Virtumonde.sdn

lolcats · Jun 19, 2009

Hi all,

My PC has a recurring virtumonde.sdn infection. Since yesterday I've run Spybot about 6 times (with windows running normally and later in safe mode), and each scan finds virtumonde.sdn. There are, however, no obvious symptoms of infection.

I use and update each of the following programs regularly: Spybot, Malwarebytes, Windows Defender, Avast! Antivirus, CCleaner. I use Comodo Firewall. Among these programs, only Spybot has found the infection. The programs VundoFix and VirtumundoBeGone (suggested on forums) do not find anything.

My PC is a Dell Inspion 1720 with Windows 7, installed a few weeks ago with minimal problems.

Any suggestions? Thanks!

HJT log posted below:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:33 AM, on 6/19/2009
Platform: Unknown Windows (WinNT 6.01.3004)
MSIE: Internet Explorer v8.00 (8.00.7100.0000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\USERS\[me]\DESKTOP\UTILITIES\PROCEXP.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7977] command.com /c del "C:\Windows\System32\rpcnet.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7596] cmd.exe /c del "C:\Windows\System32\rpcnet.dll"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA3125] command.com /c del "C:\Windows\System32\rpcnet.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8729] cmd.exe /c del "C:\Windows\System32\rpcnet.dll_old"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB4857] command.com /c del "C:\Windows\System32\rpcnet.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1160] cmd.exe /c del "C:\Windows\System32\rpcnet.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 7077 bytes

ken545 · Jun 21, 2009

Hello lolcats

Welcome to Safer Networking.

Please read Before You Post
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Do this first...Important

Disable the TeaTimer, leave it disabled, do not turn it back on until we're done or it will prevent fixes from taking

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect

Please do not proceed until the TeaTimer is disabled

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.

lolcats · Jun 22, 2009

Malwarebytes' Anti-Malware 1.38
Database version: 2323
Windows 6.1.7100

6/22/2009 4:14:03 PM
mbam-log-2009-06-22 (16-14-03).txt

Scan type: Quick Scan
Objects scanned: 76275
Time elapsed: 3 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:11 PM, on 6/22/2009
Platform: Unknown Windows (WinNT 6.01.3004)
MSIE: Internet Explorer v8.00 (8.00.7100.0000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Users\[me]\Desktop\Utilities\procexp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA4963] command.com /c del "C:\Windows\System32\rpcnet.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6220] cmd.exe /c del "C:\Windows\System32\rpcnet.dll_old"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 6392 bytes

ken545 · Jun 22, 2009

Hello,

Make sure Spybot Search and Destroy is closed, Reboot your computer.

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

These may be gone
O4 - HKLM\..\RunOnce: [SpybotDeletingA4963] command.com /c del "C:\Windows\System32\rpcnet.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6220] cmd.exe /c del "C:\Windows\System32\rpcnet.dll_old"

Please download ATF Cleaner by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

lolcats · Jun 23, 2009

Thank you for the response.

Both of the HJT entries that you said to delete did not appear in my most recent scan.

I ran ATF-cleaner with no problems.

Combo-fix gives me an error message that says it will only run on Windows 2000 and XP. I am using Windows 7. I attempted to use compatibility settings and the same error message appeared.

ken545 · Jun 23, 2009

Ahhhh Windows 7, how do you like it??

Not sure what tools will run on 7

This wont fix anything but will give a good report

Download OTL to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
  Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

lolcats · Jun 23, 2009

Extras.txt

OTL Extras logfile created on: 6/22/2009 10:03:44 PM - Run 1
OTL by OldTimer - Version 3.0.5.0 Folder = C:\Users\[me]\Desktop
Ultimate Edition (Version = 6.1.7100) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7100.0)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 170.80 Gb Total Space | 102.82 Gb Free Space | 60.20% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: COMPY
Current User Name: [me]
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\Windows\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
Reg Error: Unknown registry data type File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{4E5386F5-C0F6-4532-A54A-374865AEAB71}" = Cisco PEAP Module
"{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}" = iTunes
"{612B9183-67A9-4B44-9877-2F059E35B86A}" = Broadcom 440x 10/100 Integrated Controller
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76F9CF97-FC4B-4E20-B363-D127C888448F}" = Cisco LEAP Module
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{AFA20D47-69C3-4030-8DF8-D37466E70F13}" = Apple Mobile Device Support
"{B3141D63-DF59-45F1-B7C9-48A07FD9D7B3}" = MozyHome Remote Backup
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BF53252E-4AB2-4C7F-A0FD-6100755745E3}" = Cisco EAP-FAST Module
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Audacity_is1" = Audacity 1.2.6
"avast!" = avast! Antivirus
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CCleaner" = CCleaner (remove only)
"COMODO Internet Security" = COMODO Internet Security
"EASEUS Partition Master Home Edition_is1" = EASEUS Partition Master 3.5 Home Edition
"ERUNT_is1" = ERUNT 1.1j
"Foxit Reader" = Foxit Reader
"FoxyTunesForFirefox" = FoxyTunes for Firefox
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"JDiskReport 1.3.1" = JGoodies JDiskReport 1.3.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.0.11)" = Mozilla Firefox (3.0.11)
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa 3" = Picasa 3
"PowerISO" = PowerISO
"RadarSync" = RadarSync
"Revo Uninstaller" = Revo Uninstaller 1.83
"RiseOfNationsExpansion 1.0" = Rise of Nations
"Starcraft" = Starcraft
"Steam App 440" = Team Fortress 2
"Steam App 4700" = Medieval II: Total War
"Steam App 4780" = Medieval II: Total War Kingdoms
"Trillian" = Trillian
"VLC media player" = VLC media player 0.9.9
"WinRAR archiver" = WinRAR archiver

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"WinDirStat" = WinDirStat 1.1.2

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 6/18/2009 8:05:36 PM | Computer Name = Compy | Source = avast! | ID = 33554522
Description = Internal error has occurred in module aswar scan function failed!,
function 00000002.

[ Application Events ]
Error - 6/22/2009 1:07:36 PM | Computer Name = Compy | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7100.0, time
stamp: 0x49ee8c24 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception
code: 0xc0000005 Fault offset: 0x003f2ea1 Faulting process id: 0x3c4 Faulting application
start time: 0x01c9f35bef86efe6 Faulting application path: C:\Windows\System32\svchost.exe
Faulting
module path: unknown Report Id: 2e78e073-5f4f-11de-907e-001d09d65be8

Error - 6/22/2009 2:25:26 PM | Computer Name = Compy | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7100.0, time
stamp: 0x49ee8c24 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception
code: 0xc0000005 Fault offset: 0x003f2ea1 Faulting process id: 0x148c Faulting application
start time: 0x01c9f366cf2e5cf2 Faulting application path: C:\Windows\System32\svchost.exe
Faulting
module path: unknown Report Id: 0e0460a6-5f5a-11de-907e-001d09d65be8

Error - 6/22/2009 2:37:10 PM | Computer Name = Compy | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. The BaseIndex value from the
Performance registry is the first DWORD in the Data section, LastCounter value
is the second DWORD in the Data section, and LastHelp value is the third DWORD in
the Data section.

Error - 6/22/2009 2:37:10 PM | Computer Name = Compy | Source = Microsoft-Windows-LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The first DWORD in the Data section contains the error code.

Error - 6/22/2009 6:57:26 PM | Computer Name = Compy | Source = VSS | ID = 8194
Description =

Error - 6/22/2009 7:04:57 PM | Computer Name = Compy | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. The BaseIndex value from the
Performance registry is the first DWORD in the Data section, LastCounter value
is the second DWORD in the Data section, and LastHelp value is the third DWORD in
the Data section.

Error - 6/22/2009 7:04:57 PM | Computer Name = Compy | Source = Microsoft-Windows-LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The first DWORD in the Data section contains the error code.

Error - 6/22/2009 7:14:45 PM | Computer Name = Compy | Source = VSS | ID = 8194
Description =

Error - 6/22/2009 7:47:05 PM | Computer Name = Compy | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. The BaseIndex value from the
Performance registry is the first DWORD in the Data section, LastCounter value
is the second DWORD in the Data section, and LastHelp value is the third DWORD in
the Data section.

Error - 6/22/2009 7:47:05 PM | Computer Name = Compy | Source = Microsoft-Windows-LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The first DWORD in the Data section contains the error code.

[ Broadcom Wireless LAN Events ]
Error - 6/12/2009 4:09:47 AM | Computer Name = Compy | Source = WLAN-Tray | ID = 0
Description = 04:09:47, Fri, Jun 12, 09 Error - Unable to gain access to user store

[ System Events ]
Error - 6/22/2009 2:31:55 PM | Computer Name = Compy | Source = Service Control Manager | ID = 7000
Description = The BCM42RLY service failed to start due to the following error: %%2

Error - 6/22/2009 4:08:06 PM | Computer Name = Compy | Source = Service Control Manager | ID = 7000
Description = The BCM42RLY service failed to start due to the following error: %%2

Error - 6/22/2009 4:08:06 PM | Computer Name = Compy | Source = Service Control Manager | ID = 7000
Description = The BCM42RLY service failed to start due to the following error: %%2

Error - 6/22/2009 6:58:51 PM | Computer Name = Compy | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AVG Anti-Spyware Driver AvgAsCln

Error - 6/22/2009 6:58:54 PM | Computer Name = Compy | Source = Service Control Manager | ID = 7000
Description = The BCM42RLY service failed to start due to the following error: %%2

Error - 6/22/2009 6:58:55 PM | Computer Name = Compy | Source = Service Control Manager | ID = 7000
Description = The BCM42RLY service failed to start due to the following error: %%2

Error - 6/22/2009 6:58:56 PM | Computer Name = Compy | Source = Service Control Manager | ID = 7000
Description = The BCM42RLY service failed to start due to the following error: %%2

Error - 6/22/2009 6:58:56 PM | Computer Name = Compy | Source = Service Control Manager | ID = 7000
Description = The BCM42RLY service failed to start due to the following error: %%2

Error - 6/22/2009 6:59:49 PM | Computer Name = Compy | Source = Service Control Manager | ID = 7000
Description = The BCM42RLY service failed to start due to the following error: %%2

Error - 6/22/2009 6:59:49 PM | Computer Name = Compy | Source = Service Control Manager | ID = 7000
Description = The BCM42RLY service failed to start due to the following error: %%2

< End of report >

lolcats · Jun 23, 2009

OTL.txt #1

OTL logfile created on: 6/22/2009 10:03:44 PM - Run 1
OTL by OldTimer - Version 3.0.5.0 Folder = C:\Users\[me]\Desktop
Ultimate Edition (Version = 6.1.7100) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7100.0)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 170.80 Gb Total Space | 102.82 Gb Free Space | 60.20% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: COMPY
Current User Name: [me]
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe ()
PRC - C:\Windows\System32\WLTRYSVC.EXE ()
PRC - C:\Windows\System32\conhost.exe (Microsoft Corporation)
PRC - C:\Windows\System32\bcmwltry.exe (Dell Inc.)
PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (GRISOFT s.r.o.)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\Program Files\MozyHome\mozybackup.exe (Mozy, Inc.)
PRC - C:\Windows\System32\rpcnet.exe (Absolute Software Corp.)
PRC - C:\Program Files\MozyHome\mozybackup.exe (Mozy, Inc.)
PRC - C:\Windows\System32\WUDFHost.exe (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Program Files\MozyHome\mozybackup.exe (Mozy, Inc.)
PRC - C:\Windows\Explorer.EXE (Microsoft Corporation)
PRC - C:\USERS\[me]\DESKTOP\UTILITIES\PROCEXP.EXE (Sysinternals - www.sysinternals.com)
PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Program Files\COMODO\COMODO Internet Security\cfp.exe ()
PRC - C:\Windows\System32\WLTRAY.EXE (Dell Inc.)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\Steam\Steam.exe (Valve Corporation)
PRC - C:\Program Files\MozyHome\mozystat.exe (Mozy, Inc.)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Steam\SteamService.exe (Valve Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Users\[me]\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (AppIDSvc [On_Demand | Stopped]) -- C:\Windows\System32\appidsvc.dll (Microsoft Corporation)
SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (aswUpdSv [Auto | Running]) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (avast! Antivirus [Auto | Running]) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner [On_Demand | Stopped]) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner [On_Demand | Stopped]) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (AVG Anti-Spyware Guard [Auto | Running]) -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (GRISOFT s.r.o.)
SRV - (AxInstSV [On_Demand | Stopped]) -- C:\Windows\System32\AxInstSV.dll (Microsoft Corporation)
SRV - (BDESVC [Unknown | Stopped]) -- C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
SRV - (Bonjour Service [Auto | Running]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (cmdAgent [Auto | Running]) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe ()
SRV - (defragsvc [On_Demand | Stopped]) -- C:\Windows\System32\defragsvc.dll (Microsoft Corporation)
SRV - (Dhcp [Auto | Running]) -- C:\Windows\System32\dhcpcore.dll (Microsoft Corporation)
SRV - (ehRecvr [On_Demand | Stopped]) -- C:\Windows\ehome\ehRecvr.exe (Microsoft Corporation)
SRV - (ehSched [On_Demand | Stopped]) -- C:\Windows\ehome\ehsched.exe (Microsoft Corporation)
SRV - (eventlog [Auto | Running]) -- C:\Windows\System32\wevtsvc.dll (Microsoft Corporation)
SRV - (FontCache [On_Demand | Stopped]) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (gusvc [On_Demand | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (HomeGroupListener [On_Demand | Running]) -- C:\Windows\System32\ListSvc.dll (Microsoft Corporation)
SRV - (HomeGroupProvider [On_Demand | Running]) -- C:\Windows\System32\provsvc.dll (Microsoft Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (mozybackup [Auto | Running]) -- C:\Program Files\MozyHome\mozybackup.exe (Mozy, Inc.)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (p2pimsvc [On_Demand | Running]) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc [On_Demand | Stopped]) -- C:\Windows\System32\peerdistsvc.dll (Microsoft Corporation)
SRV - (PNRPAutoReg [On_Demand | Stopped]) -- C:\Windows\System32\pnrpauto.dll (Microsoft Corporation)
SRV - (PNRPsvc [On_Demand | Running]) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (Power [Auto | Running]) -- C:\Windows\System32\umpo.dll (Microsoft Corporation)
SRV - (RpcEptMapper [Unknown | Running]) -- C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation)
SRV - (rpcnet [Auto | Running]) -- C:\Windows\System32\rpcnet.exe (Absolute Software Corp.)
SRV - (SensrSvc [On_Demand | Stopped]) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (sppsvc [Auto | Stopped]) -- C:\Windows\System32\sppsvc.exe (Microsoft Corporation)
SRV - (sppuinotify [On_Demand | Stopped]) -- C:\Windows\System32\sppuinotify.dll (Microsoft Corporation)
SRV - (Steam Client Service [On_Demand | Running]) -- C:\Program Files\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (Themes [Auto | Running]) -- C:\Windows\System32\themeservice.dll (Microsoft Corporation)
SRV - (WbioSrvc [On_Demand | Stopped]) -- C:\Windows\System32\wbiosrvc.dll (Microsoft Corporation)
SRV - (WinDefend [Auto | Running]) -- C:\Program Files\Windows Defender\mpsvc.dll (Microsoft Corporation)
SRV - (wltrysvc [Auto | Running]) -- C:\Windows\System32\WLTRYSVC.EXE ()
SRV - (WMPNetworkSvc [Auto | Running]) -- C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
SRV - (WwanSvc [On_Demand | Stopped]) -- C:\Windows\System32\wwansvc.dll (Microsoft Corporation)
SRV - (SBSDWSCService [Auto | Stopped]) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)

========== Driver Services (SafeList) ==========

DRV - (1394ohci [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\1394ohci.sys (Microsoft Corporation)
DRV - (AcpiPmi [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\acpipmi.sys (Microsoft Corporation)
DRV - (adp94xx [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\adp94xx.sys (Adaptec, Inc.)
DRV - (adpahci [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\adpahci.sys (Adaptec, Inc.)
DRV - (adpu320 [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (aic78xx [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\djsvs.sys (Adaptec, Inc.)
DRV - (aliide [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (AmdPPM [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\amdppm.sys (Microsoft Corporation)
DRV - (amdsata [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\amdsata.sys (AMD)
DRV - (amdsbs [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\amdsbs.sys (AMD Technologies Inc.)
DRV - (amdxata [Boot | Running]) -- C:\Windows\system32\DRIVERS\amdxata.sys (AMD)
DRV - (ApfiltrService [On_Demand | Stopped]) -- C:\Windows\System32\DRIVERS\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (AppID [On_Demand | Stopped]) -- C:\Windows\system32\drivers\appid.sys (Microsoft Corporation)
DRV - (arc [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\arc.sys (Adaptec, Inc.)
DRV - (arcsas [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\arcsas.sys (Adaptec, Inc.)
DRV - (aswFsBlk [Auto | Running]) -- C:\Windows\System32\DRIVERS\aswFsBlk.sys (ALWIL Software)
DRV - (aswMonFlt [Auto | Running]) -- C:\Windows\System32\DRIVERS\aswMonFlt.sys (ALWIL Software)
DRV - (aswRdr [System | Running]) -- C:\Windows\System32\drivers\aswRdr.sys (ALWIL Software)
DRV - (aswSP [System | Running]) -- C:\Windows\System32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswTdi [System | Running]) -- C:\Windows\System32\drivers\aswTdi.sys (ALWIL Software)
DRV - (AVG Anti-Spyware Driver [System | Stopped]) -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ()
DRV - (AvgAsCln [System | Stopped]) -- C:\Windows\System32\DRIVERS\AvgAsCln.sys ()
DRV - (b06bdrv [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\bxvbdx.sys (Broadcom Corporation)
DRV - (b57nd60x [On_Demand | Stopped]) -- C:\Windows\System32\DRIVERS\b57nd60x.sys (Broadcom Corporation)
DRV - (BCM43XX [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\bcmwl6.sys (Broadcom Corp.)
DRV - (bcm4sbxp [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\bcm4sbxp.sys (Broadcom Corporation)
DRV - (BrFiltLo [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.)
DRV - (Brserid [On_Demand | Stopped]) -- C:\Windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.)
DRV - (BrSerWdm [On_Demand | Stopped]) -- C:\Windows\System32\Drivers\BrSerWdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm [On_Demand | Stopped]) -- C:\Windows\System32\Drivers\BrUsbMdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer [On_Demand | Stopped]) -- C:\Windows\System32\Drivers\BrUsbSer.sys (Brother Industries Ltd.)
DRV - (cmdGuard [System | Running]) -- C:\Windows\System32\DRIVERS\cmdguard.sys (COMODO)
DRV - (cmdHlp [System | Running]) -- C:\Windows\System32\DRIVERS\cmdhlp.sys (COMODO)
DRV - (cmdide [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (CNG [Boot | Running]) -- C:\Windows\System32\Drivers\cng.sys (Microsoft Corporation)
DRV - (CompositeBus [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\CompositeBus.sys (Microsoft Corporation)
DRV - (discache [System | Running]) -- C:\Windows\System32\drivers\discache.sys (Microsoft Corporation)
DRV - (ebdrv [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\evbdx.sys (Broadcom Corporation)
DRV - (elxstor [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\elxstor.sys (Emulex)
DRV - (epmntdrv [On_Demand | Stopped]) -- C:\Windows\System32\epmntdrv.sys ()
DRV - (EuGdiDrv [On_Demand | Stopped]) -- C:\Windows\System32\EuGdiDrv.sys ()
DRV - (FsDepends [On_Demand | Stopped]) -- C:\Windows\System32\drivers\FsDepends.sys (Microsoft Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (hcw85cir [On_Demand | Stopped]) -- C:\Windows\system32\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (HidBatt [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\HidBatt.sys (Microsoft Corporation)
DRV - (HpSAMD [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\HpSAMD.sys (Hewlett-Packard Company)
DRV - (hwpolicy [Boot | Running]) -- C:\Windows\System32\drivers\hwpolicy.sys (Microsoft Corporation)
DRV - (iaStorV [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\iaStorV.sys (Intel Corporation)
DRV - (iirsp [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (inspect [System | Running]) -- C:\Windows\System32\DRIVERS\inspect.sys (COMODO)
DRV - (KSecPkg [Boot | Running]) -- C:\Windows\System32\Drivers\ksecpkg.sys (Microsoft Corporation)
DRV - (LSI_FC [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\lsi_fc.sys (LSI Corporation)
DRV - (LSI_SAS [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\lsi_sas.sys (LSI Corporation)
DRV - (LSI_SAS2 [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\lsi_sas2.sys (LSI Corporation)
DRV - (LSI_SCSI [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\lsi_scsi.sys (LSI Corporation)
DRV - (megasas [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\megasas.sys (LSI Corporation)
DRV - (MegaSR [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\MegaSR.sys (LSI Corporation, Inc.)
DRV - (mozyFilter [System | Running]) -- C:\Windows\System32\DRIVERS\mozy.sys (Mozy, Inc.)
DRV - (mshidkmdf [On_Demand | Stopped]) -- C:\Windows\System32\drivers\mshidkmdf.sys (Microsoft Corporation)
DRV - (MTConfig [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\MTConfig.sys (Microsoft Corporation)
DRV - (NdisCap [On_Demand | Stopped]) -- C:\Windows\System32\DRIVERS\ndiscap.sys (Microsoft Corporation)
DRV - (nfrd960 [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\nfrd960.sys (IBM Corporation)
DRV - (nvlddmkm [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\nvlddmkm.sys (NVIDIA Corporation)
DRV - (nvraid [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\nvraid.sys (NVIDIA Corporation)
DRV - (nvstor [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\nvstor.sys (NVIDIA Corporation)
DRV - (pcw [Boot | Running]) -- C:\Windows\System32\drivers\pcw.sys (Microsoft Corporation)
DRV - (ql2300 [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\ql2300.sys (QLogic Corporation)
DRV - (ql40xx [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\ql40xx.sys (QLogic Corporation)
DRV - (RasAgileVpn [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\AgileVpn.sys (Microsoft Corporation)
DRV - (rdpbus [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\rdpbus.sys (Microsoft Corporation)
DRV - (RDPREFMP [System | Running]) -- C:\Windows\System32\drivers\rdprefmp.sys (Microsoft Corporation)
DRV - (rdyboost [Boot | Running]) -- C:\Windows\System32\drivers\rdyboost.sys (Microsoft Corporation)
DRV - (rimmptsk [Auto | Running]) -- C:\Windows\System32\DRIVERS\rimmptsk.sys (REDC)
DRV - (rimsptsk [Auto | Running]) -- C:\Windows\System32\DRIVERS\rimsptsk.sys (REDC)
DRV - (rismxdp [Auto | Running]) -- C:\Windows\System32\DRIVERS\rixdptsk.sys (REDC)
DRV - (s3cap [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\vms3cap.sys (Microsoft Corporation)
DRV - (SCDEmu [System | Running]) -- C:\Windows\System32\drivers\scdemu.sys (PowerISO Computing, Inc.)
DRV - (scfilter [Unknown | Stopped]) -- C:\Windows\System32\DRIVERS\scfilter.sys (Microsoft Corporation)
DRV - (secdrv [Auto | Running]) -- C:\Windows\System32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SiSRaid2 [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\SiSRaid2.sys (Silicon Integrated Systems Corp.)
DRV - (SiSRaid4 [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\sisraid4.sys (Silicon Integrated Systems)
DRV - (sptd [Boot | Running]) -- C:\Windows\System32\Drivers\sptd.sys ()
DRV - (SrvHsfHDA [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\VSTAZL3.SYS (Conexant Systems, Inc.)
DRV - (SrvHsfV92 [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\VSTDPV3.SYS (Conexant Systems, Inc.)
DRV - (SrvHsfWinac [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\VSTCNXT3.SYS (Conexant Systems, Inc.)
DRV - (stexstor [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\stexstor.sys (Promise Technology)
DRV - (storflt [Boot | Running]) -- C:\Windows\system32\DRIVERS\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\storvsc.sys (Microsoft Corporation)
DRV - (UmPass [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\umpass.sys (Microsoft Corporation)
DRV - (usbaudio [On_Demand | Stopped]) -- C:\Windows\System32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (vdrvroot [Boot | Running]) -- C:\Windows\system32\DRIVERS\vdrvroot.sys (Microsoft Corporation)
DRV - (vhdmp [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\vhdmp.sys (Microsoft Corporation)
DRV - (viaide [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\viaide.sys (VIA Technologies, Inc.)
DRV - (vmbus [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\vmbus.sys (Microsoft Corporation)
DRV - (VMBusHID [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\VMBusHID.sys (Microsoft Corporation)
DRV - (vsmraid [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (vwifibus [On_Demand | Stopped]) -- C:\Windows\System32\DRIVERS\vwifibus.sys (Microsoft Corporation)
DRV - (vwififlt [System | Running]) -- C:\Windows\System32\DRIVERS\vwififlt.sys (Microsoft Corporation)
DRV - (WfpLwf [System | Running]) -- C:\Windows\System32\DRIVERS\wfplwf.sys (Microsoft Corporation)
DRV - (WIMMount [On_Demand | Stopped]) -- C:\Windows\System32\drivers\wimmount.sys (Microsoft Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = CB 75 D5 60 99 E5 C9 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://en.wikipedia.org/wiki/Main_Page|https://mail.google.com/mail/?zx=1dlrvy6ifk99q&shva=1#inbox|https://www.google.com/calendar/render?tab=mc"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.0.2
FF - prefs.js..extensions.enabledItems: {097d3191-e6fa-4728-9826-b533d755359d}:0.7.10
FF - prefs.js..extensions.enabledItems: piclens@cooliris.com:1.10
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.3
FF - prefs.js..extensions.enabledItems: firegestures@xuldev.org:1.5
FF - prefs.js..extensions.enabledItems: {463F6CA5-EE3C-4be1-B7E6-7FEE11953374}:3.5.6.1
FF - prefs.js..extensions.enabledItems: {bbfec13c-8cb2-53f2-b852-999eb2a852c9}:0.1.4
FF - prefs.js..extensions.enabledItems: {5546F97E-11A5-46b0-9082-32AD74AAA920}:0.5.5.5
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:2.2.0.102
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.11
FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.64

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/04/22 04:55:53 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/06/13 01:20:07 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/06/12 23:59:18 | 00,000,000 | ---D | M]

[2009/05/30 20:10:50 | 00,000,000 | ---D | M] -- C:\Users\[me]\AppData\Roaming\mozilla\Extensions
[2009/05/30 20:10:50 | 00,000,000 | ---D | M] -- C:\Users\[me]\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/06/22 21:33:48 | 00,000,000 | ---D | M] -- C:\Users\[me]\AppData\Roaming\mozilla\Firefox\Profiles\rxtxfxe7.default\extensions
[2009/05/30 23:52:32 | 00,000,000 | ---D | M] -- C:\Users\[me]\AppData\Roaming\mozilla\Firefox\Profiles\rxtxfxe7.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}
[2009/05/30 23:52:29 | 00,000,000 | ---D | M] -- C:\Users\[me]\AppData\Roaming\mozilla\Firefox\Profiles\rxtxfxe7.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/06/07 12:23:23 | 00,000,000 | ---D | M] -- C:\Users\[me]\AppData\Roaming\mozilla\Firefox\Profiles\rxtxfxe7.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
[2009/06/05 20:32:06 | 00,000,000 | ---D | M] -- C:\Users\[me]\AppData\Roaming\mozilla\Firefox\Profiles\rxtxfxe7.default\extensions\{5546F97E-11A5-46b0-9082-32AD74AAA920}
[2009/06/03 14:57:51 | 00,000,000 | ---D | M] -- C:\Users\[me]\AppData\Roaming\mozilla\Firefox\Profiles\rxtxfxe7.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
[2009/05/30 23:52:30 | 00,000,000 | ---D | M] -- C:\Users\[me]\AppData\Roaming\mozilla\Firefox\Profiles\rxtxfxe7.default\extensions\{bbfec13c-8cb2-53f2-b852-999eb2a852c9}
[2009/05/30 23:52:29 | 00,000,000 | ---D | M] -- C:\Users\[me]\AppData\Roaming\mozilla\Firefox\Profiles\rxtxfxe7.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/06/20 21:58:07 | 00,000,000 | ---D | M] -- C:\Users\[me]\AppData\Roaming\mozilla\Firefox\Profiles\rxtxfxe7.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2009/06/09 11:06:30 | 00,000,000 | ---D | M] -- C:\Users\[me]\AppData\Roaming\mozilla\Firefox\Profiles\rxtxfxe7.default\extensions\firegestures@xuldev.org
[2009/06/03 17:24:05 | 00,000,000 | ---D | M] -- C:\Users\[me]\AppData\Roaming\mozilla\Firefox\Profiles\rxtxfxe7.default\extensions\piclens@cooliris.com
[2009/06/22 22:03:16 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/06/12 23:59:18 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/05/31 00:53:13 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
[2009/06/12 23:59:14 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/06/12 23:59:14 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/06/11 15:21:22 | 00,072,960 | ---- | M] (Foxit Software Company) -- C:\Program Files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
[2009/06/12 23:59:16 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2006/10/26 20:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL
[2009/05/31 02:09:17 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/05/31 02:09:17 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/05/31 02:09:17 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/05/31 02:09:17 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/05/31 02:09:17 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/05/31 02:09:18 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/05/31 02:09:18 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2009/04/23 20:39:08 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/04/23 20:39:08 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/04/23 20:39:08 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/04/23 20:39:08 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/04/23 20:39:08 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/04/23 20:39:08 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/04/23 20:39:08 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

lolcats · Jun 23, 2009

OTL.txt #2

O1 HOSTS File: (307262 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 123haustiereundmehr.com
O1 - Hosts: 10573 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\Windows\System32\WLTRAY.exe (Dell Inc.)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe ()
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\Windows\System32\nvHotkey.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - HKLM..\RunOnce: [Spybot - Search & Destroy] C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe (Safer Networking Limited)
O4 - HKLM..\RunOnce: [SpybotDeletingA9228] C:\Windows\System32\command.com ()
O4 - HKLM..\RunOnce: [SpybotDeletingC1030] C:\Windows\System32\cmd.exe (Microsoft Corporation)
O4 - HKCU..\RunOnce: [SpybotDeletingB5085] C:\Windows\System32\command.com ()
O4 - HKCU..\RunOnce: [SpybotDeletingD1518] C:\Windows\System32\cmd.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\System32\NLAapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\napinsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.64.150 68.87.75.198
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/20 11:42:25 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/06/22 21:59:26 | 00,512,512 | ---- | C] (OldTimer Tools) -- C:\Users\[me]\Desktop\OTL.exe
[2009/06/22 19:43:24 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Local\Apple
[2009/06/22 19:43:16 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Local\Apple Computer
[2009/06/22 19:30:13 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
[2009/06/22 19:16:51 | 00,301,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\cmd.execf
[2009/06/22 19:10:07 | 03,038,734 | ---- | C] () -- C:\Users\[me]\Desktop\ComboFix.exe
[2009/06/22 18:58:48 | 00,056,680 | ---- | C] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.dll_old
[2009/06/19 19:49:03 | 00,001,809 | ---- | C] () -- C:\Users\[me]\Desktop\Medieval II Total War Kingdoms.lnk
[2009/06/19 19:43:03 | 02,388,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_30.dll
[2009/06/19 13:17:57 | 02,342,522 | -H-- | C] () -- C:\Users\[me]\AppData\Local\IconCache.db
[2009/06/19 11:45:14 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/06/18 23:18:02 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2009/06/18 22:50:50 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/06/18 22:30:00 | 00,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2009/06/18 22:30:00 | 00,000,000 | RHS- | C] () -- C:\IO.SYS
[2009/06/18 14:09:43 | 00,000,582 | ---- | C] () -- C:\Windows\wininit.ini
[2009/06/13 10:32:26 | 00,000,000 | ---D | C] -- C:\Program Files\PowerISO
[2009/06/12 17:09:20 | 00,001,646 | ---- | C] () -- C:\Users\[me]\Desktop\Starcraft.lnk
[2009/06/12 16:52:45 | 00,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Lite
[2009/06/12 16:52:43 | 00,000,000 | ---D | C] -- C:\Program Files\DAEMON Tools Toolbar
[2009/06/12 16:50:03 | 00,721,904 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2009/06/12 16:49:38 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Roaming\DAEMON Tools Lite
[2009/06/12 16:44:48 | 00,094,208 | ---- | C] (Blizzard Entertainment) -- C:\Windows\ScUnin.exe
[2009/06/12 16:44:48 | 00,012,782 | ---- | C] () -- C:\Windows\scunin.dat
[2009/06/12 16:44:48 | 00,000,967 | ---- | C] () -- C:\Windows\ScUnin.pif
[2009/06/12 16:42:16 | 00,000,000 | ---D | C] -- C:\Program Files\Starcraft
[2009/06/12 16:35:12 | 00,000,000 | ---D | C] -- C:\Users\[me]\Desktop\RonGold
[2009/06/11 15:22:35 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Roaming\Foxit
[2009/06/11 15:22:17 | 00,000,000 | ---D | C] -- C:\Program Files\Foxit Software
[2009/06/11 00:58:02 | 00,011,142 | ---- | C] () -- C:\Users\[me]\Desktop\summer.docx
[2009/06/07 18:32:45 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Local\ElevatedDiagnostics
[2009/06/07 01:10:45 | 00,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2009/06/05 07:28:58 | 03,920,612 | ---- | C] () -- C:\Users\[me]\Desktop\P6050001.JPG
[2009/06/03 23:00:45 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Roaming\dvdcss
[2009/06/03 21:00:01 | 00,122,440 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat
[2009/06/03 17:24:10 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Local\Cooliris
[2009/06/01 14:36:47 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/06/01 01:39:13 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Works
[2009/06/01 01:39:02 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2009/06/01 01:38:52 | 00,000,000 | ---D | C] -- C:\Windows\PCHEALTH
[2009/06/01 01:38:52 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2009/06/01 01:37:41 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Local\Microsoft Help
[2009/06/01 01:37:38 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2009/06/01 01:37:37 | 00,000,000 | ---D | C] -- C:\ProgramData\Microsoft Help
[2009/06/01 01:37:09 | 00,000,000 | RH-D | C] -- C:\MSOCache
[2009/06/01 00:38:45 | 00,000,000 | ---D | C] -- C:\Users\[me]\Desktop\MSOffice
[2009/05/31 23:58:06 | 00,000,000 | ---D | C] -- C:\Users\[me]\Desktop\Desktop
[2009/05/31 23:39:39 | 00,000,000 | ---D | C] -- C:\Windows\Downloaded Installations
[2009/05/31 22:19:04 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Roaming\Adobe
[2009/05/31 22:16:48 | 00,000,000 | ---D | C] -- C:\Program Files\Project64 1.6
[2009/05/31 22:15:43 | 00,000,000 | ---D | C] -- C:\Windows\System32\Macromed
[2009/05/31 02:10:16 | 00,002,429 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2009/05/31 02:10:01 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/05/31 02:10:00 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/05/31 02:08:55 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/05/31 01:40:19 | 01,907,712 | ---- | C] () -- C:\Windows\System32\BootMan.exe
[2009/05/31 01:40:19 | 00,086,408 | ---- | C] () -- C:\Windows\System32\setupempdrv03.exe
[2009/05/31 01:40:19 | 00,014,848 | ---- | C] () -- C:\Windows\System32\EuEpmGdi.dll
[2009/05/31 01:40:19 | 00,009,728 | ---- | C] () -- C:\Windows\System32\epmntdrv.sys
[2009/05/31 01:40:19 | 00,003,072 | ---- | C] () -- C:\Windows\System32\EuGdiDrv.sys
[2009/05/31 01:40:07 | 00,000,000 | ---D | C] -- C:\Program Files\EASEUS
[2009/05/31 01:30:48 | 00,000,000 | ---D | C] -- C:\Users\[me]\Desktop\More Music
[2009/05/31 01:30:38 | 00,000,000 | ---D | C] -- C:\Users\[me]\Desktop\Shamanism
[2009/05/31 01:28:00 | 00,001,791 | ---- | C] () -- C:\Users\[me]\Desktop\Medieval II Total War.lnk
[2009/05/31 01:24:34 | 00,001,064 | ---- | C] () -- C:\Users\Public\Desktop\Picasa 3.lnk
[2009/05/31 01:24:34 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PX Storage Engine
[2009/05/31 01:24:16 | 00,000,000 | ---D | C] -- C:\Program Files\JGoodies
[2009/05/31 01:24:01 | 00,000,000 | ---D | C] -- C:\Windows\System32\IOSUBSYS
[2009/05/31 01:22:27 | 00,000,000 | ---D | C] -- C:\Program Files\WinDirStat
[2009/05/31 01:18:42 | 00,000,000 | ---D | C] -- C:\Users\[me]\Desktop\[me]'s Folder
[2009/05/31 01:16:52 | 00,001,934 | ---- | C] () -- C:\Users\[me]\Desktop\Rise of Nations Gold.lnk
[2009/05/31 01:15:22 | 00,001,827 | ---- | C] () -- C:\Users\[me]\Desktop\Team Fortress 2.lnk
[2009/05/31 01:12:03 | 00,000,000 | R--D | C] -- C:\Users\[me]\Desktop\Downloads
[2009/05/31 00:56:28 | 00,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
[2009/05/31 00:56:27 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Roaming\skypePM
[2009/05/31 00:55:12 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Roaming\Skype
[2009/05/31 00:53:19 | 00,002,503 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
[2009/05/31 00:53:15 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2009/05/31 00:53:13 | 00,000,000 | R--D | C] -- C:\Program Files\Skype
[2009/05/31 00:52:45 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Roaming\Macromedia
[2009/05/31 00:52:41 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Local\Google
[2009/05/31 00:52:29 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Steam
[2009/05/31 00:52:28 | 00,002,513 | ---- | C] () -- C:\Users\Public\Desktop\Steam.lnk
[2009/05/31 00:52:27 | 00,000,000 | ---D | C] -- C:\Program Files\Steam
[2009/05/31 00:52:22 | 00,000,000 | ---D | C] -- C:\Program Files\Google
[2009/05/31 00:52:05 | 00,000,000 | ---D | C] -- C:\ProgramData\Skype
[2009/05/31 00:48:15 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Roaming\vlc
[2009/05/31 00:47:19 | 00,000,000 | ---D | C] -- C:\Users\[me]\Documents\Chats
[2009/05/31 00:46:19 | 00,000,000 | ---D | C] -- C:\Users\[me]\Documents\Non-School Work
[2009/05/31 00:46:12 | 00,000,000 | ---D | C] -- C:\Users\[me]\Documents\Wallpapers
[2009/05/31 00:44:50 | 00,000,000 | ---D | C] -- C:\Users\[me]\Documents\Schoolwork
[2009/05/31 00:41:58 | 00,000,000 | ---D | C] -- C:\Program Files\Cisco
[2009/05/31 00:41:30 | 00,744,740 | ---- | C] () -- C:\Windows\System32\oem11.inf
[2009/05/31 00:40:52 | 02,682,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vcredist_x86.exe
[2009/05/31 00:40:52 | 00,001,591 | ---- | C] () -- C:\Windows\System32\Uninst_EAPModules.bat
[2009/05/31 00:40:52 | 00,000,416 | ---- | C] () -- C:\Windows\System32\vcredist_x86.bat
[2009/05/31 00:40:51 | 00,054,784 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
[2009/05/31 00:40:50 | 00,024,064 | ---- | C] () -- C:\Windows\System32\WLTRYSVC.EXE
[2009/05/31 00:40:49 | 01,044,472 | ---- | C] (Broadcom Corp.) -- C:\Windows\System32\drivers\BCMWL6.SYS
[2009/05/31 00:40:00 | 00,021,469 | ---- | C] () -- C:\newkey
[2009/05/31 00:40:00 | 00,021,469 | ---- | C] () -- C:\newfile.enc
[2009/05/31 00:39:42 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Roaming\InstallShield
[2009/05/31 00:37:30 | 00,000,000 | ---D | C] -- C:\Program Files\Broadcom
[2009/05/31 00:34:44 | 00,043,520 | ---- | C] (REDC) -- C:\Windows\System32\drivers\rimsptsk.sys
[2009/05/31 00:34:44 | 00,037,376 | ---- | C] (REDC) -- C:\Windows\System32\drivers\rixdptsk.sys
[2009/05/31 00:34:44 | 00,032,256 | ---- | C] (REDC) -- C:\Windows\System32\drivers\rimmptsk.sys
[2009/05/31 00:34:44 | 00,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2009/05/31 00:28:57 | 00,000,000 | ---D | C] -- C:\Windows\System32\vmm32
[2009/05/31 00:28:57 | 00,000,000 | ---D | C] -- C:\Program Files\Dell
[2009/05/31 00:25:43 | 00,000,000 | ---D | C] -- C:\Windows\Minidump
[2009/05/31 00:24:47 | 00,010,872 | ---- | C] () -- C:\Windows\System32\drivers\AvgAsCln.sys
[2009/05/31 00:24:46 | 00,000,000 | ---D | C] -- C:\ProgramData\Grisoft
[2009/05/31 00:24:46 | 00,000,000 | ---D | C] -- C:\Program Files\Grisoft
[2009/05/31 00:22:50 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Roaming\Malwarebytes
[2009/05/31 00:22:46 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/05/31 00:22:45 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/05/31 00:22:45 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/05/31 00:22:44 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/05/31 00:21:46 | 00,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2009/05/31 00:21:46 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/05/31 00:17:08 | 00,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2009/05/31 00:15:38 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Roaming\Apple Computer
[2009/05/31 00:15:17 | 00,000,000 | ---D | C] -- C:\ProgramData\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/05/31 00:14:54 | 00,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2009/05/31 00:14:35 | 00,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
[2009/05/31 00:14:27 | 00,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2009/05/31 00:13:58 | 00,000,000 | ---D | C] -- C:\ProgramData\Apple
[2009/05/31 00:13:58 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2009/05/31 00:09:43 | 00,000,913 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MozyHome Status.lnk
[2009/05/31 00:09:32 | 00,053,240 | ---- | C] (Mozy, Inc.) -- C:\Windows\System32\drivers\mozy.sys
[2009/05/31 00:09:31 | 00,056,680 | ---- | C] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.exe
[2009/05/31 00:09:31 | 00,000,000 | ---D | C] -- C:\Windows\System32\DRVSTORE
[2009/05/31 00:09:31 | 00,000,000 | ---D | C] -- C:\Program Files\MozyHome
[2009/05/31 00:08:53 | 00,013,160 | ---- | C] (Absolute Software Corp.) -- C:\Windows\System32\Upgrd.exe
[2009/05/31 00:08:49 | 00,000,000 | -HSD | C] -- C:\Windows\Installer
[2009/05/30 23:52:58 | 00,000,000 | ---D | C] -- C:\Windows\Panther
[2009/05/30 23:52:08 | 00,078,863 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/05/30 23:52:08 | 00,078,863 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/05/30 23:46:10 | 00,000,000 | ---D | C] -- C:\ProgramData\NVIDIA
[2009/05/30 22:56:20 | 00,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2009/05/30 22:55:15 | 00,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2009/05/30 22:54:13 | 00,017,408 | ---- | C] () -- C:\Windows\System32\rpcnetp.dll
[2009/05/30 22:54:13 | 00,000,000 | ---D | C] -- C:\Windows\Prefetch
[2009/05/30 22:53:30 | 28,170,32192 | -HS- | C] () -- C:\hiberfil.sys
[2009/05/30 22:53:30 | 00,000,000 | -HSD | C] -- C:\System Volume Information
[2009/05/30 22:53:29 | 00,017,408 | ---- | C] () -- C:\Windows\System32\rpcnetp.exe
[2009/05/30 20:43:02 | 00,000,000 | ---D | C] -- C:\ProgramData\Comodo
[2009/05/30 20:43:01 | 00,168,208 | ---- | C] () -- C:\Windows\System32\guard32.dll
[2009/05/30 20:43:01 | 00,130,080 | ---- | C] (COMODO) -- C:\Windows\System32\drivers\cmdguard.sys
[2009/05/30 20:43:01 | 00,068,640 | ---- | C] (COMODO) -- C:\Windows\System32\drivers\inspect.sys
[2009/05/30 20:43:01 | 00,028,704 | ---- | C] (COMODO) -- C:\Windows\System32\drivers\cmdhlp.sys
[2009/05/30 20:43:01 | 00,000,000 | ---D | C] -- C:\Program Files\COMODO
[2009/05/30 20:42:36 | 00,000,913 | ---- | C] () -- C:\Users\[me]\Desktop\Audacity.lnk
[2009/05/30 20:42:35 | 00,000,000 | ---D | C] -- C:\Program Files\Audacity
[2009/05/30 20:41:49 | 00,001,024 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2009/05/30 20:41:43 | 00,000,000 | ---D | C] -- C:\Program Files\VideoLAN
[2009/05/30 20:34:44 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Local\Diagnostics
[2009/05/30 20:28:11 | 00,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
[2009/05/30 20:27:59 | 00,000,000 | ---D | C] -- C:\Program Files\Apoint2K
[2009/05/30 20:27:44 | 01,419,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WdfCoInstaller01005.dll
[2009/05/30 20:26:13 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Roaming\WinRAR
[2009/05/30 20:25:48 | 00,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2009/05/30 20:24:13 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield
[2009/05/30 20:24:10 | 00,795,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dpinst.exe
[2009/05/30 20:24:10 | 00,169,773 | ---- | C] () -- C:\Windows\System32\nvapps.xml
[2009/05/30 20:24:10 | 00,025,494 | ---- | C] () -- C:\Windows\System32\nvwsapps.xml
[2009/05/30 20:24:10 | 00,007,542 | ---- | C] () -- C:\Windows\System32\nvdisp.nvu
[2009/05/30 20:24:09 | 00,000,000 | ---D | C] -- C:\Dell
[2009/05/30 20:18:13 | 00,053,248 | ---- | C] (Windows XP Bundled build C-Centric Single User) -- C:\Windows\System32\CSVer.dll
[2009/05/30 20:18:13 | 00,000,000 | ---D | C] -- C:\Program Files\Intel
[2009/05/30 20:18:05 | 00,000,000 | ---D | C] -- C:\Intel
[2009/05/30 20:16:52 | 00,000,000 | ---D | C] -- C:\Users\[me]\Desktop\Utilities
[2009/05/30 20:14:48 | 00,051,376 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2009/05/30 20:14:48 | 00,023,152 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2009/05/30 20:14:46 | 00,114,768 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswSP.sys
[2009/05/30 20:14:46 | 00,097,480 | ---- | C] (ALWIL Software) -- C:\Windows\System32\AvastSS.scr
[2009/05/30 20:14:46 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2009/05/30 20:14:32 | 01,256,296 | ---- | C] (ALWIL Software) -- C:\Windows\System32\aswBoot.exe
[2009/05/30 20:14:32 | 01,060,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MFC71.dll
[2009/05/30 20:14:32 | 00,499,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSVCP71.dll
[2009/05/30 20:14:32 | 00,380,928 | ---- | C] () -- C:\Windows\System32\actskin4.ocx
[2009/05/30 20:14:32 | 00,348,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSVCR71.dll
[2009/05/30 20:14:32 | 00,051,792 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2009/05/30 20:14:31 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2009/05/30 20:13:37 | 00,002,022 | ---- | C] () -- C:\Users\[me]\Desktop\Trillian.lnk
[2009/05/30 20:13:24 | 00,000,000 | ---D | C] -- C:\Program Files\Trillian
[2009/05/30 20:13:20 | 00,063,944 | ---- | C] () -- C:\Users\[me]\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/05/30 20:13:20 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Local\RadarSync
[2009/05/30 20:13:19 | 00,000,000 | ---D | C] -- C:\Program Files\RadarSync
[2009/05/30 20:10:50 | 00,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2009/05/30 20:10:49 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Roaming\Mozilla
[2009/05/30 20:10:49 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Local\Mozilla
[2009/05/30 20:10:48 | 00,001,885 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2009/05/30 20:10:46 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/05/30 20:01:20 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Roaming\Identities
[2009/05/30 20:01:10 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Local\VirtualStore
[2009/05/30 20:01:09 | 00,000,000 | --SD | C] -- C:\Users\[me]\AppData\Roaming\Microsoft
[2009/05/30 20:01:09 | 00,000,000 | -HSD | C] -- C:\Users\[me]\Documents\My Videos
[2009/05/30 20:01:09 | 00,000,000 | -HSD | C] -- C:\Users\[me]\Documents\My Pictures
[2009/05/30 20:01:09 | 00,000,000 | -HSD | C] -- C:\Users\[me]\Documents\My Music
[2009/05/30 20:01:09 | 00,000,000 | -HSD | C] -- C:\Users\[me]\AppData\Local\Temporary Internet Files
[2009/05/30 20:01:09 | 00,000,000 | -HSD | C] -- C:\Users\[me]\AppData\Local\History
[2009/05/30 20:01:09 | 00,000,000 | -HSD | C] -- C:\Users\[me]\AppData\Local\Application Data
[2009/05/30 20:01:09 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Roaming\Media Center Programs
[2009/05/30 20:01:09 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Local\Temp
[2009/05/30 20:01:09 | 00,000,000 | ---D | C] -- C:\Users\[me]\AppData\Local\Microsoft
[2009/05/30 20:00:53 | 00,000,000 | -HSD | C] -- C:\Recovery
[2009/04/22 01:58:02 | 00,000,403 | ---- | C] () -- C:\Windows\win.ini
[2009/04/22 01:58:02 | 00,000,219 | ---- | C] () -- C:\Windows\system.ini
[2009/04/21 23:50:07 | 00,073,216 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/04/21 23:40:32 | 00,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2008/10/10 10:57:26 | 00,003,584 | ---- | C] () -- C:\Windows\System32\wceprv.dll

========== Files - Modified Within 30 Days ==========

[2009/06/22 21:59:27 | 00,512,512 | ---- | M] (OldTimer Tools) -- C:\Users\[me]\Desktop\OTL.exe
[2009/06/22 21:01:11 | 00,000,582 | ---- | M] () -- C:\Windows\wininit.ini
[2009/06/22 20:19:55 | 00,307,262 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2009/06/22 19:47:08 | 00,802,140 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/06/22 19:47:08 | 00,167,062 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/06/22 19:47:08 | 00,004,522 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/06/22 19:34:09 | 00,002,022 | ---- | M] () -- C:\Users\[me]\Desktop\Trillian.lnk
[2009/06/22 19:30:23 | 00,301,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cmd.execf
[2009/06/22 19:10:12 | 03,038,734 | ---- | M] () -- C:\Users\[me]\Desktop\ComboFix.exe
[2009/06/22 19:05:58 | 00,013,408 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2009/06/22 19:05:58 | 00,013,408 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2009/06/22 18:59:46 | 00,078,863 | ---- | M] () -- C:\ProgramData\nvModes.001
[2009/06/22 18:58:50 | 00,017,408 | ---- | M] () -- C:\Windows\System32\rpcnetp.exe
[2009/06/22 18:58:48 | 00,056,680 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.dll_old
[2009/06/22 18:58:46 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/06/22 18:58:40 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/06/22 18:58:35 | 28,170,32192 | -HS- | M] () -- C:\hiberfil.sys
[2009/06/22 18:57:43 | 00,001,954 | ---- | M] () -- C:\Windows\mozy.blk
[2009/06/22 18:57:43 | 00,000,074 | ---- | M] () -- C:\Windows\mozy.flt
[2009/06/22 18:57:35 | 02,342,522 | -H-- | M] () -- C:\Users\[me]\AppData\Local\IconCache.db
[2009/06/22 16:56:40 | 00,078,863 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2009/06/21 13:39:41 | 00,011,142 | ---- | M] () -- C:\Users\[me]\Desktop\summer.docx
[2009/06/19 19:49:03 | 00,001,809 | ---- | M] () -- C:\Users\[me]\Desktop\Medieval II Total War Kingdoms.lnk
[2009/06/19 03:08:05 | 00,017,408 | ---- | M] () -- C:\Windows\System32\rpcnetp.dll
[2009/06/18 23:18:49 | 00,307,262 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20090622-201955.backup
[2009/06/18 23:18:00 | 00,307,262 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20090618-231848.backup
[2009/06/18 22:30:00 | 00,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2009/06/18 22:30:00 | 00,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/06/18 12:51:41 | 00,307,262 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20090618-231800.backup
[2009/06/17 11:27:56 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/06/17 11:27:44 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/06/12 17:09:20 | 00,001,646 | ---- | M] () -- C:\Users\[me]\Desktop\Starcraft.lnk
[2009/06/12 16:50:03 | 00,721,904 | ---- | M] () -- C:\Windows\System32\drivers\sptd.sys
[2009/06/12 16:44:48 | 00,094,208 | ---- | M] (Blizzard Entertainment) -- C:\Windows\ScUnin.exe
[2009/06/12 16:44:48 | 00,012,782 | ---- | M] () -- C:\Windows\scunin.dat
[2009/06/12 16:44:48 | 00,000,967 | ---- | M] () -- C:\Windows\ScUnin.pif
[2009/06/11 02:22:30 | 00,307,247 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20090618-125141.backup
[2009/06/05 07:28:58 | 03,920,612 | ---- | M] () -- C:\Users\[me]\Desktop\P6050001.JPG
[2009/06/03 21:00:01 | 00,122,440 | -H-- | M] () -- C:\Windows\System32\mlfcache.dat
[2009/06/03 18:08:40 | 00,307,233 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20090611-022230.backup
[2009/06/01 15:27:59 | 00,306,823 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20090603-180840.backup
[2009/06/01 15:26:54 | 00,306,823 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20090601-152759.backup
[2009/06/01 15:23:08 | 00,063,944 | ---- | M] () -- C:\Users\[me]\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/06/01 14:13:34 | 00,296,376 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/05/31 02:10:16 | 00,002,429 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2009/05/31 01:28:00 | 00,001,791 | ---- | M] () -- C:\Users\[me]\Desktop\Medieval II Total War.lnk
[2009/05/31 01:24:34 | 00,001,064 | ---- | M] () -- C:\Users\Public\Desktop\Picasa 3.lnk
[2009/05/31 01:15:22 | 00,001,827 | ---- | M] () -- C:\Users\[me]\Desktop\Team Fortress 2.lnk
[2009/05/31 00:56:28 | 00,000,056 | -H-- | M] () -- C:\Windows\System32\ezsidmv.dat
[2009/05/31 00:53:19 | 00,002,503 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2009/05/31 00:52:28 | 00,002,513 | ---- | M] () -- C:\Users\Public\Desktop\Steam.lnk
[2009/05/31 00:41:14 | 00,744,740 | ---- | M] () -- C:\Windows\System32\oem11.inf
[2009/05/31 00:40:00 | 00,021,469 | ---- | M] () -- C:\newkey
[2009/05/31 00:40:00 | 00,021,469 | ---- | M] () -- C:\newfile.enc
[2009/05/31 00:09:43 | 00,000,913 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MozyHome Status.lnk
[2009/05/31 00:09:08 | 00,013,160 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\Upgrd.exe
[2009/05/31 00:08:51 | 00,056,680 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.exe
[2009/05/30 22:55:15 | 00,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2009/05/30 20:43:01 | 00,168,208 | ---- | M] () -- C:\Windows\System32\guard32.dll
[2009/05/30 20:43:01 | 00,130,080 | ---- | M] (COMODO) -- C:\Windows\System32\drivers\cmdguard.sys
[2009/05/30 20:43:01 | 00,068,640 | ---- | M] (COMODO) -- C:\Windows\System32\drivers\inspect.sys
[2009/05/30 20:43:01 | 00,028,704 | ---- | M] (COMODO) -- C:\Windows\System32\drivers\cmdhlp.sys
[2009/05/30 20:42:36 | 00,000,913 | ---- | M] () -- C:\Users\[me]\Desktop\Audacity.lnk
[2009/05/30 20:41:49 | 00,001,024 | ---- | M] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2009/05/30 20:28:11 | 00,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
[2009/05/30 20:14:45 | 00,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2009/05/30 20:10:50 | 00,000,000 | ---- | M] () -- C:\Windows\nsreg.dat
[2009/05/30 20:10:48 | 00,001,885 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2009/05/30 19:57:37 | 00,028,965 | ---- | M] () -- C:\Windows\System32\license.rtf

========== LOP Check ==========

[2009/06/12 16:49:38 | 00,000,000 | ---D | M] -- C:\Users\[me]\AppData\Roaming
[2009/06/12 16:53:27 | 00,000,000 | ---D | M] -- C:\Users\[me]\AppData\Roaming\DAEMON Tools Lite
[2009/06/21 22:28:43 | 00,000,000 | ---D | M] -- C:\Users\[me]\AppData\Roaming\dvdcss
[2009/06/11 15:22:35 | 00,000,000 | ---D | M] -- C:\Users\[me]\AppData\Roaming\Foxit
[2009/04/22 06:24:12 | 00,000,000 | ---D | M] -- C:\Users\[me]\AppData\Roaming\Media Center Programs
[2009/06/22 18:58:46 | 00,000,006 | -H-- | M] () -- C:\Windows\Tasks\SA.DAT
[2009/04/22 04:27:21 | 00,013,324 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

< End of report >

lolcats · Jun 23, 2009

Windows 7 has given me few problems thus far. I am on my second trial; the first one was botched but the second generally works despite a few compatibility issues.

Is it possible that Spybot finding virtumonde is a false positive? I noticed in a few other threads that virtumonde false positives started appearing with a recent update. I think in one case the same offending .dll as in my case was a false positive; it was tied to Lojack. I had a trial of Lojack but it ran out last month...a possible connection?

ken545 · Jun 23, 2009

False positives are always possible.
http://forums.spybot.info/showthread.php?t=49473

I am not looking at any Vundo on this system but there are a few files we need to check

You need to enable windows to show all files and folders, instructions Here

Go to VirusTotal and submit these files for analysis, just use the BROWSE feature and then Send File , you will get a report back, post the report into this thread for me to see.

C:\Windows\System32\epmntdrv.sys
C:\Windows\System32\EuGdiDrv.sys
C:\Windows\System32\rpcnetp.dll

lolcats · Jun 25, 2009

epmntdrv.sys

MD5: 6eceb0ce18d352af410dd50ee13eaa9a
First received: 2009.03.07 08:59:20 UTC
Date: 2009.06.12 10:39:27 UTC [>12D]
Results: 0/38
Permalink: analisis/971506f90f764aa9acc87e498f606fb433a45e4a3ac66441e4e6df002dd9bcde-1244803167

lolcats · Jun 25, 2009

EuGdiDrv.sys

MD5: 5f779f5edab787f2d090c71a9051f365
First received: 2009.03.17 03:58:17 UTC
Date: 2009.06.23 18:46:34 UTC [+1D]
Results: 0/41
Permalink: analisis/b2c4d872550a41a91efc2a12fe699e99b3f6baa26e68d75f1004389fbcf7db89-1245782794

lolcats · Jun 25, 2009

rpcnet.dll

MD5: 2f4158cfe7801a73beaa7e8a9dfcad26
First received: 2009.05.24 15:20:39 UTC
Date: 2009.06.24 12:58:51 UTC [<1D]
Results: 1/41
Permalink: analisis/c959993db45d484da3a811f2dd6a8bf522fcd15afa05b46053e061db500d66f3-1245848331

ken545 · Jun 25, 2009

Hi,

That's not the entire log, you can try here if VT is busy

Jotti Upload

lolcats · Jun 25, 2009

Are these the correct reports?

File epmntdrv.sys received on 2009.06.12 10:39:27 (UTC)
Current status: finished
Result: 0/38 (0.00%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.06.12 -
AhnLab-V3 5.0.0.2 2009.06.12 -
AntiVir 7.9.0.187 2009.06.12 -
Antiy-AVL 2.0.3.1 2009.06.12 -
Authentium 5.1.2.4 2009.06.12 -
Avast 4.8.1335.0 2009.06.11 -
AVG 8.5.0.339 2009.06.12 -
BitDefender 7.2 2009.06.12 -
CAT-QuickHeal 10.00 2009.06.12 -
ClamAV 0.94.1 2009.06.12 -
Comodo 1319 2009.06.12 -
DrWeb 5.0.0.12182 2009.06.12 -
eSafe 7.0.17.0 2009.06.11 -
eTrust-Vet 31.6.6555 2009.06.12 -
F-Prot 4.4.4.56 2009.06.12 -
F-Secure 8.0.14470.0 2009.06.12 -
Fortinet 3.117.0.0 2009.06.12 -
GData 19 2009.06.12 -
Ikarus T3.1.1.59.0 2009.06.12 -
K7AntiVirus 7.10.760 2009.06.10 -
Kaspersky 7.0.0.125 2009.06.12 -
McAfee 5643 2009.06.11 -
McAfee+Artemis 5643 2009.06.11 -
McAfee-GW-Edition 6.7.6 2009.06.12 -
Microsoft 1.4701 2009.06.12 -
NOD32 4150 2009.06.12 -
Norman 6.01.09 2009.06.12 -
nProtect 2009.1.8.0 2009.06.12 -
Panda 10.0.0.14 2009.06.12 -
Prevx 3.0 2009.06.12 -
Rising 21.33.42.00 2009.06.12 -
Sophos 4.42.0 2009.06.12 -
Sunbelt 3.2.1858.2 2009.06.12 -
Symantec 1.4.4.12 2009.06.12 -
TheHacker 6.3.4.3.344 2009.06.11 -
TrendMicro 8.950.0.1092 2009.06.12 -
VBA32 3.12.10.7 2009.06.12 -
ViRobot 2009.6.12.1783 2009.06.12 -
Additional information
File size: 9728 bytes
MD5 : 6eceb0ce18d352af410dd50ee13eaa9a
SHA1 : 38788c71cbde5f2a0ceb9f661cb5f912d2f2e480
SHA256: 971506f90f764aa9acc87e498f606fb433a45e4a3ac66441e4e6df002dd9bcde
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5005
timedatestamp.....: 0x4897E6B1 (Tue Aug 5 07:35:45 2008)
machinetype.......: 0x14C (Intel I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1668 0x1800 6.05 6bbc43603096ffa044c0a268d9a9429f
.rdata 0x3000 0x1E5 0x200 4.77 ae2851de0512b92979bd41f2e7743c1a
.data 0x4000 0x60 0x200 0.40 3d4fa9d0508245adc58a5a235964b4eb
INIT 0x5000 0x3B4 0x400 5.07 83cda44c3f736cf615a059cd7efa53d6
.reloc 0x6000 0x18A 0x200 3.53 7cf285b6ba58acb025e2ed849942dd71

( 0 imports )

( 0 exports )
TrID : File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
ssdeep: 96:KXNL0d41oh1o26LVL8q5cSdrjEG00qZJHgvr0K9RLieHYjDZf0R2htqlKKIAyapg:G9Bgq7dIqqXU9piHf0etqlKdaK0
PEiD : -
RDS : NSRL Reference Data Set
-

File EuGdiDrv.sys received on 2009.06.23 18:46:34 (UTC)
Current status: finished
Result: 0/41 (0.00%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.06.23 -
AhnLab-V3 5.0.0.2 2009.06.23 -
AntiVir 7.9.0.193 2009.06.23 -
Antiy-AVL 2.0.3.1 2009.06.23 -
Authentium 5.1.2.4 2009.06.23 -
Avast 4.8.1335.0 2009.06.23 -
AVG 8.5.0.339 2009.06.23 -
BitDefender 7.2 2009.06.23 -
CAT-QuickHeal 10.00 2009.06.22 -
ClamAV 0.94.1 2009.06.23 -
Comodo 1401 2009.06.23 -
DrWeb 5.0.0.12182 2009.06.23 -
eSafe 7.0.17.0 2009.06.23 -
eTrust-Vet 31.6.6575 2009.06.23 -
F-Prot 4.4.4.56 2009.06.23 -
F-Secure 8.0.14470.0 2009.06.23 -
Fortinet 3.117.0.0 2009.06.23 -
GData 19 2009.06.23 -
Ikarus T3.1.1.59.0 2009.06.23 -
Jiangmin 11.0.706 2009.06.23 -
K7AntiVirus 7.10.768 2009.06.19 -
Kaspersky 7.0.0.125 2009.06.23 -
McAfee 5655 2009.06.23 -
McAfee+Artemis 5655 2009.06.23 -
McAfee-GW-Edition 6.7.6 2009.06.23 -
Microsoft 1.4803 2009.06.23 -
NOD32 4181 2009.06.23 -
Norman 6.01.09 2009.06.23 -
nProtect 2009.1.8.0 2009.06.23 -
Panda 10.0.0.16 2009.06.23 -
PCTools 4.4.2.0 2009.06.22 -
Prevx 3.0 2009.06.23 -
Rising 21.35.14.00 2009.06.23 -
Sophos 4.42.0 2009.06.23 -
Sunbelt 3.2.1858.2 2009.06.23 -
Symantec 1.4.4.12 2009.06.23 -
TheHacker 6.3.4.3.351 2009.06.22 -
TrendMicro 8.950.0.1094 2009.06.23 -
VBA32 3.12.10.7 2009.06.23 -
ViRobot 2009.6.23.1800 2009.06.23 -
VirusBuster 4.6.5.0 2009.06.23 -
Additional information
File size: 3072 bytes
MD5 : 5f779f5edab787f2d090c71a9051f365
SHA1 : f3a892028dc6f5e618c023e8d57b6617459b7ec0
SHA256: b2c4d872550a41a91efc2a12fe699e99b3f6baa26e68d75f1004389fbcf7db89
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x78E
timedatestamp.....: 0x48A14CF5 (Tue Aug 12 10:42:29 2008)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x400 0x448 0x480 5.91 d274f23352781cfc58577357bfc5f799
.rdata 0x880 0xEB 0x100 4.55 a5319e0d99b07471fa7d279c6dce6232
INIT 0x980 0x1D2 0x200 4.42 a55d2a66ed767c912467e14ecf38d5e5
.reloc 0xB80 0x60 0x80 3.31 b504644c5a309a4360ab9262a4e670ad

( 2 imports )

> bootvid.dll: VidBufferToScreenBlt, VidScreenToBufferBlt, VidBitBlt
> ntoskrnl.exe: IofCompleteRequest, InbvDisplayString, InbvSetScrollRegion, InbvEnableDisplayString, RtlInitUnicodeString, InbvSetTextColor, IoCreateSymbolicLink, IoCreateDevice, IoDeleteSymbolicLink, IoDeleteDevice, InbvSolidColorFill, DbgPrint

( 0 exports )
TrID : File type identification
Clipper DOS Executable (33.3%)
Generic Win/DOS Executable (33.0%)
DOS Executable Generic (33.0%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
ssdeep: 24:e/GSeed/XveKChTKQD97CeDYlvDiAuxZhkSMJeQcIYFSC4c4tWW21g152AzYRqrR:Q3hvtAKgBwbIZKpESC4LsWKYERRWL
PEiD : -
RDS : NSRL Reference Data Set

File rpcnet.dll received on 2009.06.24 12:58:51 (UTC)
Current status: finished
Result: 1/41 (2.44%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.06.24 -
AhnLab-V3 5.0.0.2 2009.06.24 -
AntiVir 7.9.0.193 2009.06.24 -
Antiy-AVL 2.0.3.1 2009.06.24 -
Authentium 5.1.2.4 2009.06.24 -
Avast 4.8.1335.0 2009.06.23 -
AVG 8.5.0.339 2009.06.24 -
BitDefender 7.2 2009.06.24 -
CAT-QuickHeal 10.00 2009.06.22 -
ClamAV 0.94.1 2009.06.24 -
Comodo 1404 2009.06.24 -
DrWeb 5.0.0.12182 2009.06.24 -
eSafe 7.0.17.0 2009.06.24 -
eTrust-Vet 31.6.6577 2009.06.24 -
F-Prot 4.4.4.56 2009.06.24 -
F-Secure 8.0.14470.0 2009.06.24 -
Fortinet 3.117.0.0 2009.06.24 PossibleThreat
GData 19 2009.06.24 -
Ikarus T3.1.1.59.0 2009.06.24 -
Jiangmin 11.0.706 2009.06.24 -
K7AntiVirus 7.10.768 2009.06.19 -
Kaspersky 7.0.0.125 2009.06.24 -
McAfee 5655 2009.06.23 -
McAfee+Artemis 5655 2009.06.23 -
McAfee-GW-Edition 6.7.6 2009.06.24 -
Microsoft 1.4803 2009.06.24 -
NOD32 4184 2009.06.24 -
Norman 6.01.09 2009.06.23 -
nProtect 2009.1.8.0 2009.06.24 -
Panda 10.0.0.16 2009.06.24 -
PCTools 4.4.2.0 2009.06.24 -
Prevx 3.0 2009.06.24 -
Rising 21.35.24.00 2009.06.24 -
Sophos 4.42.0 2009.06.24 -
Sunbelt 3.2.1858.2 2009.06.23 -
Symantec 1.4.4.12 2009.06.24 -
TheHacker 6.3.4.3.352 2009.06.24 -
TrendMicro 8.950.0.1094 2009.06.24 -
VBA32 3.12.10.7 2009.06.24 -
ViRobot 2009.6.24.1802 2009.06.24 -
VirusBuster 4.6.5.0 2009.06.23 -
Additional information
File size: 56680 bytes
MD5 : 2f4158cfe7801a73beaa7e8a9dfcad26
SHA1 : 54f8866720054252de75a2f05643ce98b5a9d253
SHA256: c959993db45d484da3a811f2dd6a8bf522fcd15afa05b46053e061db500d66f3
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1C10
timedatestamp.....: 0x49AD6B29 (Tue Mar 3 18:38:49 2009)
machinetype.......: 0x14C (Intel I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x9129 0x9200 6.51 9becfb7d2513d33591ab673115bba95f
.data 0xB000 0x1D74 0x1E00 3.36 62bbc527cc88a05d5c449d6103467740
.cdata 0xD000 0x298 0x400 2.66 c93e206aac1e4e4b1506d414a18738eb
.rsrc 0xE000 0x448 0x600 2.54 66c04b9abc0c570bb3b2612f0ccfd50b
.reloc 0xF000 0x9EE 0xA00 6.24 3a404a244b8c32be9260e308210f9344

( 7 imports )

> advapi32.dll: ControlService, DeleteService, CreateServiceA, QueryServiceConfigA, ChangeServiceConfigA, OpenSCManagerA, OpenServiceA, QueryServiceStatus, StartServiceA, CloseServiceHandle, EqualSid, RegisterServiceCtrlHandlerA, SetServiceStatus, StartServiceCtrlDispatcherA, DuplicateTokenEx, SetTokenInformation, CreateProcessAsUserA, RegOpenKeyA, RegCreateKeyExA, RegSetValueExA, SetKernelObjectSecurity, RegDeleteKeyA, RegDeleteValueA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, OpenProcessToken, GetTokenInformation, AdjustTokenPrivileges, GetKernelObjectSecurity, AllocateAndInitializeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, SetEntriesInAclA, FreeSid
> kernel32.dll: lstrcatA, lstrcpyA, MapViewOfFile, CreateFileMappingA, SetEvent, ResetEvent, WaitForSingleObject, LocalAlloc, CreateThread, GetLastError, BackupRead, BackupWrite, OpenProcess, GetCurrentProcessId, GetCurrentProcess, FreeLibrary, GetProcAddress, LoadLibraryA, DeleteFileA, lstrlenA, CreateFileA, BackupSeek, GetFileAttributesExA, SetFileTime, SetFileAttributesA, CreateEventA, GetVersionExA, GetSystemDirectoryA, FindClose, FindFirstFileA, lstrcmpiA, lstrcmpA, LoadLibraryExA, GetModuleHandleA, WriteFile, GetWindowsDirectoryA, GetEnvironmentVariableA, GetExitCodeThread, WaitForMultipleObjects, CreateRemoteThread, VirtualFreeEx, WriteProcessMemory, VirtualAllocEx, SetFilePointer, CopyFileA, GetModuleFileNameA, SetStdHandle, TerminateProcess, CreateProcessA, ReadProcessMemory, GetStdHandle, HeapAlloc, HeapFree, GetProcessHeap, RaiseException, GetVersion, RtlUnwind, ClearCommError, PurgeComm, GetOverlappedResult, EnterCriticalSection, LeaveCriticalSection, WaitCommEvent, SetCommMask, ReadFile, Sleep, DeleteCriticalSection, SetThreadPriority, InitializeCriticalSection, SetCommTimeouts, SetCommState, GetCommState, SetupComm, GetCommProperties, GetCurrentThreadId, GetLocalTime, GetCommandLineA, FlushFileBuffers, ExitProcess, ResumeThread, GetComputerNameA, TerminateThread, LocalFree, CloseHandle, UnmapViewOfFile, ExitThread
> netapi32.dll: Netbios
> tapi32.dll: lineDeallocateCall, lineMakeCall, lineSetDevConfig, lineGetID, lineSetStatusMessages, lineGetDevCaps, lineInitialize, lineGetDevConfig, lineOpen, lineShutdown, lineGetCallStatus, lineDrop, lineClose
> user32.dll: PeekMessageA, KillTimer, PostMessageA, GetMessageA, TranslateMessage, PostQuitMessage, DefWindowProcA, wsprintfA, RegisterClassA, CreateWindowExA, DispatchMessageA, MsgWaitForMultipleObjects, SendMessageA, PostThreadMessageA, SetTimer
> userenv.dll: CreateEnvironmentBlock, DestroyEnvironmentBlock
> wsock32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -

( 1 exports )

> ServiceMain
TrID : File type identification
Generic Win/DOS Executable (50.0%)
DOS Executable Generic (49.9%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md5=2f4158cfe7801a73beaa7e8a9dfcad26
ssdeep: 768:kJTMRW36uadqY3bIxaiXssKrXbdURa1MRAn/v2mN90ebqAMt2IHjPz3Ot0qPG4Pb:LW3/aEwsK7iCMun/eAeydt0Yw4G4
PEiD : -
RDS : NSRL Reference Data Set
-

lolcats · Jun 25, 2009

With the most recent update, Spybot no longer detects virtumonde...

ken545 · Jun 25, 2009

Hi,

Those files are fine. No Vundo :bigthumb:

OTL <--Drag it to the trash

ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\Deckard folder, if present
- The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore <-- Do this first to prevent yourself from being reinfected.
WhattheTech
Grinler BleepingComputer
GeeksTo Go
Dslreports

Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.

Safe Surfn
Ken

lolcats · Jun 25, 2009

Thanks a ton, Ken, for all your help.

ken545 · Jun 25, 2009

Your very welcome my friend

Virtumonde.sdn

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

New member

New member

New member

Emeritus-Security Expert

New member

New member

New member

Emeritus-Security Expert

New member

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert