# inst.exe trojan, pretends to be antivirus software



## Kironnis (Sep 29, 2010)

Hey everyone,

I seem to have gotten a trojan with the name inst.exe. I'll be browsing the web and a window will pop up saying something about having detected viruses and wanting to do a scan, and if I do click okay, it closes any tabs in the browser I may have open and just has one, doing a scan; then another window pops up asking if I want to run inst.exe. I've searched it on Google and I found that it is a trojan, and can be used to obtain passwords, etc. My battle.net account has already been hacked, and every time I try to fix it, they get it again; I'm guessing it's this trojan. I have a full version of Windows 7 Home edition, as well as McAfee Internet Security, and I downloaded Malwarebytes. I've run both several times, including in safe mode, gone through my folders, gone through regedit, and cannot find or remove this thing. Please, help me get rid of it. Thanks guys


----------



## imduffy (Aug 10, 2010)

Hey! Welcome to *TechSupportGuy*

My name is Duffy and I will be helping you with your malware issue.

Since I am still in training, all my fixes must be checked by an Expert first. Please be patient with me during this time while I propose a fix for you. Please follow my instructions step by step; if you have any questions, feel free to ask. Do not attach any logs unless I specifically ask you to. It is also a good idea to save my instructions to Notepad or print them out so you have them.

*Generate OTL logs*

1. Download *OTL* to your Desktop.
2. Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
3. Click on *Minimal Output* at the top.
4. Download the following file, *scan.txt*, to your *Desktop*. *Click here to download it*. You may need to right click on it and select *"Save"*.
5. Double click inside the Custom Scan box at the bottom.
6. A window will appear saying *"Click Ok to load a custom scan from a file or Cancel to cancel"*.
7. Click the Ok button and navigate to the file *scan.txt* which we just saved to your *desktop*.
8. Select *scan.txt* and click Open. Writing will now appear under the Custom Scan box.
9. Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
10. When the scan completes, it will open two Notepad windows, *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL.
11. Please copy *(Edit->Select All, Edit->Copy)* the contents of these files, one at a time, and post them in your topic.


----------



## Kironnis (Sep 29, 2010)

Thanks for your reply, imduffy. Here are the logs you asked for:

*OTL*

OTL logfile created on: 9/30/2010 2:18:24 AM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Users\Josh\Downloads
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 55.00% Memory free
4.00 Gb Paging File | 2.00 Gb Available in Paging File | 61.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 232.88 Gb Total Space | 186.95 Gb Free Space | 80.28% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Unable to calculate disk information.
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JOSH-PC
Current User Name: Josh
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Josh\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Uniblue\RegistryBooster\registrybooster.exe (Uniblue Systems Limited)
PRC - C:\Program Files (x86)\Uniblue\RegistryBooster\rbmonitor.exe (Uniblue Systems Limited)
PRC - C:\Program Files (x86)\BitComet\BitComet.exe (www.BitComet.com)
PRC - C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe (Microsoft Corporation)
PRC - C:\Windows\PixArt\PAP7501\PACTray.exe (PixArt Imaging Incorporation)
PRC - C:\Windows\PixArt\PAP7501\GUCI_AVS.exe (PixArt Imaging Incorporation)

========== Modules (SafeList) ==========

MOD - C:\Users\Josh\Downloads\OTL.exe (OldTimer Tools)
MOD - c:\Program Files (x86)\McAfee\SiteAdvisor\sahook.dll (McAfee, Inc.)
MOD - C:\Windows\SysWOW64\msscript.ocx (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV:*64bit:* - (mfefire) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
SRV:*64bit:* - (McShield) -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe ()
SRV:*64bit:* - (mfevtp) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee, Inc.)
SRV:*64bit:* - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV:*64bit:* - (MSK80Service) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV:*64bit:* - (McProxy) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV:*64bit:* - (McNASvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV:*64bit:* - (McNaiAnn) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV:*64bit:* - (mcmscsvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV:*64bit:* - (McMPFSvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV:*64bit:* - (McAfee SiteAdvisor Service) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV:*64bit:* - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV:*64bit:* - (mfehidk) -- C:\Windows\SysNative\drivers\mfehidk.sys (McAfee, Inc.)
DRV:*64bit:* - (mfefirek) -- C:\Windows\SysNative\drivers\mfefirek.sys (McAfee, Inc.)
DRV:*64bit:* - (mfewfpk) -- C:\Windows\SysNative\drivers\mfewfpk.sys (McAfee, Inc.)
DRV:*64bit:* - (mfeavfk) -- C:\Windows\SysNative\drivers\mfeavfk.sys (McAfee, Inc.)
DRV:*64bit:* - (mfeapfk) -- C:\Windows\SysNative\drivers\mfeapfk.sys (McAfee, Inc.)
DRV:*64bit:* - (mferkdet) -- C:\Windows\SysNative\drivers\mferkdet.sys (McAfee, Inc.)
DRV:*64bit:* - (mfenlfk) -- C:\Windows\SysNative\drivers\mfenlfk.sys (McAfee, Inc.)
DRV:*64bit:* - (cfwids) -- C:\Windows\SysNative\drivers\cfwids.sys (McAfee, Inc.)
DRV:*64bit:* - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:*64bit:* - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:*64bit:* - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:*64bit:* - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:*64bit:* - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:*64bit:* - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:*64bit:* - (ROOTMODEM) -- C:\Windows\SysNative\drivers\rootmdm.sys (Microsoft Corporation)
DRV:*64bit:* - (atikmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:*64bit:* - (Ntfs) -- C:\Windows\SysNative\wbem\ntfs.mof ()
DRV:*64bit:* - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek Corporation )
DRV:*64bit:* - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:*64bit:* - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:*64bit:* - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:*64bit:* - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:*64bit:* - (RimVSerPort) -- C:\Windows\SysNative\drivers\RimSerial_AMD64.sys (Research in Motion Ltd)
DRV:*64bit:* - (GUCI_AVS) -- C:\Windows\SysNative\drivers\GUCI_AVS.sys (PixArt Imaging Incorporation)
DRV:*64bit:* - (RimUsb) -- C:\Windows\SysNative\drivers\RimUsb_AMD64.sys (Research In Motion Limited)
DRV:*64bit:* - (MTsensor) -- C:\Windows\SysNative\drivers\ASACPI.sys ()

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/iat/us_ca.aspx
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 17 B7 4C 53 56 5F CB 01 [binary data]
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Secure Search"
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.1
FF - prefs.js..extensions.enabledItems: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB}:1.23
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&p="

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files (x86)\McAfee\SiteAdvisor [2010/09/30 02:05:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/09/17 04:05:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/09/17 04:05:19 | 000,000,000 | ---D | M]

[2010/07/27 18:16:40 | 000,000,000 | ---D | M] -- C:\Users\Josh\AppData\Roaming\Mozilla\Extensions
[2010/09/30 02:14:28 | 000,000,000 | ---D | M] -- C:\Users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\82s7oa6d.default\extensions
[2010/09/06 15:38:09 | 000,000,000 | ---D | M] (BitComet Video Downloader) -- C:\Users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\82s7oa6d.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
[2010/09/06 15:38:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\82s7oa6d.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}-trash
[2010/07/28 23:57:56 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/08/24 14:57:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\components\Scriptff.dll
[2010/08/24 04:31:30 | 000,773,120 | ---- | M] (BitComet) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npBitCometAgent.dll

O1 HOSTS File: ([2009/06/10 16:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:*64bit:* - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho64.dll ()
O2:*64bit:* - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100914181607.dll (McAfee, Inc.)
O2:*64bit:* - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files (x86)\BitComet\tools\BitCometBHO_1.4.8.11.dll (BitComet)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20100914181607.dll (McAfee, Inc.)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3:*64bit:* - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4:*64bit:* - HKLM..\Run: [GUCI_AVS] C:\Windows\PixArt\PAP7501\GUCI_AVS.exe (PixArt Imaging Incorporation)
O4:*64bit:* - HKLM..\Run: [PACTray] C:\Windows\PixArt\PAP7501\PACTray.exe (PixArt Imaging Incorporation)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKCU..\Run: [BitComet] C:\Program Files (x86)\BitComet\BitComet.exe (www.BitComet.com)
O4 - HKCU..\Run: [msnmsgr] C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
O4 - HKCU..\Run: [RegistryBooster] C:\Program Files (x86)\Uniblue\RegistryBooster\launcher.exe (Uniblue Systems Limited)
O4 - HKCU..\Run: [Uniblue RegistryBooster 2009] c:\program files (x86)\uniblue\registrybooster\StartRegistryBooster.exe File not found
O4 - Startup: C:\Users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:*64bit:* - Extra context menu item: &D&ownload &with BitComet - C:\Program Files (x86)\BitComet\BitComet.exe (www.BitComet.com)
O8:*64bit:* - Extra context menu item: &D&ownload all with BitComet - C:\Program Files (x86)\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload &with BitComet - C:\Program Files (x86)\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all with BitComet - C:\Program Files (x86)\BitComet\BitComet.exe (www.BitComet.com)
O9 - Extra Button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\Program Files (x86)\BitComet\tools\BitCometBHO_1.4.8.11.dll (BitComet)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab (RIM AxLoader)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.65.69 213.109.77.229 1.1.1.1
O18:*64bit:* - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O18:*64bit:* - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:*64bit:* - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:*64bit:* - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O18:*64bit:* - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18:*64bit:* - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - Reg Error: Key error. File not found
O18:*64bit:* - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20:*64bit:* - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:*64bit:* - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:*64bit:* - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:*64bit:* - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:*64bit:* - HKLM\..comfile [open] -- "%1" %*
O35:*64bit:* - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:*64bit:* - HKLM\...com [@ = comfile] -- "%1" %*
O37:*64bit:* - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/09/29 00:23:42 | 000,000,000 | ---D | C] -- C:\Users\Josh\AppData\Roaming\Malwarebytes
[2010/09/29 00:23:31 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/09/29 00:23:28 | 000,024,664 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/09/29 00:23:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/09/29 00:23:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/09/28 17:37:38 | 000,000,000 | ---D | C] -- C:\Users\Josh\Documents\BlackBerry
[2010/09/28 17:36:54 | 000,000,000 | ---D | C] -- C:\Users\Josh\AppData\Roaming\Research In Motion
[2010/09/28 17:35:41 | 000,031,744 | ---- | C] (Research in Motion Ltd) -- C:\Windows\SysNative\drivers\RimSerial_AMD64.sys
[2010/09/28 17:35:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Research In Motion
[2010/09/28 17:34:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Research In Motion
[2010/09/28 17:34:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Research In Motion
[2010/09/15 01:30:08 | 002,441,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iertutil.dll
[2010/09/07 21:40:47 | 000,000,000 | ---D | C] -- C:\Users\Josh\Documents\Cooking ideas

========== Files - Modified Within 30 Days ==========

[2010/09/30 02:21:23 | 003,145,728 | -HS- | M] () -- C:\Users\Josh\NTUSER.DAT
[2010/09/30 02:09:58 | 000,013,440 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/30 02:09:58 | 000,013,440 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/30 02:05:53 | 000,001,828 | ---- | M] () -- C:\Users\Public\Desktop\McAfee Internet Security.lnk
[2010/09/30 02:00:31 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\RegistryBooster.job
[2010/09/30 02:00:18 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/30 02:00:13 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/30 02:00:10 | 1508,761,600 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/29 03:10:45 | 001,137,496 | -H-- | M] () -- C:\Users\Josh\AppData\Local\IconCache.db
[2010/09/29 02:12:04 | 000,000,056 | -H-- | M] () -- C:\Windows\SysWow64\ezsidmv.dat
[2010/09/29 00:23:34 | 000,001,013 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/29 00:00:35 | 000,001,088 | ---- | M] () -- C:\Users\Public\Desktop\RegistryBooster.lnk
[2010/09/28 23:52:57 | 294,631,983 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/09/28 23:51:31 | 000,921,636 | ---- | M] () -- C:\PAP7501.dat
[2010/09/28 17:35:05 | 000,002,231 | ---- | M] () -- C:\Users\Public\Desktop\BlackBerry Desktop Software.lnk
[2010/09/28 17:32:09 | 105,378,136 | ---- | M] () -- C:\Users\Josh\Documents\600_b047_multilanguage.exe
[2010/09/28 16:44:34 | 000,713,888 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/09/28 16:44:34 | 000,615,122 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/09/28 16:44:34 | 000,103,496 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/09/28 16:43:04 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2010/09/07 23:08:19 | 000,002,014 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/09/06 15:38:07 | 000,001,011 | ---- | M] () -- C:\Users\Public\Desktop\BitComet.lnk

========== Files Created - No Company Name ==========

[2010/09/29 02:12:04 | 000,000,056 | -H-- | C] () -- C:\Windows\SysWow64\ezsidmv.dat
[2010/09/29 00:23:34 | 000,001,013 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/29 00:00:45 | 000,000,342 | ---- | C] () -- C:\Windows\tasks\RegistryBooster.job
[2010/09/29 00:00:34 | 000,001,088 | ---- | C] () -- C:\Users\Public\Desktop\RegistryBooster.lnk
[2010/09/28 17:36:55 | 000,000,077 | ---- | C] () -- C:\Users\Josh\AppData\Roaming\Rim.Desktop.Exception.log
[2010/09/28 17:35:28 | 000,000,807 | ---- | C] () -- C:\Users\Josh\AppData\Roaming\Rim.Desktop.HttpServerSetup.log
[2010/09/28 17:35:05 | 000,002,231 | ---- | C] () -- C:\Users\Public\Desktop\BlackBerry Desktop Software.lnk
[2010/09/28 17:30:07 | 105,378,136 | ---- | C] () -- C:\Users\Josh\Documents\600_b047_multilanguage.exe
[2010/09/28 16:43:04 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2010/07/27 22:27:11 | 000,000,262 | ---- | C] () -- C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
[2010/07/27 21:51:11 | 000,002,057 | ---- | C] () -- C:\Windows\SysWow64\GUCI_AVS.ini
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
< End of report >

*Extras*

OTL Extras logfile created on: 9/30/2010 2:18:25 AM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Users\Josh\Downloads
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 55.00% Memory free
4.00 Gb Paging File | 2.00 Gb Available in Paging File | 61.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 232.88 Gb Total Space | 186.95 Gb Free Space | 80.28% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Unable to calculate disk information.
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JOSH-PC
Current User Name: Josh
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

*64bit:* [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

*64bit:* [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" File not found
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

*64bit:* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

*64bit:* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

*64bit:* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

*64bit:* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}" = Ventrilo Client for Windows x64

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0EDBEB2B-7C8D-42E6-8312-0F84394A3223}" = Windows Media Center Add-in for Silverlight
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9D318C86-AF4C-409F-A6AC-7183FF4CF424}" = Internet TV for Windows Media Center
"{9F479685-180E-4C05-9400-D59292A1B29C}" = Windows Live Movie Maker
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
"{B10914FD-8812-47A4-85A1-50FCDE7F1F33}" = Windows Live Sync
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{C427E746-4EC9-4E3C-AACB-C6BB1F714D7F}" = Uniblue DriverScanner 2009
"{C6A0FD8A-F107-44CA-AA1B-49341936F76A}" = USB PC Camera K
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype 4.2
"{D25F26E6-7F37-4580-9E83-2BDD9BE9E0CE}" = BlackBerry Desktop Software 6.0
"{E2D09AC2-4153-4817-AAEB-24F92A8BCE88}" = Windows Media Center Add-in for Flash
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{E63E34A7-E552-412B-9E40-FD6FC5227ABA}_is1" = Uniblue RegistryBooster
"{EE39FFBD-544E-49E4-A999-6819828EAE91}" = Windows Live Photo Gallery
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F80DDFFD-D030-4CCC-AF03-BD8EEE5E20ED}" = General Module
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"{FFB768E4-E427-4553-BC36-A11F5E62A94D}" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"BitComet" = BitComet 1.23
"BlackBerry_Desktop" = BlackBerry Desktop Software 6.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.10)" = Mozilla Firefox (3.6.10)
"MSC" = McAfee Internet Security
"Uniblue DriverScanner 2009" = Uniblue DriverScanner 2009
"WinLiveSuite_Wave3" = Windows Live Essentials
"World of Warcraft" = World of Warcraft

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"090215de958f1060" = Curse Client

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/13/2010 4:34:13 PM | Computer Name = josh-pc | Source = SideBySide | ID = 16842787
Description = Activation context generation failed for "c:\program files (x86)\windows
live\photo gallery\MovieMaker.Exe".Error in manifest or policy file "c:\program
files (x86)\windows live\photo gallery\WLMFDS.DLL" on line 8. Component identity
found in manifest does not match the identity of the component requested. Reference
is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1". Definition
is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1". Please use
sxstrace.exe for detailed diagnosis.

Error - 9/17/2010 3:17:13 AM | Computer Name = josh-pc | Source = SideBySide | ID = 16842787
Description = Activation context generation failed for "c:\program files (x86)\windows
live\photo gallery\MovieMaker.Exe".Error in manifest or policy file "c:\program
files (x86)\windows live\photo gallery\WLMFDS.DLL" on line 8. Component identity
found in manifest does not match the identity of the component requested. Reference
is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1". Definition
is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1". Please use
sxstrace.exe for detailed diagnosis.

Error - 9/18/2010 1:30:17 AM | Computer Name = josh-pc | Source = SideBySide | ID = 16842787
Description = Activation context generation failed for "c:\program files (x86)\windows
live\photo gallery\MovieMaker.Exe".Error in manifest or policy file "c:\program
files (x86)\windows live\photo gallery\WLMFDS.DLL" on line 8. Component identity
found in manifest does not match the identity of the component requested. Reference
is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1". Definition
is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1". Please use
sxstrace.exe for detailed diagnosis.

Error - 9/20/2010 4:14:07 AM | Computer Name = josh-pc | Source = SideBySide | ID = 16842787
Description = Activation context generation failed for "c:\program files (x86)\windows
live\photo gallery\MovieMaker.Exe".Error in manifest or policy file "c:\program
files (x86)\windows live\photo gallery\WLMFDS.DLL" on line 8. Component identity
found in manifest does not match the identity of the component requested. Reference
is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1". Definition
is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1". Please use
sxstrace.exe for detailed diagnosis.

Error - 9/21/2010 1:51:53 PM | Computer Name = josh-pc | Source = SideBySide | ID = 16842787
Description = Activation context generation failed for "c:\program files (x86)\windows
live\photo gallery\MovieMaker.Exe".Error in manifest or policy file "c:\program
files (x86)\windows live\photo gallery\WLMFDS.DLL" on line 8. Component identity
found in manifest does not match the identity of the component requested. Reference
is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1". Definition
is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1". Please use
sxstrace.exe for detailed diagnosis.

Error - 9/22/2010 2:29:20 PM | Computer Name = josh-pc | Source = SideBySide | ID = 16842787
Description = Activation context generation failed for "c:\program files (x86)\windows
live\photo gallery\MovieMaker.Exe".Error in manifest or policy file "c:\program
files (x86)\windows live\photo gallery\WLMFDS.DLL" on line 8. Component identity
found in manifest does not match the identity of the component requested. Reference
is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1". Definition
is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1". Please use
sxstrace.exe for detailed diagnosis.

Error - 9/27/2010 8:44:29 PM | Computer Name = josh-pc | Source = SideBySide | ID = 16842787
Description = Activation context generation failed for "c:\program files (x86)\windows
live\photo gallery\MovieMaker.Exe".Error in manifest or policy file "c:\program
files (x86)\windows live\photo gallery\WLMFDS.DLL" on line 8. Component identity
found in manifest does not match the identity of the component requested. Reference
is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1". Definition
is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1". Please use
sxstrace.exe for detailed diagnosis.

Error - 9/28/2010 6:35:23 PM | Computer Name = josh-pc | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files (x86)\Research
In Motion\BlackBerry Desktop\IntelliSync\Connectors\MS Outlook Connector\X64\MsOutlookApiProxy.exe".
Dependent
Assembly Microsoft.VC90.ATL,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 9/28/2010 6:35:23 PM | Computer Name = josh-pc | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files (x86)\Research
In Motion\BlackBerry Desktop\IntelliSync\Connectors\MS Outlook Connector\X64\MsOutlookApiProxy.exe".
Dependent
Assembly Microsoft.VC90.ATL,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 9/29/2010 1:40:29 AM | Computer Name = josh-pc | Source = Application Hang | ID = 1002
Description = The program mbam.exe version 1.46.0.1 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Action Center control panel. Process ID: 13ec Start Time:
01cb5f967f0dbf35 Termination Time: 80 Application Path: C:\Program Files (x86)\Malwarebytes'
Anti-Malware\mbam.exe Report Id: 01d792c5-cb8c-11df-b455-001d607c6d75

[ Media Center Events ]
Error - 8/6/2010 1:14:09 PM | Computer Name = josh-pc | Source = MCUpdate | ID = 0
Description = 12:14:09 PM - Error connecting to the internet. 12:14:09 PM - Unable
to contact server..

Error - 8/6/2010 1:14:18 PM | Computer Name = josh-pc | Source = MCUpdate | ID = 0
Description = 12:14:14 PM - Error connecting to the internet. 12:14:14 PM - Unable
to contact server..

Error - 9/25/2010 11:39:24 PM | Computer Name = josh-pc | Source = MCUpdate | ID = 0
Description = 10:39:24 PM - Failed to retrieve SportsV2 (Error: The underlying connection
was closed: Could not establish trust relationship for the SSL/TLS secure channel.)

[ System Events ]
Error - 9/29/2010 3:01:32 AM | Computer Name = josh-pc | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 9/29/2010 3:01:32 AM | Computer Name = josh-pc | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 9/29/2010 3:01:32 AM | Computer Name = josh-pc | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 9/29/2010 3:01:32 AM | Computer Name = josh-pc | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 9/29/2010 3:01:32 AM | Computer Name = josh-pc | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 9/29/2010 3:01:32 AM | Computer Name = josh-pc | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 9/29/2010 3:03:45 AM | Computer Name = josh-pc | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 9/29/2010 3:05:15 AM | Computer Name = josh-pc | Source = DCOM | ID = 10005
Description =

Error - 9/29/2010 4:01:11 AM | Computer Name = josh-pc | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80073715: Update for Windows 7 for x64-based Systems (KB979538).

Error - 9/29/2010 4:11:15 AM | Computer Name = josh-pc | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070002: Update for Windows 7 for x64-based Systems (KB979538).

< End of report >

*Scan

*netsvcs
drivers32 
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg 
%systemroot%\*.jpg 
%systemroot%\*.png 
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.* 
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav 
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x 
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.exe
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
%USERPROFILE%\Templates\*.tmp
%SYSTEMDRIVE%\explorexxx.exe\*.*
%Windir%\Installer\*.tmp
%systemroot%\System32\*.xco
%ProgramFiles%\system32\*.*
%systemroot%\System32\windos\*.*
%SystemRoot%\system32\sandbox\*.*
%SystemRoot%\system32\*.amo
%SystemRoot%\system32\Windows Live\*.*
%ProgramFiles%\logs\*.*
%ProgramFiles%\Bifrost\*.*
%SystemRoot%\system32\*.goo
%systemroot%\system32\IME\*.*
%systemroot%\BackUp\*.*
%systemroot%\system32\*.ico
%systemroot%\system\*.dat
%systemroot%\system\*.exe
%AppData%\Macromedia\Common\*.*
%SYSTEMDRIVE%\dir\*.* /s
%systemroot%\system32\ras\*.exe
%SYSTEMDRIVE%\MFILES\*.*
%SYSTEMDRIVE%\mDNSRespon.exe\*.*
%systemroot%\system32\services\*.*
%systemroot%\Spooler\*.*
%ProgramFiles%\system32\*.*
%systemroot%\system32\Setup\*.dll /x
%systemroot%\system32\*.mine 
%SYSTEMDRIVE%\cleansweep.exe\*.*
%systemroot%\system32\ras\*.dll 
%systemroot%\system32\ras\*.drv
%systemroot%\*.iq 
%systemroot%\system32\XP\*.*
%SYSTEMDRIVE%\Extracted\*.*
%systemroot%\system32\windows\*.*
%systemroot%\logs\*.*
%SYSTEMDRIVE%\Win.Msi\*.*
%systemroot%\regedit\*.*
%systemroot%\system32\skype\*.*
%AppData%\Adobe\dlluplwin25\*.*
%UserProfile%\*.dat
%UserProfile%\*.dll
%systemroot%\system32\*.sxo
%SYSTEMDRIVE%\Gazma\*.* /s
%systemroot%\system32\spynet\*.*
%systemroot%\system32\System\*.*
%appdata%\Microsoft\Windows\*.*
%systemroot%\system32\WinDir\*.*
%systemroot%\_\*.*
%systemroot%\system32\windows32\*.*
%ProgramFiles%\win\*.*
%AppData%\Microsoft\CD Burning\*.*
%systemroot%\*.cab
%systemroot%\K.Backup\*.*
%ProgramFiles%\Massenger\*.*
%systemroot%\System32\*.doc
%systemroot%\Office12\*.*
%systemroot%\System32\Rundl32.exe\*.*
%ProgramFiles%\yahoo.net\*.*
%systemroot%\system32\*.igo
%systemroot%\*.rew
%systemroot%\System32\spool\DRIVERS\W32X86\3\*.exe
%USERPROFILE%\.COMMgr\*.*
%USERPROFILE%\Desktop\*.bat
%PROGRAMFILES%\Common Files\Real\visualizations\*.*
%PROGRAMFILES%\Internet Explorer\*.Jmp
%PROGRAMFILES%\Windows NT\system\*.dll
%systemroot%\system32\*.ext
%systemroot%\system32\Com\*.cfg
%systemroot%\system32\btz\*.*
%systemroot%\system32\EMP\*.*
%systemroot%\system32\expo\*.*
%systemroot%\system32\inet2\*.*
%systemroot%\system32\xrem\*.*
%ProgramFiles%\Microsoft\*.*
%systemroot%\usgwmt\*.*
%ProgramFiles%\B\*.*
%SYSTEMDRIVE%\lspp\*.*
%systemroot%\Kral\*.*
%SYSTEMDRIVE%\windowsdvd.exe\*.*
%systemroot%\system32\*.ipo
%SYSTEMDRIVE%\usxxxxxxxx.exe\*.*
%systemroot%\system32\*.mof
%systemroot%\*.atm
%systemroot%\system32\svhost\*.*
%ProgramFiles%\system32\*.*
%ProgramFiles%\Docmentt\*.*
%systemroot%\Help\*.vbs
%ProgramFiles%\Windows WinSxs\*.* /s
%ProgramFiles%\Outlook Express\IDT\*.* /s
%ProgramFiles%\Microsoft Office\365\*.* /s
%ProgramFiles%\Windows Live\*.*
%systemroot%\system32\win32\*.*
%SYSTEMDRIVE%\RECYCLER\*.*
%systemroot%\Fresh1\*.*
%ProgramFiles%\Kekj\*.* /s
%systemroot%\GDU\*.*
%systemroot%\KA\*.*
%systemroot%\R\*.*
%systemroot%\system32\*.fyo
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


----------



## imduffy (Aug 10, 2010)

Hey Kironnis!

I have outlined some more instructions for you below.

*Peer-to-Peer Programs Warning*
Your log shows that you are using so called *peer-to-peer* or *file-sharing* programs (in your case *bitcomet*). These programs allow users to share files with each other, whether the other party is from a known or unknown zone. In today's world *cyber crime* has reached an enormous scale, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malicious files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Even with care, using such programs is extremely dangerous since you have no idea who or what you are sharing with. Many severe and nasty malware infections also arrive through P2P file-sharing programs.

Some further readings on this subject: 
*File-Sharing, otherwise known as Peer To Peer* and *Risks of File-Sharing Technology*.

It is also important to note that sharing entertainment files _(music files, video files etc..)_ and *proprietary software* infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organizations watching over the rights of the authors of such files _(e.g: the *RIAA* for music files, or the *MPAA* for movie files in the USA)_ or by the authors of the files themselves.

Naturally, there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) however, I *strongly recommend you remove it via add/remove (For Windows XP) or Programs/Features (For Windows Vista)*

If you do decide to keep it, please refrain from using it until your computer has been declared clean.

*Run Rooter*
Please download Rooter Rootkit Detector to your Desktop

Doubleclick it to start the tool.
Press scan.
A Notepad file containing the report will open, also found at %systemdrive% (usually C:\Rooter.txt).
Post the report for me to see.


----------



## Kironnis (Sep 29, 2010)

Rooter.exe (v1.0.2) by Eric_71
.
The token does not have the SeDebugPrivilege privilege ! (error:1300)
*Can not acquire SeDebugPrivilege !
Please run the tool as administrator ..*
.
Windows 7 Home Edition (6.1.7600) 
[32_bits] - AMD64 Family 15 Model 107 Stepping 2, AuthenticAMD
.
Error OpenService (wscsvc) : 6
Error OpenSCManager : 5
Error OpenService (MpsSvc) : 6
Windows Defender -> Enabled
User Account Control (UAC) -> Enabled
.
Internet Explorer 8.0.7600.16385
Mozilla Firefox 3.6.10 (en-US)
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:232 Go - Free:186 Go )
D:\ [Fixed-NTFS] .. ( Total:0 Go - Free:0 Go )
E:\ [CD_Rom]
.
Scan : 02:29.05
Path : C:\Users\Josh\Downloads\Rooter.exe
User : Josh ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
Locked smss.exe (280)
Locked csrss.exe (444)
Locked wininit.exe (492)
Locked csrss.exe (516)
Locked services.exe (576)
Locked winlogon.exe (584)
Locked lsass.exe (632)
Locked lsm.exe (640)
Locked svchost.exe (744)
Locked svchost.exe (824)
Locked svchost.exe (936)
Locked svchost.exe (980)
Locked svchost.exe (1016)
Locked audiodg.exe (400)
Locked svchost.exe (364)
Locked svchost.exe (1052)
Locked spoolsv.exe (1172)
Locked svchost.exe (1200)
Locked svchost.exe (1300)
Locked McSvHost.exe (1356)
Locked mfevtps.exe (1416)
Locked rundll32.exe (1444)
Locked rundll32.exe (1476)
Locked mcshield.exe (1508)
Locked mfefire.exe (1548)
______ ?????????? (1612)
______ ?????????? (2000)
Locked taskeng.exe (1908)
Locked rbmonitor.exe (2052)
Locked svchost.exe (2236)
______ ?????????? (2368)
______ C:\Windows\PixArt\PAP7501\GUCI_AVS.exe (2732)
______ C:\Windows\PixArt\PAP7501\PACTray.exe (2756)
______ C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe (2868)
Locked SearchIndexer.exe (2968)
______ C:\Program Files (x86)\Skype\Phone\Skype.exe (1124)
______ C:\Program Files (x86)\BitComet\BitComet.exe (2316)
Locked wmpnetwk.exe (2632)
______ ?????????? (2996)
______ ?????????? (3188)
Locked svchost.exe (3500)
Locked registrybooster.exe (3596)
______ C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe (3020)
______ C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe (3356)
______ C:\Program Files (x86)\Windows Media Player\wmplayer.exe (2244)
______ C:\Program Files (x86)\Mozilla Firefox\firefox.exe (5100)
______ C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe (3960)
Locked mcupdmgr.exe (4320)
Locked SearchProtocolHost.exe (5800)
Locked SearchFilterHost.exe (5824)
Locked svchost.exe (5892)
______ C:\Users\Josh\Downloads\Rooter.exe (5956)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:1048576 | Length:104857600)
\Device\Harddisk0\Partition2 (Start_Offset:105906176 | Length:13494124544)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\RegistryBooster.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 02:29.07
.
C:\Rooter$\Rooter_1.txt - (01/10/2010 | 02:29.07)


----------



## imduffy (Aug 10, 2010)

Hey Kironnis!

I'm not seeing anything too nasty in your logs yet. I want to run a few scans on your machine. Instructions are below.

*Install Java:*

To get the latest version of Java please go HERE.
Go to *Start* -> *Control Panel* -> *Programs and Features*.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
They should have this icon next to any that are there:
Select any found and choose *Uninstall*.
Then install the version you downloaded earlier.

*Run TFC*

Download *TFC by OldTimer* to your desktop

 Please double-click *TFC.exe* to run it. (*Note:* If you are running on Vista, right-click on the file and choose *Run As Administrator*).
It *will close all programs* when run, so make sure you have *saved all your work* before you begin.
Click the *Start* button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. *Let it run uninterrupted to completion*.
Once it's finished it should *reboot your machine*. If it does not, please *manually reboot the machine* yourself to ensure a complete clean.

*Run Malwarebytes*
Please download *Malwarebytes' Anti-Malware* to your desktop.

Double-click *mbam-setup.exe* and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click *Finish*.
If an update is found, it will download and install the latest version.
Once the program has loaded, select *Perform Quick scan*, then click *Scan*.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Be sure that everything is checked, and click *Remove Selected*.
When completed, a log will open in Notepad. Please save it to a convenient location.
The log can also be found here:
C:\Documents and Settings\_Username_\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\*log-date.txt*
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\*log-date.txt*
Post that log back here.

*Run Kaspersky Online AV Scanner*
Note: Internet Explorer should be used.

Please go to Kaspersky's website and perform an online antivirus scan.


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the *Save* button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases

Click on *My Computer* under *Scan* and then put the kettle on!
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As....*
Save this report to a convenient place like your Desktop. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Copy and paste the report into your next reply.

Thanks.


----------



## Kironnis (Sep 29, 2010)

Hey imduffy, thanks again for the response. Sorry I haven't responded in a few days, I haven't had much time to spend on my comp. I'll do all that now.


----------



## Kironnis (Sep 29, 2010)

Ugh, whatever this thing is, it must be good
*Malwarebytes report:*

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/4/2010 4:17:38 PM
mbam-log-2010-10-04 (16-17-38).txt

Scan type: Quick scan
Objects scanned: 115005
Time elapsed: 5 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

*Kaspersky Report:*

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, October 4, 2010
Operating system: Microsoft (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, October 04, 2010 14:27:20
Records in database: 4283720
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 80518
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:23:03

No threats found. Scanned area is clean.

Selected area has been scanned.


----------



## imduffy (Aug 10, 2010)

Hey Kironnis,

*Run OTL*

Under the *Custom Scans/Fixes* box at the bottom, paste in the following


```
:OTL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.65.69 213.109.77.229 1.1.1.1
:Services

:Reg

:Files

:Commands
[purity]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
```

Then click the *Run Fix* button at the top
Let the program run unhindered, reboot the PC when it is done
Paste any logs it outputs in your next reply.


----------
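The only thing the fix above changes is the `O17` entry, i.e. the DHCP-assigned name servers under `Tcpip\Parameters`. On a home network DHCP normally hands out the router's own LAN address, or the ISP's resolvers, so public addresses there that you do not recognise deserve a check; a redirected resolver is exactly how a "your PC is infected, run this scan" page can keep reappearing with no file on disk. The following is an added example written for this page, not OTL's or the poster's code: it pulls every `O17` line out of an OTL log and flags resolvers that are neither on the LAN nor on a list of resolvers you trust. The first sample line is the one from the fix above; the per-interface line, the `O4` line, the GUID and the trusted range `203.0.113.0/24` (a documentation range standing in for your ISP's resolvers) are constructed assumptions, and which public resolvers are legitimate depends entirely on your ISP.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample in OTL's log format. The first O17 line is the one quoted
# in the fix above; the per-interface O17 line, the O4 line and the GUID are
# made up for this example.
SAMPLE_OTL_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.65.69 213.109.77.229 1.1.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000000}: DhcpNameServer = 192.168.1.1
O4 - HKLM..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe
"""

# Assumption: the resolvers you expect DHCP to hand out on this network (for
# example your ISP's). 203.0.113.0/24 is a documentation range used as a stand-in.
TRUSTED_RESOLVERS = ["203.0.113.0/24"]

# OTL writes name-server settings as:
#   O17 - HKLM\System\CCS\Services\Tcpip\Parameters[\Interfaces\{GUID}]: <Value> = <servers>
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\CCS\\Services\\Tcpip\\Parameters"
    r"(?:\\Interfaces\\\{[0-9A-Fa-f-]+\})?):\s*"
    r"(?P<value>DhcpNameServer|NameServer)\s*=\s*(?P<servers>.+?)\s*$"
)


def parse_o17(log_text: str) -> List[dict]:
    """Extract every O17 (TCP/IP name server) entry from an OTL log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # OTL separates multiple resolvers with spaces; Windows itself allows commas too.
        servers = [s for s in re.split(r"[\s,]+", m.group("servers")) if s]
        entries.append({"key": m.group("key"), "value": m.group("value"), "servers": servers})
    return entries


def suspicious_servers(entries: List[dict], trusted: List[str]) -> Dict[str, List[str]]:
    """Map each O17 entry to the resolvers in it that are neither on the LAN nor trusted."""
    trusted_nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    flagged: Dict[str, List[str]] = {}
    for e in entries:
        bad = []
        for s in e["servers"]:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                bad.append(s)          # not even an IP address: always worth a look
                continue
            if ip.is_private or ip.is_loopback:
                continue               # the router or a LAN resolver: expected from DHCP
            if not any(ip in net for net in trusted_nets):
                bad.append(s)
        if bad:
            flagged[f"{e['key']}:{e['value']}"] = bad
    return flagged


def audit_sample() -> Dict[str, List[str]]:
    """Run the check over the constructed sample log."""
    return suspicious_servers(parse_o17(SAMPLE_OTL_LOG), TRUSTED_RESOLVERS)


if __name__ == "__main__":
    for where, servers in audit_sample().items():
        print(f"{where}: unexpected resolver(s) {', '.join(servers)}")
```

Feed it a real OTL log and the only entries that come back are resolvers outside RFC 1918 space and outside your trusted list; the per-interface `192.168.1.1` entry in the sample is left alone, the three public addresses on the machine-wide entry are reported. Compare the result against what `ipconfig /all` shows after the fix and a reboot: if a public resolver you did not configure comes back, look at the router's DHCP settings, not just the PC.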



## Kironnis (Sep 29, 2010)

Hey, here's the log:

All processes killed
========== OTL ==========
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer| /E : value set successfully!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Josh
->Temp folder emptied: 109772530 bytes
->Temporary Internet Files folder emptied: 9623286 bytes
->Java cache emptied: 128094 bytes
->FireFox cache emptied: 45033044 bytes
->Flash cache emptied: 2451 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 10529 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50199 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 157.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.14.1 log created on 10062010_024001

Files\Folders moved on Reboot...
C:\Users\Josh\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Josh\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W507S5WZ\addons-tracker-v4[1].htm moved successfully.

Registry entries deleted on Reboot...


----------



## imduffy (Aug 10, 2010)

Hey Kironnis,
How has the system been running since that last post?

From what I can see, your inst.exe errors are *not* being caused by an infection. However, I would like to try something before letting you go.

*Run RegSearch*
Download Registry Search to your desktop.

Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
Open the new folder, and double click on regsearch.exe
Paste in this -> inst.exe inside of the white box.
Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
Please reply here with the entire contents of the Notepad file from RegSearch.


----------
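One caveat on reading the RegSearch report that follows: the tool does a substring search, so a needle like `inst.exe` also matches any longer file name that ends in it. McAfee's own `mcinst.exe` and `mcuninst.exe` are exactly such names, which is why the hits in the next post all sit under `HKLM\SOFTWARE\McAfee`. The example below is added for this page and is not RegSearch's code: it decodes a `hex(7)` (`REG_MULTI_SZ`) value out of a `.reg` export, the encoding RegSearch uses for the `ProcessList` value, and compares what a substring search reports with what a whole-file-name match reports. The sample export is constructed from four of the process names in this thread's `ProcessList` value; the key name is a placeholder.

```python
import re
from typing import List

# Constructed .reg export in the format RegSearch produces. The value holds four
# of the process names from the McAfee ProcessList value quoted in this thread,
# encoded as REG_MULTI_SZ (hex(7): UTF-16LE strings, NUL-separated, terminated
# by a double NUL). The key name is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\ProcessListDemo]
"ProcessList"=hex(7):44,00,41,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,2e,00,65,00,78,00,65,00,00,00,\
  6d,00,63,00,69,00,6e,00,73,00,74,00,2e,00,65,00,78,00,65,00,00,00,\
  6d,00,63,00,75,00,6e,00,69,00,6e,00,73,00,74,00,2e,00,65,00,78,00,65,00,00,00,\
  6d,00,63,00,73,00,68,00,69,00,65,00,6c,00,64,00,2e,00,65,00,78,00,65,00,00,00,\
  00,00
"""


def decode_reg_multi_sz(reg_text: str, value_name: str) -> List[str]:
    """Return the strings stored in a hex(7) (REG_MULTI_SZ) value of a .reg export."""
    prefix = f'"{value_name}"=hex(7):'
    hex_parts: List[str] = []
    collecting = False
    for line in reg_text.splitlines():
        if not collecting:
            if not line.startswith(prefix):
                continue
            chunk = line[len(prefix):]
            collecting = True
        else:
            chunk = line.strip()          # continuation lines are indented
        chunk = chunk.rstrip()
        continued = chunk.endswith("\\")  # trailing backslash: value continues on the next line
        hex_parts.append(chunk.rstrip("\\"))
        if not continued:
            break
    if not hex_parts:
        raise KeyError(f"value {value_name!r} not found")
    raw = bytes(int(h.strip(), 16) for h in ",".join(hex_parts).split(",") if h.strip())
    # Split on the NUL separators; the double NUL at the end only yields empty strings.
    return [s for s in raw.decode("utf-16-le").split("\0") if s]


def basename(entry: str) -> str:
    """Last path component. The McAfee SharedModules key quoted in this thread stores
    a path with % in place of backslashes, so % is treated as a separator too."""
    return re.split(r"[\\/%]", entry)[-1]


def substring_hits(names: List[str], needle: str) -> List[str]:
    """What a RegSearch-style substring search for `needle` matches."""
    return [n for n in names if needle.lower() in n.lower()]


def exact_hits(names: List[str], needle: str) -> List[str]:
    """Only entries whose file name *is* `needle`."""
    return [n for n in names if basename(n).lower() == needle.lower()]


if __name__ == "__main__":
    names = decode_reg_multi_sz(SAMPLE_REG, "ProcessList")
    print("decoded:       ", names)
    print("substring hits:", substring_hits(names, "inst.exe"))
    print("exact hits:    ", exact_hits(names, "inst.exe"))
```

On the constructed value the substring search returns `mcinst.exe` and `mcuninst.exe`, the whole-name match returns nothing. The same distinction applies to the key-name hit in the next post: its last component is `mcinst.exe`, a McAfee installer binary, not a file called `inst.exe`. When a RegSearch report comes back, read each hit's last path component before treating it as evidence.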



## Kironnis (Sep 29, 2010)

Hey imduffy,
it's been running fine, but I also haven't been using it much. There have been a few times where I start the computer, log in, etc., then it goes to a blue screen with some white text (something about Windows) and restarts before I can read it all. Here's the log:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 10/6/2010 3:56:23 PM for strings:
; 'inst.exe'
; Strings excluded from search:
; (None)
; Search in: 
; Registry Keys Registry Values Registry Data 
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SharedModules\c:%progra~2%common~1%mcafee%instal~1%mcinst.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SharedModules\c:%progra~2%common~1%mcafee%instal~1%mcinst.exe]
@="C:\\PROGRA~2\\COMMON~1\\McAfee\\INSTAL~1\\mcinst.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\Low]
; Contents of value:
; DAInstall.exe
; MVsInst.exe
; McAltHst.exe
; McENUI.exe
; McInsUpd.exe
; McNDUI.exe
; McProxy.exe
; McSACore.exe
; McSmtFwk.exe
; McSvHost.exe
; McUICnt.exe
; McUpdUtl.exe
; McVsMap.exe
; McVsShld.exe
; McpAdmin.exe
; MpfAlert.exe
; MpfSrv.exe
; MvsVista.exe
; NaturalTouch.exe
; QcConsol.exe
; ShrCL.exe
; TMC.exe
; TMCMonitor.exe
; TVECapSvc.exe
; TVEnhance.exe
; TrustedInstaller.exe
; hwupdchk.exe
; mcagent.exe
; mcappcfg.exe
; mchost.exe
; mcinfo.exe
; mcinst.exe
; mclgview.exe
; mcmscsvc.exe
; mcods.exe
; mcoemmgr.exe
; mcshell.exe
; mcshield.exe
; mcsvrcnt.exe
; mcsync.exe
; mcui.exe
; mcuihost.exe
; mcuninst.exe
; mcupdmgr.exe
; mcupdui.exe
; mfefire.exe
; mfehidin.exe
; mfevtps.exe
; mispreg.exe
; msksrver.exe
; mskxagnt.exe
; windvd.exe
; xbootmgr.exe
; xperf.exe
; 

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VirusScan\InstallSettings]
"VS_UninstallString"="\"C:\\Program Files (x86)\\Common Files\\McAfee\\Installer\\mcinst.exe\" \"C:\\Program Files\\McAfee\\VirusScan\\vsomain64.inf\" /uninstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\FileAssociation]
"AddRemoveApps"="SETUP.EXE;INSTALL.EXE;ISUNINST.EXE;UNWISE.EXE;UNWISE32.EXE;ST5UNST.EXE;MSOOBE.EXE;LNKSTUB.EXE;CONTROL.EXE;WERFAULT.EXE;WLRMDR.EXE;GUESTMODEMSG.EXE;MSIEXEC.EXE;DFSVC.EXE;WUAPP.EXE;"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\datainst.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\wpnpinst.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\webpnpFile]
; Contents of value:
; @%SystemRoot%\system32\wpnpinst.exe,-50 
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
32,00,5c,00,77,00,70,00,6e,00,70,00,69,00,6e,00,73,00,74,00,2e,00,65,00,78,\
00,65,00,2c,00,2d,00,35,00,30,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\webpnpFile\shell\open\command]
; Contents of value:
; %SystemRoot%\system32\wpnpinst.exe %1 
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,70,00,\
6e,00,70,00,69,00,6e,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,25,00,31,\
00,00,00

; End Of The Log...
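The hex(2) and hex(7) values in the log above are .reg-syntax byte lists (REG_EXPAND_SZ and REG_MULTI_SZ, both UTF-16LE), which is why OTL prints the decoded text as comments beside them. The decoder below is an added example, not part of this thread or of OTL; it assumes the value syntax shown above, takes the FriendlyTypeName value from the log as sample input, and adds a constructed two-entry ProcessList rather than the full value from the log.

```python
import re

# In .reg syntax hex(1)/hex(2)/hex(7) are REG_SZ/REG_EXPAND_SZ/REG_MULTI_SZ,
# all stored as UTF-16LE bytes; any other hex(n) type is treated as binary.
_VALUE_RE = re.compile(r'^\s*(?:"([^"]*)"|(@))\s*=\s*hex\((\d+)\):(.*)$')
_STRING_TYPES = {1, 2, 7}


def parse_reg_hex(line):
    """Decode one hex(n) value (with backslash continuations) to (name, type, value)."""
    # A trailing backslash continues the byte list on the next line.
    joined = re.sub(r"\\\s*\n\s*", "", line.strip())
    m = _VALUE_RE.match(joined)
    if not m:
        raise ValueError("not a hex(n) value line: %r" % line[:40])
    name = m.group(1) if m.group(1) is not None else "@"  # '@' is the default value
    reg_type = int(m.group(3))
    raw = bytes(int(h, 16) for h in m.group(4).replace(" ", "").split(",") if h)
    if reg_type not in _STRING_TYPES:
        return name, reg_type, raw  # binary/dword data: hand back the bytes
    text = raw.decode("utf-16-le")
    if reg_type == 7:
        # REG_MULTI_SZ: NUL-separated strings, terminated by an empty string
        return name, reg_type, [s for s in text.split("\x00") if s]
    return name, reg_type, text.rstrip("\x00")


def iter_hex_values(log_text):
    """Yield (name, type, value) for every hex(n) value in a log chunk."""
    pending = []
    for raw_line in log_text.splitlines():
        if not pending and not _VALUE_RE.match(raw_line):
            continue  # comments, key headers and plain string values
        pending.append(raw_line)
        if raw_line.rstrip().endswith("\\"):
            continue  # more bytes follow on the next line
        yield parse_reg_hex("\n".join(pending))
        pending = []


# Sample input: FriendlyTypeName is copied from the log above; ProcessList is
# a constructed two-entry REG_MULTI_SZ, not the full value from the log.
SAMPLE_LOG = r'''"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
32,00,5c,00,77,00,70,00,6e,00,70,00,69,00,6e,00,73,00,74,00,2e,00,65,00,78,\
00,65,00,2c,00,2d,00,35,00,30,00,00,00
"ProcessList"=hex(7):69,00,6e,00,73,00,74,00,2e,00,65,00,78,00,65,00,00,00,6d,\
00,63,00,73,00,68,00,69,00,65,00,6c,00,64,00,2e,00,65,00,78,00,65,00,00,00,00,00'''
```

Running `dict((n, v) for n, _, v in iter_hex_values(SAMPLE_LOG))` yields the same strings OTL shows in its "Contents of value" comments, so a reviewer can check any hex value a log does not decode for them.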


----------



## imduffy (Aug 10, 2010)

Hey Kironnis,
Your machine is clean and I cannot see what is causing the inst.exe errors; please refer to the Operating Systems forum for support with this. I have outlined instructions below on how to clean up after the work we have done.

*Clean up Using OTL*

Open OTL to run it. (Vista users, right click on OTL and "Run as administrator")
Under the *Custom Scans/Fixes* box at the bottom, paste in the following


```
:commands
[CLEARALLRESTOREPOINTS]
```

Then click the *Run Fix* button at the top
Once it's finished, click on the CleanUp button.
Click Yes to begin the cleanup process and remove tools, including this application
You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes

*Recommendations*

*Using a limited user account*

Using a limited user account can greatly improve your security as it disables the effect the malicious code can have on your system. For more information please see this link:
http://blogs.msdn.com/b/aaron_margosis/archive/2004/06/17/157962.aspx
If you would like to create a limited user account:
For Windows XP: http://www.microsoft.com/windowsxp/using/setup/winxp/accounts.mspx#1
For Vista:
1.	Open User Accounts by clicking the Start button, clicking Control Panel, clicking User Accounts and Family Safety, and then clicking User Accounts.
2.	Click Manage another account. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3.	Click Create a new account.
4.	Type the name you want to give the user account, click an account type, and then click Create Account; when asked to select an account type, pick Limited.

*Switch from Internet explorer*

Internet Explorer makes it relatively easy for malicious software to install itself on your machine. This is done via two features known as ActiveX and Active Scripting. These were designed specifically to allow for better interaction with websites; however, they have been exploited greatly, which is not good.
For this reason I suggest an alternative browser. There are many out there; my personal preference is Mozilla Firefox or Opera.

*Install an anti-virus*

This is one of the most recommended things. Using a real-time anti-virus can help prevent infection caused by user misuse. My personal preference is Avast.

The following anti-virus software is also recommended by the community:

*AntiVir Personal*
*Microsoft Security Essentials*
*PC Tools AntiVirus*

*Update your anti-virus software*

Whats the point in having a light bulb if you have no electricity to power it? The same goes for your anti-virus; its updates are what power it. If youre not going to update it you may as well not use it. Using your anti-virus program without it being updated in some cases is more dangerous than using no anti-virus as it creates a sense of false security.

*Install a firewall*

This is one step highly recommended in the malware industry; personally I don't see a need for it at a home-user level. In this day and age most of us are running a router which has a built-in firewall that will block incoming connections, which should be enough.
If you are worried about monitoring outgoing connections on your machine, feel free to install a software-based firewall (Windows Vista and Windows 7 already have an outbound firewall built in). I recommend Comodo Firewall, which is freely downloadable from their website: http://www.comodo.com/home/download/download.php?prod=firewall
Others in the community also recommend the following:

*Online-Armor Free*
*Outpost Firewall Free*
*PC Tools Firewall Plus*
*Comodo Firewall*

*Be Smart!*

This is probably one of the most important things. Most infections these days are due to user fault; I can't stress how important it is to be cautious when browsing the internet.

*Watch what you download*
A lot of freeware programs come bundled with ad-ware that will slow down your machine and cause general hassle. Watch out for pre-checked options such as toolbars that are not required when installing software.
Avoid peer-to-peer programs such as Kazaa, LimeWire, iMesh etc. Peer-to-peer content in my experience is greatly infected and usually the cause of infection on clients' machines.
_Always be wary of files with the extensions .exe, .pif, .com and .bat.
If you are ever unsure about content you have downloaded feel free to scan it online for free:
http://virscan.org/_
If you visit a site and a popup appears saying that your computer is unsafe, ignore it! These are gimmicks which result in you installing a rogue anti-virus and possibly passing on credit-card details.
Avoid using warez and cracks; they are generally loaded with dangerous content.

*Spring Cleaning*

*TFC - Temp File Cleaner by OldTimer* - Cleans temporary files from IE and Windows, empties the recycle bin and more. A great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

*Auslogics Disc Defrag* or *JKDefrag* - Two good disc defragmenters for you to choose from.


----------



## Kironnis (Sep 29, 2010)

Hey imduffy,
I ran OTL as you said, already use Firefox, have McAfee Internet Security, and a firewall. I'm starting to think I might have a smart keylogger, and might just reformat my computer, which really sucks because I just did that a little while ago >.< Anyways, thanks again for all your help, appreciate it.


----------



## Kironnis (Sep 29, 2010)

Oh, also, I found out the program I mentioned in my first post that comes up when I'm browsing the internet is that stupid Antivirus 2010 thing, which is a fake antivirus program that installs itself on your comp and makes up fake infected files so you'll buy the "full version." Weird, all the stuff we ran should have picked it up.


----------



## imduffy (Aug 10, 2010)

Hi Kironnis,
From what you've said, the only possible thing I can think of is a possible infection on your router which is using DNS to redirect you to that "antivirus 2010" site.

Please reset your router (if it's supplied by your ISP, please make sure you know the required settings, if any)
and re-run a scan with Malwarebytes.


----------



## Kironnis (Sep 29, 2010)

Alright, thanks man, I'll be sure to do that. Just as I was coming here today, it did the same thing but went to one called System Security instead. Blah. I'll let you know how that goes.


----------



## imduffy (Aug 10, 2010)

Hi Kironnis,
Do you still require help with this issue?


----------



## SweetTech (Jan 1, 1970)

*Due to lack of response this topic is now closed.*

If you still require assistance with this issue you must open up a new thread in the Virus & Other Malware forum, please make sure that you post a new log, and then wait for a new helper to respond to your thread.


----------



## Cookiegal (Aug 27, 2003)

Closed due to inactivity.


----------

