Manager\MSIService.exe (Micro-Star International Co., Ltd.)
PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\PowerMenu\PowerMenu.exe (Thong Nguyen)


========== Modules (SafeList) ==========

MOD - C:\Users\Victor\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\sspicli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\sechost.dll (Microsoft Corporation)
MOD - C:\Windows\System32\samcli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\profapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\netutils.dll (Microsoft Corporation)
MOD - C:\Windows\System32\KernelBase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\dwmapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\devobj.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cryptbase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cfgmgr32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (AMD External Events Utility) -- C:\Windows\System32\atiesrxx.exe (AMD)
SRV - (Symantec AntiVirus) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (SavRoam) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe (symantec)
SRV - (DefWatch) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
SRV - (WwanSvc) -- C:\Windows\System32\wwansvc.dll (Microsoft Corporation)
SRV - (WbioSrvc) -- C:\Windows\System32\wbiosrvc.dll (Microsoft Corporation)
SRV - (Power) -- C:\Windows\System32\umpo.dll (Microsoft Corporation)
SRV - (Themes) -- C:\Windows\System32\themeservice.dll (Microsoft Corporation)
SRV - (sppuinotify) -- C:\Windows\System32\sppuinotify.dll (Microsoft Corporation)
SRV - (RpcEptMapper) -- C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PNRPsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (p2pimsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (HomeGroupProvider) -- C:\Windows\System32\provsvc.dll (Microsoft Corporation)
SRV - (PNRPAutoReg) -- C:\Windows\System32\pnrpauto.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (HomeGroupListener) -- C:\Windows\System32\ListSvc.dll (Microsoft Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (Dhcp) -- C:\Windows\System32\dhcpcore.dll (Microsoft Corporation)
SRV - (defragsvc) -- C:\Windows\System32\defragsvc.dll (Microsoft Corporation)
SRV - (BDESVC) -- C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
SRV - (AxInstSV) ActiveX Installer (AxInstSV) -- C:\Windows\System32\AxInstSv.dll (Microsoft Corporation)
SRV - (AppIDSvc) -- C:\Windows\System32\appidsvc.dll (Microsoft Corporation)
SRV - (sppsvc) -- C:\Windows\System32\sppsvc.exe (Microsoft Corporation)
SRV - (Micro Star SCM) -- C:\Program Files\System Control Manager\MSIService.exe (Micro-Star International Co., Ltd.)
SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)


========== Driver Services (SafeList) ==========

DRV - (USBCCID) -- C:\windows\System32\DRIVERS\RtsUCcid.sys File not found
DRV - (RtsUIR) -- C:\windows\System32\DRIVERS\Rts516xIR.sys File not found
DRV - (NAVEX15) -- C:\ProgramData\Symantec\Definitions\VirusDefs\20101227.002\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\ProgramData\Symantec\Definitions\VirusDefs\20101227.002\NAVENG.SYS (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (SymEvent) -- C:\Windows\System32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (RTL8167) -- C:\Windows\System32\drivers\Rt86win7.sys (Realtek )
DRV - (KSecPkg) -- C:\windows\System32\Drivers\ksecpkg.sys (Microsoft Corporation)
DRV - (AtiHdmiService) -- C:\Windows\System32\drivers\AtiHdmi.sys (ATI Technologies, Inc.)
DRV - (AtiPcie) AMD PCI Express (3GIO) -- C:\windows\system32\DRIVERS\AtiPcie.sys (Advanced Micro Devices Inc.)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (netr28) -- C:\Windows\System32\drivers\netr28.sys (Ralink Technology, Corp.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (RTHDMIAzAudService) -- C:\Windows\System32\drivers\RtHDMIV.sys (Realtek Semiconductor Corp.)
DRV - (cmdide) -- C:\windows\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (adpahci) -- C:\windows\system32\DRIVERS\adpahci.sys (Adaptec, Inc.)
DRV - (adp94xx) -- C:\windows\system32\DRIVERS\adp94xx.sys (Adaptec, Inc.)
DRV - (amdsbs) -- C:\windows\system32\DRIVERS\amdsbs.sys (AMD Technologies Inc.)
DRV - (adpu320) -- C:\windows\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\windows\system32\DRIVERS\arcsas.sys (Adaptec, Inc.)
DRV - (amdsata) -- C:\windows\system32\DRIVERS\amdsata.sys (Advanced Micro Devices)
DRV - (arc) -- C:\windows\system32\DRIVERS\arc.sys (Adaptec, Inc.)
DRV - (amdxata) -- C:\windows\system32\DRIVERS\amdxata.sys (Advanced Micro Devices)
DRV - (aliide) -- C:\windows\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (nvstor) -- C:\windows\system32\DRIVERS\nvstor.sys (NVIDIA Corporation)
DRV - (nvraid) -- C:\windows\system32\DRIVERS\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\windows\system32\DRIVERS\nfrd960.sys (IBM Corporation)
DRV - (LSI_SAS) -- C:\windows\system32\DRIVERS\lsi_sas.sys (LSI Corporation)
DRV - (iaStorV) -- C:\windows\system32\DRIVERS\iaStorV.sys (Intel Corporation)
DRV - (MegaSR) -- C:\windows\system32\DRIVERS\MegaSR.sys (LSI Corporation, Inc.)
DRV - (LSI_SCSI) -- C:\windows\system32\DRIVERS\lsi_scsi.sys (LSI Corporation)
DRV - (LSI_FC) -- C:\windows\system32\DRIVERS\lsi_fc.sys (LSI Corporation)
DRV - (LSI_SAS2) -- C:\windows\system32\DRIVERS\lsi_sas2.sys (LSI Corporation)
DRV - (iirsp) -- C:\windows\system32\DRIVERS\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (megasas) -- C:\windows\system32\DRIVERS\megasas.sys (LSI Corporation)
DRV - (hwpolicy) -- C:\windows\System32\drivers\hwpolicy.sys (Microsoft Corporation)
DRV - (elxstor) -- C:\windows\system32\DRIVERS\elxstor.sys (Emulex)
DRV - (aic78xx) -- C:\windows\system32\DRIVERS\djsvs.sys (Adaptec, Inc.)
DRV - (HpSAMD) -- C:\windows\system32\DRIVERS\HpSAMD.sys (Hewlett-Packard Company)
DRV - (FsDepends) -- C:\Windows\System32\drivers\fsdepends.sys (Microsoft Corporation)
DRV - (vsmraid) -- C:\windows\system32\DRIVERS\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (vhdmp) -- C:\windows\system32\DRIVERS\vhdmp.sys (Microsoft Corporation)
DRV - (vdrvroot) -- C:\windows\system32\DRIVERS\vdrvroot.sys (Microsoft Corporation)
DRV - (WIMMount) -- C:\Windows\System32\drivers\wimmount.sys (Microsoft Corporation)
DRV - (viaide) -- C:\windows\system32\DRIVERS\viaide.sys (VIA Technologies, Inc.)
DRV - (ql2300) -- C:\windows\system32\DRIVERS\ql2300.sys (QLogic Corporation)
DRV - (rdyboost) -- C:\windows\System32\drivers\rdyboost.sys (Microsoft Corporation)
DRV - (ql40xx) -- C:\windows\system32\DRIVERS\ql40xx.sys (QLogic Corporation)
DRV - (SiSRaid4) -- C:\windows\system32\DRIVERS\sisraid4.sys (Silicon Integrated Systems)
DRV - (pcw) -- C:\windows\System32\drivers\pcw.sys (Microsoft Corporation)
DRV - (SiSRaid2) -- C:\windows\system32\DRIVERS\SiSRaid2.sys (Silicon Integrated Systems Corp.)
DRV - (stexstor) -- C:\windows\system32\DRIVERS\stexstor.sys (Promise Technology)
DRV - (CNG) -- C:\windows\System32\Drivers\cng.sys (Microsoft Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.)
DRV - (rdpbus) -- C:\windows\system32\DRIVERS\rdpbus.sys (Microsoft Corporation)
DRV - (RDPREFMP) -- C:\Windows\System32\drivers\RDPREFMP.sys (Microsoft Corporation)
DRV - (RasAgileVpn) WAN Miniport (IKEv2) -- C:\Windows\System32\drivers\agilevpn.sys (Microsoft Corporation)
DRV - (WfpLwf) -- C:\Windows\System32\drivers\wfplwf.sys (Microsoft Corporation)
DRV - (NdisCap) -- C:\Windows\System32\drivers\ndiscap.sys (Microsoft Corporation)
DRV - (vwifimp) -- C:\Windows\System32\drivers\vwifimp.sys (Microsoft Corporation)
DRV - (vwififlt) -- C:\Windows\System32\drivers\vwififlt.sys (Microsoft Corporation)
DRV - (vwifibus) -- C:\Windows\System32\drivers\vwifibus.sys (Microsoft Corporation)
DRV - (1394ohci) -- C:\windows\system32\DRIVERS\1394ohci.sys (Microsoft Corporation)
DRV - (UmPass) -- C:\windows\system32\DRIVERS\umpass.sys (Microsoft Corporation)
DRV - (WinUSB) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (mshidkmdf) -- C:\windows\System32\drivers\mshidkmdf.sys (Microsoft Corporation)
DRV - (MTConfig) -- C:\windows\system32\DRIVERS\MTConfig.sys (Microsoft Corporation)
DRV - (CompositeBus) -- C:\windows\system32\DRIVERS\CompositeBus.sys (Microsoft Corporation)
DRV - (AppID) -- C:\windows\system32\drivers\appid.sys (Microsoft Corporation)
DRV - (scfilter) -- C:\Windows\System32\drivers\scfilter.sys (Microsoft Corporation)
DRV - (discache) -- C:\Windows\System32\drivers\discache.sys (Microsoft Corporation)
DRV - (AcpiPmi) -- C:\windows\system32\DRIVERS\acpipmi.sys (Microsoft Corporation)
DRV - (AmdPPM) -- C:\windows\system32\DRIVERS\amdppm.sys (Microsoft Corporation)
DRV - (hcw85cir) -- C:\windows\system32\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (BrUsbMdm) -- C:\windows\System32\Drivers\BrUsbMdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\windows\System32\Drivers\BrUsbSer.sys (Brother Industries Ltd.)
DRV - (BrSerWdm) -- C:\windows\System32\Drivers\BrSerWdm.sys (Brother Industries Ltd.)
DRV - (BrFiltLo) -- C:\windows\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp) -- C:\windows\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.)
DRV - (smserial) -- C:\Windows\System32\drivers\smserial.sys (Motorola Inc.)
DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation)
DRV - (ebdrv) -- C:\windows\system32\DRIVERS\evbdx.sys (Broadcom Corporation)
DRV - (b06bdrv) -- C:\windows\system32\DRIVERS\bxvbdx.sys (Broadcom Corporation)
DRV - (usbfilter) -- C:\Windows\System32\drivers\usbfilter.sys (Advanced Micro Devices)
DRV - (RSUSBSTOR) -- C:\Windows\System32\drivers\RtsUStor.sys (Realtek Semiconductor Corp.)
DRV - (ArcSoftKsUFilter) -- C:\Windows\System32\drivers\ArcSoftKsUFilter.sys (ArcSoft, Inc.)
DRV - (SRTSPL) -- C:\Windows\System32\drivers\srtspl.sys (Symantec Corporation)
DRV - (SRTSP) -- C:\Windows\System32\drivers\srtsp.sys (Symantec Corporation)
DRV - (SRTSPX) -- C:\Windows\System32\drivers\srtspx.sys (Symantec Corporation)
DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (SYMTDI) -- C:\windows\System32\Drivers\SYMTDI.SYS (Symantec Corporation)
DRV - (SYMREDRV) -- C:\windows\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msi.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://msi.msn.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/18 09:39:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/17 23:34:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.3\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/03/23 21:36:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.3\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/03/23 21:42:38 | 000,000,000 | ---D | M] -- C:\Users\Victor\AppData\Roaming\Mozilla\Extensions
[2010/03/23 21:42:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Victor\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/12/17 23:33:57 | 000,000,000 | ---D | M] -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\690xq680.plain\extensions
[2010/12/16 12:34:41 | 000,000,000 | ---D | M] -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions
[2010/10/04 20:13:01 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{0fed7d55-65d4-47b6-a6de-9a4adb55355f}
[2010/10/04 20:13:02 | 000,000,000 | ---D | M] (FlagTab) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{11615921-d8e7-3e9a-827d-2b41d3e5e22d}
[2010/10/04 20:13:02 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/10/04 20:13:02 | 000,000,000 | ---D | M] (Linkification) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}
[2010/10/28 10:40:33 | 000,000,000 | ---D | M] (Flashblock) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2010/10/04 20:13:02 | 000,000,000 | ---D | M] (Favicon Picker 3) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{446c03e0-2c35-11db-a98b-0800200c9a67}
[2010/10/04 20:13:07 | 000,000,000 | ---D | M] (FEBE) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
[2010/10/04 20:13:07 | 000,000,000 | ---D | M] (Searchbar Autosizer) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{655397ca-4766-496b-b7a8-3a5b176ee4c2}
[2010/10/04 20:13:07 | 000,000,000 | ---D | M] (Nightly Tester Tools) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{8620c15f-30dc-4dba-a131-7c5d20cf4a29}
[2010/10/04 20:13:08 | 000,000,000 | ---D | M] (MR Tech Toolkit) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC}
[2010/10/04 20:13:08 | 000,000,000 | ---D | M] (BugMeNot) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{987311C6-B504-4aa2-90BF-60CC49808D42}
[2010/11/15 14:56:28 | 000,000,000 | ---D | M] (TryAgain) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{992791ee-61dc-7b98-a8fd-dc49b7deeee9}
[2010/10/04 20:13:08 | 000,000,000 | ---D | M] (Table2Clipboard) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{9ab67d74-ec41-4cb2-b417-df5d93ba1beb}
[2010/10/04 20:13:09 | 000,000,000 | ---D | M] (LeechBlock) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{a95d8332-e4b4-6e7f-98ac-20b733364387}
[2010/11/15 14:56:29 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/10/07 19:59:28 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2010/10/07 19:57:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010/10/04 20:13:09 | 000,000,000 | ---D | M] (BlockSite) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
[2010/10/04 20:13:10 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/10/04 20:13:13 | 000,000,000 | ---D | M] (User Agent Switcher) -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
[2010/10/04 20:12:59 | 000,000,000 | ---D | M] -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\bettergcal@ginatrapani.org
[2010/10/04 20:12:59 | 000,000,000 | ---D | M] -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\bettergmail2@ginatrapani.org
[2010/10/04 20:12:59 | 000,000,000 | ---D | M] -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\bettergreader@ginatrapani.org
[2010/10/04 20:13:00 | 000,000,000 | ---D | M] -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\faviconizetab@espion.just-size.jp
[2010/10/04 20:13:00 | 000,000,000 | ---D | M] -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\w4f8ioov.dissertation\extensions\zotero@chnm.gmu.edu
[2010/03/23 20:51:58 | 000,000,000 | ---D | M] -- C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\z82t93hm.default\extensions
[2010/03/23 20:51:33 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2009/06/10 13:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [EasyFace Agent] C:\Program Files\msi\EasyFace Logon\KillAutoAP.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe (Micro-Star International Co., Ltd.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - Startup: C:\Users\Victor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe (Thong Nguyen)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab (Windows Live OneCare safety scanner control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 8.8.8.8 8.8.4.4
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30 - LSA: Security Packages - (pku2u) - C:\windows\System32\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (livessp) - C:\windows\System32\livessp.dll (Microsoft Corp.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 13:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/27 13:16:20 | 000,000,000 | ---D | C] -- C:\Users\Victor\AppData\Roaming\Malwarebytes
[2010/12/27 13:16:04 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2010/12/27 13:16:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/12/27 13:15:59 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2010/12/27 13:15:59 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/12/27 13:14:59 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Victor\Desktop\mbam-setup-1.50.1.1100.exe
[2010/12/27 13:04:51 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Users\Victor\Desktop\OTL.exe
[2010/12/18 01:01:14 | 000,000,000 | ---D | C] -- C:\Users\Victor\Desktop\12-18-2010
[2010/12/18 00:59:54 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/12/18 00:57:58 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Users\Victor\Desktop\erunt-setup.exe
[2010/12/18 00:53:40 | 000,000,000 | ---D | C] -- C:\Users\Victor\AppData\Local\HuluDesktop
[2010/12/18 00:48:52 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/12/17 23:18:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/12/17 23:18:20 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/12/17 16:35:29 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/12/14 13:25:07 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\tzres.dll
[2010/12/14 13:24:54 | 000,606,208 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\mstime.dll
[2010/12/14 13:24:52 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\msfeeds.dll
[2010/12/14 13:24:52 | 000,381,440 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\iedkcs32.dll
[2010/12/14 13:24:52 | 000,185,856 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\iepeers.dll
[2010/12/14 13:24:52 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ieui.dll
[2010/12/14 13:24:51 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\mshtml.tlb
[2010/12/14 13:24:51 | 000,386,048 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\html.iec
[2010/12/14 13:24:51 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\msfeedsbs.dll
[2010/12/14 13:24:51 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\jsproxy.dll
[2010/12/14 13:24:51 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\licmgr10.dll
[2010/12/14 13:24:51 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\msfeedssync.exe
[2010/12/14 13:24:47 | 000,496,128 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\taskschd.dll
[2010/12/14 13:24:47 | 000,351,232 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\wmicmiplugin.dll
[2010/12/14 13:24:46 | 000,305,152 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\taskcomp.dll
[2010/12/14 13:24:46 | 000,179,712 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\schtasks.exe
[2010/12/14 13:24:44 | 000,294,400 | ---- | C] (Adobe Systems Incorporated) -- C:\windows\System32\atmfd.dll
[2010/12/14 13:24:44 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\windows\System32\atmlib.dll
[2010/12/14 13:24:43 | 000,314,368 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\webio.dll
[2010/12/14 13:24:42 | 000,101,760 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\consent.exe
[2010/12/14 13:24:41 | 002,327,552 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\win32k.sys
[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/27 13:35:45 | 000,017,600 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/12/27 13:35:45 | 000,017,600 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/12/27 13:32:57 | 000,624,178 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2010/12/27 13:32:57 | 000,106,522 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2010/12/27 13:26:17 | 000,000,306 | -HS- | M] () -- C:\windows\tasks\bzchpkn.job
[2010/12/27 13:25:42 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2010/12/27 13:25:16 | 1509,400,576 | -HS- | M] () -- C:\hiberfil.sys
[2010/12/27 13:16:04 | 000,001,081 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/27 13:14:59 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Victor\Desktop\mbam-setup-1.50.1.1100.exe
[2010/12/27 13:05:06 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Victor\Desktop\OTL.exe
[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2010/12/18 09:20:54 | 000,333,192 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT
[2010/12/18 01:34:40 | 000,001,103 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Works.lnk
[2010/12/18 01:05:41 | 000,003,731 | ---- | M] () -- C:\Users\Victor\Desktop\Attach.zip
[2010/12/18 01:02:10 | 000,624,128 | ---- | M] () -- C:\Users\Victor\Desktop\dds.scr
[2010/12/18 00:59:58 | 000,000,889 | ---- | M] () -- C:\Users\Victor\Desktop\ERUNT.lnk
[2010/12/18 00:58:04 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Users\Victor\Desktop\erunt-setup.exe
[2010/12/18 00:44:03 | 253,185,560 | ---- | M] () -- C:\windows\MEMORY.DMP
[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/27 13:16:04 | 000,001,081 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/18 01:34:40 | 000,001,103 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft Works.lnk
[2010/12/18 01:05:41 | 000,003,731 | ---- | C] () -- C:\Users\Victor\Desktop\Attach.zip
[2010/12/18 01:01:56 | 000,624,128 | ---- | C] () -- C:\Users\Victor\Desktop\dds.scr
[2010/12/18 00:59:58 | 000,000,889 | ---- | C] () -- C:\Users\Victor\Desktop\ERUNT.lnk
[2010/12/17 15:15:05 | 000,000,306 | -HS- | C] () -- C:\windows\tasks\bzchpkn.job
[2010/11/14 16:12:26 | 000,007,605 | ---- | C] () -- C:\Users\Victor\AppData\Local\Resmon.ResmonCfg
[2010/10/05 08:55:26 | 000,000,176 | ---- | C] () -- C:\Users\Victor\AppData\Roaming\wklnhst.dat
[2010/04/17 15:10:41 | 000,003,584 | ---- | C] () -- C:\Users\Victor\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/03 08:27:28 | 000,080,416 | ---- | C] () -- C:\windows\System32\RtNicProp32.dll
[2009/08/03 12:07:42 | 000,403,816 | ---- | C] () -- C:\windows\System32\OGACheckControl.dll
[2009/07/13 15:51:43 | 000,073,728 | ---- | C] () -- C:\windows\System32\BthpanContextHandler.dll
[2009/07/13 15:42:10 | 000,064,000 | ---- | C] () -- C:\windows\System32\BWContextHandler.dll
[2002/01/15 03:55:23 | 000,802,816 | ---- | C] () -- C:\windows\System32\EasyFaceCredentialProvider.dll
[2002/01/15 03:55:22 | 001,144,320 | ---- | C] () -- C:\windows\System32\FD.dll
[2002/01/15 03:55:22 | 000,483,328 | ---- | C] () -- C:\windows\System32\FR.dll
[2002/01/15 03:55:22 | 000,291,840 | ---- | C] () -- C:\windows\System32\PreProc.dll
[2002/01/15 03:55:22 | 000,080,384 | ---- | C] () -- C:\windows\System32\LBP.dll

========== LOP Check ==========

[2010/10/05 08:55:27 | 000,000,000 | ---D | M] -- C:\Users\Victor\AppData\Roaming\Template
[2010/03/23 21:42:37 | 000,000,000 | ---D | M] -- C:\Users\Victor\AppData\Roaming\Thunderbird
[2010/10/22 14:50:03 | 000,000,000 | ---D | M] -- C:\Users\Victor\AppData\Roaming\Windows Live Writer
[2010/12/27 13:26:17 | 000,000,306 | -HS- | M] () -- C:\Windows\Tasks\bzchpkn.job
[2009/07/13 20:53:46 | 000,015,424 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

ms_curmudge0n
2010-12-27, 23:00
No extras.txt file was generated.

Update: I was able to re-enable the Windows Security Center under services and restart it; this time, it seems to be staying on and not getting disabled again. Yay! I'm feeling cautiously optimistic.

ken545
2010-12-28, 00:17
Great,

How are things running in general, any redirects, unwanted popup windows?


Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

ms_curmudge0n
2010-12-28, 02:22
Ran ESET and it didn't find anything. This is all the log had in it:
----

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK

----

I ran Spybot again and it found this:

--- Search result list ---
Win32.AutoRun.tmp: [SBI $751B1850] Settings (Registry value, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

----

I got a message about not being an administrator, and another message about needing a reset because that file might still be in use.

ms_curmudge0n
2010-12-28, 03:29
Ran Spybot with Windows in safe mode, and that seemed to take care of it.
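A defender's re-check of the persistence points this thread names (the Winlogon Taskman value Spybot flagged, the Security Center and Defender services that kept getting disabled, and hidden .job files in the Tasks folder like bzchpkn.job), written as an added example that is not part of the thread. It assumes the Windows 7 service names wscsvc and WinDefend, is run from an elevated PowerShell prompt, and only reports, changing nothing.

```powershell
# Added example, not from the thread: audit the persistence points discussed
# above after remediation. Run elevated; read-only, nothing is modified.
$findings = @()

# 1. Winlogon\Taskman: Spybot flagged this value (Win32.AutoRun.tmp).
#    A clean Windows 7 installation has no Taskman value at all.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$taskman = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Taskman
if ($taskman) { $findings += "Winlogon\Taskman is set: $taskman" }

# 2. Services the thread had trouble keeping enabled. Registry Start values:
#    2 = Automatic, 3 = Manual, 4 = Disabled (the state the infection forced).
foreach ($svc in 'wscsvc', 'WinDefend') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($null -eq $start) { $findings += "${svc}: service registry key missing"; continue }
    if ($start -eq 4) { $findings += "${svc}: Start=4 (Disabled)" }
    $status = (Get-Service -Name $svc -ErrorAction SilentlyContinue).Status
    if ($status -ne 'Running') { $findings += "${svc}: not running (Status=$status)" }
}

# 3. Legacy scheduled-task .job files. bzchpkn.job in the log carried the
#    hidden+system attributes and a random-looking name; list every .job
#    with either attribute so a person can review it.
$jobs = Get-ChildItem -Path "$env:windir\Tasks" -Filter '*.job' -Force -ErrorAction SilentlyContinue
foreach ($job in $jobs) {
    if ($job.Attributes.ToString() -match 'Hidden|System') {
        $findings += "hidden/system task file: $($job.FullName) [$($job.Attributes)]"
    }
}

if ($findings.Count -eq 0) {
    'No findings: Taskman absent, wscsvc/WinDefend enabled and running, no hidden .job files.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Re-run it after a reboot as well: the thread's symptom was that the settings were reverted after being fixed, so a single clean pass right after remediation proves less than one that still passes on the next boot.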

ken545
2010-12-28, 10:04
Hi,

Run this cleaner too, since you had some bad stuff in your Temporary Internet Files


Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.


Any problems ?

ms_curmudge0n
2010-12-31, 02:09
I think that took care of it - things are running fine, and all symptoms seem to be resolved. Thank you so very very much! :thanks:

ken545
2010-12-31, 02:26
You're very welcome.

Open OTL and click on Cleanup and it will remove some of the tools we used to clean your system.


How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind, if you install some of these programs, only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (Recommended) then do not enable the TeaTimer in Spybot Search and Destroy.

WinPatrol (www.winpatrol.com/download.html) Keep this fine program activated to block a lot of threats

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken

ken545
2011-01-05, 13:00
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.