
Double Click Virus Among Other Weird Activities


  • This topic is locked
16 replies to this topic

#1 Itlan

  • Members
  • 10 posts

Posted 24 April 2010 - 10:10 AM

I seem to have a double click virus, as well as one that slows down my computer the longer it is running. Also, if I have Firefox open for say 5 minutes, and then go to a new page, all the flash and coding will be gone and it will show everything in html format.

I've tried SpyBot, AVG, and Malware Bytes. Decided to do a HJT log, so here it is:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:07:34 AM, on 4/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\The Skins Factory\Hyperdesk\Common\HDThemeEnabler.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
D:\Program Files\AVG\AVG9\avgchsvx.exe
D:\Program Files\AVG\AVG9\avgrsx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\AVG\AVG9\avgcsrvx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Java\jre6\bin\jusched.exe
D:\PROGRA~1\AVG\AVG9\avgtray.exe
D:\Program Files\Zune\ZuneLauncher.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\SafeConnect\scClient.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\AVG\AVG9\avgwdsvc.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\libusbd-nt.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\SafeConnect\scManager.sys
D:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\WINDOWS\system32\ZuneBusEnum.exe
D:\Program Files\AVG\AVG9\avgemc.exe
D:\Program Files\AVG\AVG9\avgnsx.exe
D:\Program Files\AVG\AVG9\avgcsrvx.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
D:\DOCUME~1\MARKAN~1\LOCALS~1\Temp\AutoRun.exe
D:\Documents and Settings\Mark Andrew\Desktop\HiJackThis.exe
D:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] D:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Zune Launcher] "D:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "D:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DS3 Tool] D:\Program Files\MotioninJoy\ds3\DS3_Tool.exe -mini
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Desktop Manager.lnk = D:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: SafeConnect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - D:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - D:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Hyperdesk Theme Enabler (HdThemeEnabler) - The Skins Factory, Inc. - D:\Program Files\The Skins Factory\Hyperdesk\Common\HDThemeEnabler.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - D:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SafeConnect Manager (SCManager) - Unknown owner - D:\Program Files\SafeConnect\scManager.sys servicestart (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7905 bytes


Any help guys?

Edited by Pandy, 24 April 2010 - 10:26 AM.
Moved from Windows XP Home and Pro to a more appropriate forum as an HjT logfile is included ~Pandy


#2 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 29 April 2010 - 10:17 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 Itlan

  • Topic Starter
  • Members
  • 10 posts

Posted 01 May 2010 - 03:47 PM


DDS (Ver_10-03-17.01) - NTFSx86
Run by Mark Andrew at 16:44:17.45 on Sat 05/01/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1222 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\Program Files\The Skins Factory\Hyperdesk\Common\HDThemeEnabler.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
D:\Program Files\AVG\AVG9\avgchsvx.exe
D:\Program Files\AVG\AVG9\avgrsx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\AVG\AVG9\avgcsrvx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\PROGRA~1\AVG\AVG9\avgtray.exe
D:\Program Files\Zune\ZuneLauncher.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\AIM6\aim6.exe
D:\Program Files\MotioninJoy\ds3\DS3_Tool.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\SafeConnect\scClient.exe
svchost.exe
D:\Program Files\AIM6\aolsoftware.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\AVG\AVG9\avgwdsvc.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Documents and Settings\All Users\Application Data\{7A15561F-A104-47D7-ACC2-B0E721761121}\Server.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\libusbd-nt.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\SafeConnect\scManager.sys
D:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\WINDOWS\system32\ZuneBusEnum.exe
D:\Program Files\AVG\AVG9\avgemc.exe
D:\Program Files\AVG\AVG9\avgnsx.exe
D:\Program Files\AVG\AVG9\avgcsrvx.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
D:\Documents and Settings\Mark Andrew\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [Aim6] "d:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [DS3 Tool] d:\program files\motioninjoy\ds3\DS3_Tool.exe -mini
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG9_TRAY] d:\progra~1\avg\avg9\avgtray.exe
mRun: [Zune Launcher] "d:\program files\zune\ZuneLauncher.exe"
mRun: [QuickTime Task] "d:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE d:\windows\system32\NvCpl.dll,NvStartup
mRun: [SkyTel] SkyTel.EXE
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - d:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\safeco~1.lnk - d:\program files\safeconnect\scClient.exe
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy\SDHelper.dll
DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - hxxp://download.gigabyte.com.tw/object/Dldrv.ocx
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - d:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\markan~1\applic~1\mozilla\firefox\profiles\yhnr3673.default\
FF - component: d:\documents and settings\mark andrew\application data\mozilla\firefox\profiles\yhnr3673.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: d:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: d:\documents and settings\mark andrew\application data\mozilla\firefox\profiles\yhnr3673.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: d:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: d:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: d:\program files\sony online entertainment\station launcher\npsoe.dll
FF - plugin: d:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;d:\windows\system32\drivers\Lbd.sys [2009-8-16 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [2009-8-16 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;d:\windows\system32\drivers\avgmfx86.sys [2009-8-16 29512]
R1 AvgTdiX;AVG Free8 Network Redirector;d:\windows\system32\drivers\avgtdix.sys [2009-8-16 242896]
R2 avg9emc;AVG Free E-mail Scanner;d:\program files\avg\avg9\avgemc.exe [2010-3-16 916760]
R2 avg9wd;AVG Free WatchDog;d:\program files\avg\avg9\avgwdsvc.exe [2009-11-1 308064]
R2 GJService;Game Jackal Server;d:\documents and settings\all users\application data\{7a15561f-a104-47d7-acc2-b0e721761121}\Server.exe [2010-4-25 2031040]
R2 HdThemeEnabler;Hyperdesk Theme Enabler;d:\program files\the skins factory\hyperdesk\common\HDThemeEnabler.exe [2008-7-23 106496]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 SCManager;SafeConnect Manager;d:\program files\safeconnect\scmanager.sys servicestart --> d:\program files\safeconnect\scManager.sys servicestart [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;d:\program files\viewpoint\common\ViewpointService.exe [2009-8-16 24652]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;d:\windows\system32\drivers\libusb0.sys [2010-4-5 33792]
R3 MaplomL;MaplomL;d:\windows\system32\drivers\maploml.sys [2010-4-25 44480]
R3 NTProcDrv;Process creation detector for NT.;d:\windows\temp\drv1.tmp [2010-4-30 3584]
S3 Ambfilt;Ambfilt;d:\windows\system32\drivers\Ambfilt.sys [2008-1-1 1684736]
S3 ATICDSDr;ATICDSDr;d:\documents and settings\mark andrew\my documents\downloads\xp32\bin\atiicdxx.sys [2008-1-1 6144]
S3 GarenaPEngine;GarenaPEngine;\??\d:\docume~1\markan~1\locals~1\temp\btl404.tmp --> d:\docume~1\markan~1\locals~1\temp\BTL404.tmp [?]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;d:\windows\system32\drivers\MijXfilt.sys [2010-3-24 48640]
S3 XPADFL02;XPAD Filter Service 02;d:\windows\system32\drivers\xPADFL02.sys [2009-11-18 27904]

=============== Created Last 30 ================

2010-04-25 19:18:35 0 dc----w- d:\docume~1\alluse~1\applic~1\{7A15561F-A104-47D7-ACC2-B0E721761121}
2010-04-25 19:18:34 44480 -c--a-w- d:\windows\system32\drivers\maploml.sys
2010-04-25 19:18:34 42944 -c--a-w- d:\windows\system32\drivers\maplom.sys
2010-04-25 19:18:32 0 dc----w- d:\program files\SlySoft
2010-04-25 19:14:36 0 dc----w- d:\docume~1\markan~1\applic~1\My The Lord of the Rings, The Rise of the Witch-king Files
2010-04-24 15:34:34 0 dc----w- d:\docume~1\markan~1\applic~1\My Battle for Middle-earth™ II Files
2010-04-24 15:23:12 0 dc----w- d:\windows\RegisteredPackages
2010-04-24 15:22:47 5504 -c--a-w- d:\windows\system32\drivers\mstee.sys
2010-04-24 15:22:47 5504 -c--a-w- d:\windows\system32\dllcache\mstee.sys
2010-04-24 15:22:47 12288 -c--a-w- d:\windows\system32\ksolay.ax
2010-04-24 15:22:46 13312 -c--a-w- d:\windows\system32\dllcache\msdmo.dll
2010-04-24 15:22:45 63696 -c--a-w- d:\windows\system32\dxdllreg.exe
2010-04-24 15:22:43 797184 -c--a-w- d:\windows\system32\dllcache\d3dim700.dll
2010-04-24 15:22:43 381952 -c--a-w- d:\windows\system32\dllcache\dsound.dll
2010-04-24 15:22:43 292864 -c--a-w- d:\windows\system32\dllcache\ddraw.dll
2010-04-24 15:22:43 24064 -c--a-w- d:\windows\system32\dllcache\ddrawex.dll
2010-04-23 12:34:33 0 dc----w- d:\docume~1\markan~1\applic~1\QuickScan
2010-04-23 11:50:24 0 dc----w- d:\program files\Spybot - Search & Destroy
2010-04-23 11:50:24 0 dc----w- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-16 21:49:28 42496 -c-ha-w- d:\windows\system32\routhare.dll
2010-04-05 05:03:06 90112 -c--a-w- d:\windows\system32\MijFrc.dll
2010-04-05 05:03:06 0 dc----w- d:\docume~1\alluse~1\applic~1\MotioninJoy
2010-04-05 04:43:38 0 dc----w- d:\docume~1\markan~1\applic~1\MotioninJoy
2010-04-05 04:37:10 19456 -c--a-w- d:\windows\system32\libusbd-9x.exe
2010-04-05 04:37:10 18944 -c--a-w- d:\windows\system32\libusbd-nt.exe
2010-04-05 04:37:10 0 dc----w- d:\program files\LibUSB-Win32-0.1.10.1
2010-04-05 04:30:33 46592 -c--a-w- d:\windows\system32\libusb0.dll
2010-04-05 04:30:33 33792 -c--a-w- d:\windows\system32\drivers\libusb0.sys

==================== Find3M ====================

2010-04-21 13:09:57 242896 -c--a-w- d:\windows\system32\drivers\avgtdix.sys
2010-03-30 04:46:30 38224 -c--a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 -c--a-w- d:\windows\system32\drivers\mbam.sys
2010-03-24 17:37:56 0 -c-ha-w- d:\windows\system32\drivers\Msft_Kernel_xusb21_01009.Wdf
2010-03-24 17:37:55 0 -c-ha-w- d:\windows\system32\drivers\Msft_Kernel_MijXfilt_01009.Wdf
2010-03-18 23:01:22 48640 -c--a-w- d:\windows\system32\drivers\MijXfilt.sys
2010-03-16 12:14:13 12464 -c--a-w- d:\windows\system32\avgrsstx.dll
2010-03-16 12:13:41 216200 -c--a-w- d:\windows\system32\drivers\avgldx86.sys
2010-03-10 06:15:52 420352 -c--a-w- d:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 -c--a-w- d:\windows\system32\wininet.dll
2010-02-16 14:08:49 2146304 -c--a-w- d:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 -c--a-w- d:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 -c--a-w- d:\windows\system32\6to4svc.dll

============= FINISH: 16:44:45.70 ===============


#4 sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 02 May 2010 - 12:37 AM

Hi Itlan,



Welcome to the BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum.
My name is sundavis, and I will be helping you to deal with your malware problems today.


Step 1

Please download GMER Rootkit Scanner from Here or Here.
  1. Extract the contents of the zipped file to desktop.
  2. Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  3. If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  4. In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  5. Then click the Scan button & wait for it to finish. For more info, go to Here for your reference.
  6. Once done, click on the [Save..] button, and in the File name area, type in "Gmer.txt", and copy and paste the contents in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Step 2
  1. Please download OTL and save it to your desktop.
  2. Double click on the icon on your desktop.
  3. Click the "Scan All Users" checkbox.
  4. Click the "Quick Scan" button.
  5. Two reports will open, OTListIt.txt <-- Will be opened and Extra.txt <-- Will be minimized
  6. Copy and paste both logs back here in your next reply.

In your next reply, please post back:

1. Gmer log
2. OTListIt.txt and Extra.txt

Thanks.

#5 Itlan

  • Topic Starter
  • Members
  • 10 posts

Posted 02 May 2010 - 03:44 PM

Computer freezes whenever I use GMER. What should I do?

#6 sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 02 May 2010 - 09:03 PM

Hi Itlan,



You may try to run it in safe mode. If still not working, try running gmer again and this time uncheck Devices.

If still no joy, close gmer and restart it. There should be an initial scan. When done, save the log and post it in your next reply.

Please post the OTL log in your next reply, even if the gmer problem persists.

#7 Itlan

  • Topic Starter
  • Members
  • 10 posts

Posted 05 May 2010 - 01:31 AM

OTL.txt
OTL logfile created on: 5/5/2010 2:29:25 AM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = D:\Documents and Settings\Mark Andrew\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 62.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): D:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 104.89 Gb Total Space | 55.24 Gb Free Space | 52.66% Space Free | Partition Type: NTFS
Drive D: | 127.98 Gb Total Space | 11.14 Gb Free Space | 8.71% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MARK-61BBD9EDC5
Current User Name: Mark Andrew
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/05 02:27:01 | 000,570,880 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Mark Andrew\Desktop\OTL.exe
PRC - [2010/04/21 09:09:58 | 002,064,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/04/21 09:09:56 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/04/16 16:04:56 | 002,031,040 | ---- | M] (SlySoft Inc.) -- D:\Documents and Settings\All Users\Application Data\{7A15561F-A104-47D7-ACC2-B0E721761121}\Server.exe
PRC - [2010/04/02 08:41:19 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/03/16 08:14:13 | 000,508,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/03/16 08:14:10 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/03/16 08:13:41 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/03/16 08:13:41 | 000,710,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/01/07 15:38:10 | 000,058,592 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2010/01/07 15:38:08 | 000,158,448 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Zune\ZuneLauncher.exe
PRC - [2010/01/06 16:24:30 | 000,307,672 | ---- | M] (Mozilla Corporation) -- D:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/18 13:42:40 | 000,297,240 | ---- | M] (Impulse Point, LLC) -- D:\Program Files\SafeConnect\SCClient.exe
PRC - [2009/10/18 13:42:39 | 000,128,280 | ---- | M] (Impulse Point, LLC) -- D:\Program Files\SafeConnect\scManager.sys
PRC - [2009/07/09 16:07:14 | 000,049,968 | ---- | M] (AOL LLC) -- D:\Program Files\AIM6\aim6.exe
PRC - [2009/07/03 10:49:06 | 001,029,456 | ---- | M] (Lavasoft) -- D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/07/03 10:49:06 | 000,520,024 | ---- | M] (Lavasoft) -- D:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/01/26 15:31:16 | 002,144,088 | RHS- | M] (Safer Networking Limited) -- D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/11/06 13:33:00 | 000,041,264 | ---- | M] (AOL LLC) -- D:\Program Files\AIM6\aolsoftware.exe
PRC - [2008/10/15 01:04:34 | 000,039,792 | ---- | M] (Adobe Systems Incorporated) -- D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
PRC - [2008/07/23 21:27:04 | 000,106,496 | ---- | M] (The Skins Factory, Inc.) -- D:\Program Files\The Skins Factory\Hyperdesk\Common\HDThemeEnabler.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\explorer.exe
PRC - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- D:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2005/03/09 20:50:18 | 000,018,944 | ---- | M] (http://libusb-win32.sourceforge.net) -- D:\WINDOWS\system32\libusbd-nt.exe


========== Modules (SafeList) ==========

MOD - [2010/05/05 02:27:01 | 000,570,880 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Mark Andrew\Desktop\OTL.exe
MOD - [2010/04/16 17:49:28 | 000,042,496 | -H-- | M] () -- D:\WINDOWS\system32\routhare.dll
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/04/16 16:04:56 | 002,031,040 | ---- | M] (SlySoft Inc.) [Auto | Running] -- D:\Documents and Settings\All Users\Application Data\{7A15561F-A104-47D7-ACC2-B0E721761121}\Server.exe -- (GJService)
SRV - [2010/03/16 08:14:10 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- D:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/03/16 08:13:41 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- D:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/01/07 15:38:18 | 000,447,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- D:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/01/07 15:38:10 | 000,058,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- D:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2010/01/07 15:38:08 | 005,950,704 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- D:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2009/10/18 13:42:39 | 000,128,280 | ---- | M] (Impulse Point, LLC) [Auto | Running] -- D:\Program Files\SafeConnect\scManager.sys -- (SCManager)
SRV - [2009/07/03 10:49:06 | 001,029,456 | ---- | M] (Lavasoft) [Auto | Running] -- D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2008/07/23 21:27:04 | 000,106,496 | ---- | M] (The Skins Factory, Inc.) [Auto | Running] -- D:\Program Files\The Skins Factory\Hyperdesk\Common\HDThemeEnabler.exe -- (HdThemeEnabler)
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- D:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2005/03/09 20:50:18 | 000,018,944 | ---- | M] (http://libusb-win32.sourceforge.net) [Auto | Running] -- D:\WINDOWS\system32\libusbd-nt.exe -- (libusbd)


========== Driver Services (SafeList) ==========

DRV - [2010/04/30 12:09:57 | 000,003,584 | ---- | M] () [Kernel | On_Demand | Running] -- D:\WINDOWS\Temp\drv1.tmp -- (NTProcDrv)
DRV - [2010/04/21 09:09:57 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- D:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/04/16 10:36:24 | 000,042,944 | ---- | M] (SlySoft Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\maplom.sys -- (Maplom)
DRV - [2010/04/16 10:33:54 | 000,044,480 | ---- | M] (SlySoft Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\maploml.sys -- (MaplomL)
DRV - [2010/03/18 19:01:22 | 000,048,640 | ---- | M] (MotioninJoy) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\MijXfilt.sys -- (MotioninJoyXFilter)
DRV - [2010/03/16 08:14:13 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- D:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/03/16 08:13:41 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- D:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/01/07 15:22:02 | 000,040,832 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- D:\WINDOWS\system32\drivers\zumbus.sys -- (zumbus)
DRV - [2010/01/07 03:30:11 | 000,016,224 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2009/12/10 22:57:20 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- D:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/11/24 15:29:16 | 000,061,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\xusb21.sys -- (xusb21)
DRV - [2009/08/26 14:48:49 | 000,015,600 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2009/07/03 10:49:08 | 000,064,160 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- D:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/06/29 07:59:14 | 000,142,592 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2009/06/25 06:32:06 | 000,006,144 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- D:\Documents and Settings\Mark Andrew\My Documents\Downloads\xp32\BIN\atiicdxx.sys -- (ATICDSDr)
DRV - [2009/06/25 02:07:40 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2009/06/25 02:07:39 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2008/12/25 12:08:00 | 006,301,344 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/03/06 11:51:14 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- D:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2006/12/24 06:15:18 | 000,027,904 | ---- | M] (Compuware Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\xPADFL02.sys -- (XPADFL02)
DRV - [2006/11/02 08:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2006/09/24 09:28:46 | 000,005,248 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Boot | Running] -- D:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2006/08/15 14:41:16 | 004,368,896 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/03/09 20:50:16 | 000,033,792 | ---- | M] () [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\libusb0.sys -- (libusb0)
DRV - [1996/04/03 15:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- D:\WINDOWS\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2025429265-602609370-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2025429265-602609370-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.812
FF - prefs.js..extensions.enabledItems: {e001c731-5e37-4538-a5cb-8168736a2360}:0.9.9.18
FF - prefs.js..extensions.enabledItems: ffxtlbr@Facemoods.com:1.0.3
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: multipletab@piro.sakura.ne.jp:0.4.2009073101
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5
FF - prefs.js..extensions.enabledItems: {20C3BDFF-DA68-468d-8D9A-F5A6C76B0F9E}:3.11


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: D:\Program Files\AVG\AVG9\Firefox [2010/04/22 06:43:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Components: D:\Program Files\Mozilla Firefox\components [2010/03/17 04:14:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Plugins: D:\Program Files\Mozilla Firefox\plugins [2010/03/03 15:59:38 | 000,000,000 | ---D | M]

[2009/08/16 02:28:17 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\Mozilla\Extensions
[2010/04/23 08:34:12 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\Mozilla\Firefox\Profiles\yhnr3673.default\extensions
[2009/09/02 14:50:01 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- D:\Documents and Settings\Mark Andrew\Application Data\Mozilla\Firefox\Profiles\yhnr3673.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/11/01 22:26:02 | 000,000,000 | ---D | M] (Utopia FFSE White) -- D:\Documents and Settings\Mark Andrew\Application Data\Mozilla\Firefox\Profiles\yhnr3673.default\extensions\{20C3BDFF-DA68-468d-8D9A-F5A6C76B0F9E}
[2009/11/01 21:41:31 | 000,000,000 | ---D | M] (Adblock Plus) -- D:\Documents and Settings\Mark Andrew\Application Data\Mozilla\Firefox\Profiles\yhnr3673.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/04/23 08:34:04 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\Mark Andrew\Application Data\Mozilla\Firefox\Profiles\yhnr3673.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
[2010/03/15 03:06:26 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\Mozilla\Firefox\Profiles\yhnr3673.default\extensions\ffxtlbr@Facemoods.com
[2009/11/01 22:09:40 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\Mozilla\Firefox\Profiles\yhnr3673.default\extensions\multipletab@piro.sakura.ne.jp
[2010/01/08 22:37:19 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\Mozilla\Firefox\Profiles\yhnr3673.default\extensions\personas@christopher.beard
[2010/04/23 08:34:12 | 000,000,000 | ---D | M] -- D:\Program Files\Mozilla Firefox\extensions
[2007/04/16 13:07:12 | 000,180,293 | ---- | M] () -- D:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2004/08/04 08:00:00 | 000,000,734 | ---- | M]) - D:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG9_TRAY] D:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [NvCplDaemon] D:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SkyTel] D:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Zune Launcher] D:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2025429265-602609370-839522115-1004..\Run: [Aim6] D:\Program Files\AIM6\aim6.exe (AOL LLC)
O4 - HKU\S-1-5-21-2025429265-602609370-839522115-1004..\Run: [DS3 Tool] D:\Program Files\MotioninJoy\ds3\DS3_Tool.exe (www.motioninjoy.com)
O4 - HKU\S-1-5-21-2025429265-602609370-839522115-1004..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk = D:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe (Research In Motion Limited)
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\SafeConnect.lnk = D:\Program Files\SafeConnect\SCClient.exe (Impulse Point, LLC)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2025429265-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - D:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - D:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} http://download.gigabyte.com.tw/object/Dldrv.ocx (Dldrv2 Control)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.24.0.7 172.24.0.5
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - D:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - D:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - D:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: D:\Documents and Settings\Mark Andrew\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: D:\Documents and Settings\Mark Andrew\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/15 14:39:07 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{4eceb4be-e601-11de-8e13-001fd0351c95}\Shell - "" = AutoRun
O33 - MountPoints2\{4eceb4be-e601-11de-8e13-001fd0351c95}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4eceb4be-e601-11de-8e13-001fd0351c95}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{a8499f64-b826-11dc-8e2f-001fd0351c95}\Shell\AutoRun\command - "" = G:\slacker.synclauncher.exe -- File not found
O33 - MountPoints2\{a8499f64-b826-11dc-8e2f-001fd0351c95}\Shell\slacker\command - "" = G:\slacker.synclauncher.exe -- File not found
O33 - MountPoints2\{dce0bdc4-b066-11de-b545-001fd0351c95}\Shell - "" = AutoRun
O33 - MountPoints2\{dce0bdc4-b066-11de-b545-001fd0351c95}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{dce0bdc4-b066-11de-b545-001fd0351c95}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{e739275a-f4aa-11de-8e18-001fd0351c95}\Shell\AutoRun\command - "" = G:\slacker.synclauncher.exe -- File not found
O33 - MountPoints2\{e739275a-f4aa-11de-8e18-001fd0351c95}\Shell\slacker\command - "" = G:\slacker.synclauncher.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: contsink - (D:\WINDOWS\system32\routhare.dll) - D:\WINDOWS\system32\routhare.dll ()
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/05/05 02:27:01 | 000,570,880 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\Mark Andrew\Desktop\OTL.exe
[2010/04/28 01:33:04 | 000,000,000 | RH-D | C] -- D:\Documents and Settings\Mark Andrew\Recent
[2010/04/25 15:18:35 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\{7A15561F-A104-47D7-ACC2-B0E721761121}
[2010/04/25 15:18:34 | 000,044,480 | ---- | C] (SlySoft Inc.) -- D:\WINDOWS\System32\drivers\maploml.sys
[2010/04/25 15:18:34 | 000,042,944 | ---- | C] (SlySoft Inc.) -- D:\WINDOWS\System32\drivers\maplom.sys
[2010/04/25 15:18:32 | 000,000,000 | ---D | C] -- D:\Program Files\SlySoft
[2010/04/25 15:14:36 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Mark Andrew\Application Data\My The Lord of the Rings, The Rise of the Witch-king Files
[2010/04/24 11:34:34 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Mark Andrew\Application Data\My Battle for Middle-earth™ II Files
[2010/04/24 11:23:12 | 000,000,000 | ---D | C] -- D:\WINDOWS\RegisteredPackages
[2010/04/24 11:03:54 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- D:\Documents and Settings\Mark Andrew\Desktop\HiJackThis.exe
[2010/04/24 10:58:37 | 000,000,000 | ---D | C] -- D:\Program Files\Electronic Arts
[2010/04/23 08:34:33 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Mark Andrew\Application Data\QuickScan
[2010/04/23 07:50:24 | 000,000,000 | ---D | C] -- D:\Program Files\Spybot - Search & Destroy
[2010/04/23 07:50:24 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/04/14 03:03:05 | 000,000,000 | -HSD | C] -- D:\Config.Msi
[2010/04/05 01:03:06 | 000,090,112 | ---- | C] (Saikeware Technology Co., Ltd. CHINA) -- D:\WINDOWS\System32\MijFrc.dll
[2010/04/05 01:03:06 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\MotioninJoy
[2010/04/05 00:43:38 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Mark Andrew\Application Data\MotioninJoy
[2010/04/05 00:37:10 | 000,019,456 | ---- | C] (http://libusb-win32.sourceforge.net) -- D:\WINDOWS\System32\libusbd-9x.exe
[2010/04/05 00:37:10 | 000,018,944 | ---- | C] (http://libusb-win32.sourceforge.net) -- D:\WINDOWS\System32\libusbd-nt.exe
[2010/04/05 00:37:10 | 000,000,000 | ---D | C] -- D:\Program Files\LibUSB-Win32-0.1.10.1
[2010/04/05 00:30:33 | 000,046,592 | ---- | C] (http://libusb-win32.sourceforge.net) -- D:\WINDOWS\System32\libusb0.dll
[2010/04/04 23:28:50 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\TEMP
[2010/03/24 13:37:49 | 000,048,640 | ---- | C] (MotioninJoy) -- D:\WINDOWS\System32\drivers\MijXfilt.sys
[2010/03/24 13:37:20 | 000,000,000 | ---D | C] -- D:\Program Files\MotioninJoy
[2010/03/03 16:00:10 | 000,000,000 | ---D | C] -- D:\Program Files\iPod
[2010/03/03 16:00:06 | 000,000,000 | ---D | C] -- D:\Program Files\iTunes
[2010/03/03 16:00:06 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/03/03 15:59:50 | 000,000,000 | ---D | C] -- D:\Program Files\Bonjour
[2010/03/03 15:59:18 | 000,000,000 | ---D | C] -- D:\Program Files\QuickTime
[2010/03/03 15:59:16 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Apple Computer
[2010/03/03 15:58:36 | 000,000,000 | ---D | C] -- D:\Program Files\Apple Software Update
[2010/02/27 19:01:47 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Mark Andrew\Application Data\ProfitUI Reborn Updater
[2010/02/12 03:24:25 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Mark Andrew\Application Data\dvdcss
[6 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
[3 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/05/05 02:30:10 | 000,432,356 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat
[2010/05/05 02:30:10 | 000,067,312 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat
[2010/05/05 02:30:09 | 000,508,956 | ---- | M] () -- D:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/05 02:27:01 | 000,570,880 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Mark Andrew\Desktop\OTL.exe
[2010/05/05 02:26:27 | 000,000,256 | ---- | M] () -- D:\WINDOWS\System32\pool.bin
[2010/05/05 02:26:01 | 000,000,044 | -HS- | M] () -- D:\Documents and Settings\All Users\Application Data\.zreglib
[2010/05/05 02:25:54 | 000,200,790 | ---- | M] () -- D:\WINDOWS\System32\nvapps.xml
[2010/05/05 02:25:48 | 000,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT
[2010/05/05 02:25:46 | 000,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2010/05/05 02:22:45 | 004,456,448 | ---- | M] () -- D:\Documents and Settings\Mark Andrew\NTUSER.DAT
[2010/05/04 17:40:35 | 059,569,112 | ---- | M] () -- D:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/05/04 17:10:17 | 000,013,710 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2010/05/04 17:07:41 | 002,646,664 | -H-- | M] () -- D:\Documents and Settings\Mark Andrew\Local Settings\Application Data\IconCache.db
[2010/05/03 02:11:00 | 000,000,472 | ---- | M] () -- D:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/01 15:41:41 | 000,284,915 | ---- | M] () -- D:\Documents and Settings\Mark Andrew\Desktop\gmer.zip
[2010/05/01 15:38:44 | 000,525,824 | ---- | M] () -- D:\Documents and Settings\Mark Andrew\Desktop\dds.scr
[2010/05/01 13:17:02 | 000,000,284 | ---- | M] () -- D:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/25 15:48:53 | 024,921,361 | ---- | M] () -- D:\Documents and Settings\Mark Andrew\Desktop\LotrBfMe2EP1_131073_english.exe
[2010/04/25 15:18:38 | 000,001,005 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Game Jackal v4.lnk
[2010/04/25 15:13:53 | 000,002,127 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\The Lord of the Rings, The Rise of the Witch-king.lnk
[2010/04/24 14:23:58 | 000,000,507 | ---- | M] () -- D:\WINDOWS\win.ini
[2010/04/24 14:23:58 | 000,000,227 | ---- | M] () -- D:\WINDOWS\system.ini
[2010/04/24 11:23:21 | 000,001,986 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\The Battle for Middle-earth ™ II.lnk
[2010/04/24 11:03:54 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- D:\Documents and Settings\Mark Andrew\Desktop\HiJackThis.exe
[2010/04/23 08:24:27 | 000,015,931 | ---- | M] () -- D:\Documents and Settings\Mark Andrew\My Documents\The nature of my work was two.docx
[2010/04/23 07:50:44 | 000,001,548 | ---- | M] () -- D:\Documents and Settings\Mark Andrew\Desktop\CCleaner.lnk
[2010/04/23 07:50:31 | 000,000,933 | ---- | M] () -- D:\Documents and Settings\Mark Andrew\Desktop\Spybot - Search & Destroy.lnk
[2010/04/23 07:18:41 | 000,000,162 | -H-- | M] () -- D:\Documents and Settings\Mark Andrew\My Documents\~$e nature of my work was two.docx
[2010/04/21 09:09:57 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\WINDOWS\System32\drivers\avgtdix.sys
[2010/04/20 16:12:20 | 000,086,813 | ---- | M] () -- D:\Documents and Settings\Mark Andrew\My Documents\DSCN0257.JPG
[2010/04/17 02:11:38 | 000,000,751 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\World of Warcraft.lnk
[2010/04/16 17:49:28 | 000,042,496 | -H-- | M] () -- D:\WINDOWS\System32\routhare.dll
[2010/04/16 10:36:24 | 000,042,944 | ---- | M] (SlySoft Inc.) -- D:\WINDOWS\System32\drivers\maplom.sys
[2010/04/16 10:33:54 | 000,044,480 | ---- | M] (SlySoft Inc.) -- D:\WINDOWS\System32\drivers\maploml.sys
[2010/04/14 03:19:33 | 000,148,400 | ---- | M] () -- D:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/10 19:46:32 | 000,028,264 | ---- | M] () -- D:\Documents and Settings\Mark Andrew\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/09 14:20:39 | 000,000,000 | ---- | M] () -- D:\WINDOWS\System32\Access.dat
[2010/04/08 02:16:20 | 000,012,143 | ---- | M] () -- D:\Documents and Settings\Mark Andrew\My Documents\caitlin.docx
[2010/04/05 01:03:06 | 000,000,771 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\DS3 Tool.lnk
[2010/04/05 00:23:35 | 000,000,731 | ---- | M] () -- D:\Documents and Settings\Mark Andrew\Desktop\Shortcut to ePSXe.exe.lnk
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbam.sys
[2010/03/24 13:37:56 | 000,000,000 | -H-- | M] () -- D:\WINDOWS\System32\drivers\Msft_Kernel_xusb21_01009.Wdf
[2010/03/24 13:37:55 | 000,000,000 | -H-- | M] () -- D:\WINDOWS\System32\drivers\Msft_Kernel_MijXfilt_01009.Wdf
[2010/03/18 19:01:22 | 000,048,640 | ---- | M] (MotioninJoy) -- D:\WINDOWS\System32\drivers\MijXfilt.sys
[2010/03/16 08:14:13 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/03/16 08:14:13 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\WINDOWS\System32\avgrsstx.dll
[2010/03/16 08:13:41 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- D:\WINDOWS\System32\drivers\avgldx86.sys
[2010/03/11 06:38:27 | 000,013,386 | ---- | M] () -- D:\Documents and Settings\Mark Andrew\My Documents\iloveucaitlin.docx
[2010/03/10 22:46:38 | 000,028,503 | ---- | M] () -- D:\Documents and Settings\Mark Andrew\My Documents\bert-and-ernie.jpg
[2010/03/03 16:00:53 | 000,001,804 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/03/03 15:59:32 | 000,001,604 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[6 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
[3 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/01 15:41:49 | 000,293,376 | ---- | C] () -- D:\Documents and Settings\Mark Andrew\Desktop\gmer.exe
[2010/05/01 15:41:41 | 000,284,915 | ---- | C] () -- D:\Documents and Settings\Mark Andrew\Desktop\gmer.zip
[2010/05/01 15:38:44 | 000,525,824 | ---- | C] () -- D:\Documents and Settings\Mark Andrew\Desktop\dds.scr
[2010/04/25 15:48:26 | 024,921,361 | ---- | C] () -- D:\Documents and Settings\Mark Andrew\Desktop\LotrBfMe2EP1_131073_english.exe
[2010/04/25 15:20:44 | 000,000,044 | -HS- | C] () -- D:\Documents and Settings\All Users\Application Data\.zreglib
[2010/04/25 15:18:38 | 000,001,005 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Game Jackal v4.lnk
[2010/04/25 15:13:53 | 000,002,127 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\The Lord of the Rings, The Rise of the Witch-king.lnk
[2010/04/24 11:23:21 | 000,001,986 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\The Battle for Middle-earth ™ II.lnk
[2010/04/24 11:22:46 | 000,013,312 | ---- | C] () -- D:\WINDOWS\System32\dllcache\msdmo.dll
[2010/04/23 07:50:31 | 000,000,933 | ---- | C] () -- D:\Documents and Settings\Mark Andrew\Desktop\Spybot - Search & Destroy.lnk
[2010/04/23 07:18:41 | 000,000,162 | -H-- | C] () -- D:\Documents and Settings\Mark Andrew\My Documents\~$e nature of my work was two.docx
[2010/04/22 22:41:45 | 000,015,931 | ---- | C] () -- D:\Documents and Settings\Mark Andrew\My Documents\The nature of my work was two.docx
[2010/04/20 16:14:30 | 000,086,813 | ---- | C] () -- D:\Documents and Settings\Mark Andrew\My Documents\DSCN0257.JPG
[2010/04/16 17:49:28 | 000,042,496 | -H-- | C] () -- D:\WINDOWS\System32\routhare.dll
[2010/04/08 15:50:11 | 000,000,751 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\World of Warcraft.lnk
[2010/04/08 02:16:19 | 000,012,143 | ---- | C] () -- D:\Documents and Settings\Mark Andrew\My Documents\caitlin.docx
[2010/04/05 01:03:06 | 000,000,771 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\DS3 Tool.lnk
[2010/04/05 00:30:33 | 000,033,792 | ---- | C] () -- D:\WINDOWS\System32\drivers\libusb0.sys
[2010/04/05 00:23:35 | 000,000,731 | ---- | C] () -- D:\Documents and Settings\Mark Andrew\Desktop\Shortcut to ePSXe.exe.lnk
[2010/03/24 13:37:56 | 000,000,000 | -H-- | C] () -- D:\WINDOWS\System32\drivers\Msft_Kernel_xusb21_01009.Wdf
[2010/03/24 13:37:55 | 000,000,000 | -H-- | C] () -- D:\WINDOWS\System32\drivers\Msft_Kernel_MijXfilt_01009.Wdf
[2010/03/11 06:34:53 | 000,013,386 | ---- | C] () -- D:\Documents and Settings\Mark Andrew\My Documents\iloveucaitlin.docx
[2010/03/10 22:46:37 | 000,028,503 | ---- | C] () -- D:\Documents and Settings\Mark Andrew\My Documents\bert-and-ernie.jpg
[2010/03/03 16:00:53 | 000,001,804 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/03/03 15:59:32 | 000,001,604 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/03/03 15:58:38 | 000,000,284 | ---- | C] () -- D:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/12/25 14:31:37 | 000,237,568 | ---- | C] () -- D:\WINDOWS\System32\lame_enc.dll
[2009/11/30 15:37:34 | 000,041,872 | ---- | C] () -- D:\WINDOWS\System32\xfcodec.dll
[2009/08/26 15:24:41 | 000,143,360 | ---- | C] () -- D:\WINDOWS\System32\RtlCPAPI.dll
[2009/08/25 16:22:29 | 000,003,840 | ---- | C] () -- D:\WINDOWS\System32\drivers\BANTExt.sys
[2009/08/22 00:39:53 | 000,691,696 | ---- | C] () -- D:\WINDOWS\System32\drivers\sptd.sys
[2009/08/16 20:09:03 | 000,000,262 | ---- | C] () -- D:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/08/15 15:00:16 | 000,073,728 | ---- | C] () -- D:\WINDOWS\System32\RtNicProp32.dll
[2009/04/22 00:19:06 | 000,172,173 | ---- | C] () -- D:\WINDOWS\System32\xlive.dll.cat
[2008/12/25 12:08:00 | 001,724,416 | ---- | C] () -- D:\WINDOWS\System32\nvwdmcpl.dll
[2008/12/25 12:08:00 | 001,507,328 | ---- | C] () -- D:\WINDOWS\System32\nview.dll
[2008/12/25 12:08:00 | 001,101,824 | ---- | C] () -- D:\WINDOWS\System32\nvwimg.dll
[2008/12/25 12:08:00 | 000,466,944 | ---- | C] () -- D:\WINDOWS\System32\nvshell.dll
[2008/10/07 09:13:30 | 000,197,912 | ---- | C] () -- D:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- D:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- D:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- D:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- D:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- D:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- D:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- D:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- D:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- D:\WINDOWS\System32\AgCPanelFrench.dll
[2002/07/05 10:12:06 | 000,027,136 | ---- | C] () -- D:\WINDOWS\System32\authdvd.dll
[1996/04/03 15:33:26 | 000,005,248 | ---- | C] () -- D:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2009/08/16 22:44:38 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\acccore
[2009/11/01 22:01:09 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\avg9
[2009/09/04 17:54:33 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Azureus
[2010/04/09 09:53:29 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\BioWare
[2009/12/10 22:57:05 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2009/08/22 00:42:00 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
[2010/04/05 01:03:06 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\MotioninJoy
[2009/12/29 19:03:41 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\NBC Direct
[2010/01/09 16:02:13 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\PassMark
[2009/08/16 02:41:39 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2010/01/04 03:42:37 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Research In Motion
[2010/04/04 23:52:50 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\TEMP
[2010/01/07 03:31:03 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Tunngle
[2009/08/16 22:44:39 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/03/03 16:00:43 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/04/25 15:18:36 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\{7A15561F-A104-47D7-ACC2-B0E721761121}
[2009/08/16 02:10:59 | 000,000,000 | -H-D | M] -- D:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
[2009/08/16 22:45:38 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\acccore
[2010/04/28 01:33:01 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\Azureus
[2009/08/22 00:49:48 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\DAEMON Tools Lite
[2009/08/22 00:39:49 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\DAEMON Tools Pro
[2009/08/21 21:12:39 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\IDM
[2010/04/05 00:43:38 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\MotioninJoy
[2010/04/24 12:38:06 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\My Battle for Middle-earth™ II Files
[2010/04/27 14:26:14 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\My The Lord of the Rings, The Rise of the Witch-king Files
[2009/12/29 19:03:41 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\NBC Direct
[2010/02/27 19:03:11 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\ProfitUI Reborn Updater
[2010/04/24 11:17:55 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\QuickScan
[2009/12/25 16:05:56 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\Red Kawa
[2009/09/01 02:36:18 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\Research In Motion
[2010/01/02 18:26:46 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\runic games
[2010/01/03 18:50:30 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\Skinux
[2010/03/22 23:47:25 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\Sony Online Entertainment
[2010/01/07 03:31:20 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\Tunngle
[2009/12/29 18:51:25 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\Uniblue
[2009/12/29 19:01:55 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\uTorrent
[2009/12/25 13:43:07 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Mark Andrew\Application Data\Xilisoft Corporation
[2010/05/03 02:11:00 | 000,000,472 | ---- | M] () -- D:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 117 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:63238B95
< End of report >

Extras.txt
OTL Extras logfile created on: 5/5/2010 2:29:25 AM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = D:\Documents and Settings\Mark Andrew\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 62.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): D:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 104.89 Gb Total Space | 55.24 Gb Free Space | 52.66% Space Free | Partition Type: NTFS
Drive D: | 127.98 Gb Total Space | 11.14 Gb Free Space | 8.71% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MARK-61BBD9EDC5
Current User Name: Mark Andrew
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-2025429265-602609370-839522115-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- D:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "D:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "D:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "D:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "D:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "D:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- D:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "D:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"D:\Program Files\AVG\AVG8\avgemc.exe" = D:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- File not found
"D:\Program Files\AVG\AVG8\avgupd.exe" = D:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- File not found
"D:\Program Files\AVG\AVG8\avgnsx.exe" = D:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- File not found
"D:\Program Files\World of Warcraft\WoW-3.2.0-enUS-downloader.exe" = D:\Program Files\World of Warcraft\WoW-3.2.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"D:\Program Files\World of Warcraft\Launcher.exe" = D:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher -- (Blizzard Entertainment)
"D:\Program Files\Ventrilo\Ventrilo.exe" = D:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
"D:\Program Files\Common Files\AOL\Loader\aolload.exe" = D:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"D:\Program Files\AIM6\aim6.exe" = D:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)
"D:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe" = D:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"D:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = D:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"D:\Program Files\Vuze\Azureus.exe" = D:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus -- (Vuze Inc.)
"D:\Program Files\Steam\steamapps\cousinofdeath\counter-strike\hl.exe" = D:\Program Files\Steam\steamapps\cousinofdeath\counter-strike\hl.exe:*:Enabled:Half-Life Launcher -- (Valve)
"D:\Program Files\Steam\steamapps\cousinofdeath\counter-strike source\hl2.exe" = D:\Program Files\Steam\steamapps\cousinofdeath\counter-strike source\hl2.exe:*:Enabled:hl2 -- ()
"D:\Program Files\Warhammer 40,000\DOW2.exe" = D:\Program Files\Warhammer 40,000\DOW2.exe:*:Enabled:DOW2 -- File not found
"D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe" = D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 Warlords -- File not found
"D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe" = D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Pitboss -- File not found
"D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe" = D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword -- File not found
"D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe" = D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword Pitboss -- File not found
"D:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe" = D:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"D:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe" = D:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"D:\Program Files\World of Warcraft Public Test\WoW-0.3.0.10522-enUS-ptr-downloader.exe" = D:\Program Files\World of Warcraft Public Test\WoW-0.3.0.10522-enUS-ptr-downloader.exe:*:Enabled:Blizzard Downloader -- File not found
"D:\Program Files\World of Warcraft Public Test\Launcher.exe" = D:\Program Files\World of Warcraft Public Test\Launcher.exe:*:Enabled:Blizzard Launcher -- File not found
"D:\Program Files\World of Warcraft Public Test\WoW-0.3.0.10522-to-0.3.0.10554-enUS-ptr-downloader.exe" = D:\Program Files\World of Warcraft Public Test\WoW-0.3.0.10522-to-0.3.0.10554-enUS-ptr-downloader.exe:*:Enabled:Blizzard Downloader -- File not found
"D:\Program Files\AVG\AVG9\avgemc.exe" = D:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"D:\Program Files\AVG\AVG9\avgupd.exe" = D:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"D:\Program Files\AVG\AVG9\avgnsx.exe" = D:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"D:\Program Files\World of Warcraft Public Test\WoW-0.3.0.10554-to-0.3.0.10571-enUS-ptr-downloader.exe" = D:\Program Files\World of Warcraft Public Test\WoW-0.3.0.10554-to-0.3.0.10571-enUS-ptr-downloader.exe:*:Enabled:Blizzard Downloader -- File not found
"D:\Program Files\World of Warcraft Public Test\WoW-0.3.0.10571-to-0.3.0.10596-enUS-ptr-downloader.exe" = D:\Program Files\World of Warcraft Public Test\WoW-0.3.0.10571-to-0.3.0.10596-enUS-ptr-downloader.exe:*:Enabled:Blizzard Downloader -- File not found
"D:\Program Files\EA GAMES\The Battle for Middle-earth ™\game.dat" = D:\Program Files\EA GAMES\The Battle for Middle-earth ™\game.dat:*:Enabled:The Battle for Middle-earth ™ -- File not found
"C:\Program Files\Sony\EverQuest II\EQ2VoiceService.exe" = C:\Program Files\Sony\EverQuest II\EQ2VoiceService.exe:*:Enabled:EQ2VoiceService -- File not found
"D:\Documents and Settings\Mark Andrew\Desktop\Left 4 Dead 2\left4dead2.exe" = D:\Documents and Settings\Mark Andrew\Desktop\Left 4 Dead 2\left4dead2.exe:*:Enabled:left4dead2 -- File not found
"D:\Program Files\Left 4 Dead 2\left4dead2.exe" = D:\Program Files\Left 4 Dead 2\left4dead2.exe:*:Enabled:left4dead2 -- File not found
"D:\Program Files\Xfire\Xfire.exe" = D:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire -- (Xfire Inc.)
"D:\Documents and Settings\Mark Andrew\My Documents\Azureus Downloads\left 4 dead 2 Nosteam by madwiggyNLD\left 4 dead 2\left4dead2.exe" = D:\Documents and Settings\Mark Andrew\My Documents\Azureus Downloads\left 4 dead 2 Nosteam by madwiggyNLD\left 4 dead 2\left4dead2.exe:*:Enabled:left4dead2 -- File not found
"D:\Program Files\Garena\Garena.exe" = D:\Program Files\Garena\Garena.exe:*:Enabled:Garena -- File not found
"D:\Program Files\Java\jre6\bin\java.exe" = D:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"D:\Program Files\Sony Online Entertainment\Installed Games\EverQuest II\EQ2VoiceService.exe" = D:\Program Files\Sony Online Entertainment\Installed Games\EverQuest II\EQ2VoiceService.exe:*:Enabled:EQ2VoiceService -- ()
"D:\Program Files\iTunes\iTunes.exe" = D:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"D:\Documents and Settings\Mark Andrew\Local Settings\Temp\Blizzard Installer Bootstrap - 129658b8\Installer.exe" = D:\Documents and Settings\Mark Andrew\Local Settings\Temp\Blizzard Installer Bootstrap - 129658b8\Installer.exe:*:Enabled:Blizzard Installer -- File not found
"D:\Program Files\Electronic Arts\The Battle for Middle-earth ™ II\game.dat" = D:\Program Files\Electronic Arts\The Battle for Middle-earth ™ II\game.dat:*:Enabled:The Battle for Middle-earth™ II -- (Electronic Arts Inc.)
"D:\Program Files\Electronic Arts\The Lord of the Rings, The Rise of the Witch-king\game.dat" = D:\Program Files\Electronic Arts\The Lord of the Rings, The Rise of the Witch-king\game.dat:*:Enabled:The Lord of the Rings, The Rise of the Witch-king -- (Electronic Arts Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}" = Zune Language Pack (FR)
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}" = Microsoft Games for Windows - LIVE Redistributable
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16
"{2A9F95AB-65A3-432c-8631-B8BC5BF7477A}" = The Battle for Middle-earth ™ II
"{330DAC67-5B62-452A-A0E4-6B4A5923940F}_is1" = MotioninJoy ds3 driver version 0.4.0002
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{370BCBBA-67D7-4535-ADCD-58CD1C8DEC99}" = Zune Language Pack (DE)
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{40EC6323-497B-44DA-8A88-74578622D9B3}" = Zune Language Pack (IT)
"{49668BEE-D721-449C-82D3-C7561945F706}" = Station Launcher
"{4D243BA7-9AC4-46D1-90E5-EEB88974F501}" = Microsoft Games for Windows - LIVE
"{54212B70-2138-4DF0-91ED-34CADE1CD8E3}" = Station Launcher
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{689E0AB3-50B2-4E5A-9DCE-6DA9F5BE1314}" = BlackBerry® Media Sync
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{870815CA-6B60-47B6-88DD-A67F42D2F03E}" = GPL MPEG-1/2 DirectShow Decoder Filter
"{888FFC82-688D-46AB-A776-B417885432B6}" = Zune
"{89064FF7-AFD0-914D-0E63-0B4E647B2148}" = Hyperdesk - DarkMatter Solar Flare
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8BCAFB73-49AE-4AC4-00A1-70E4EC38BD4E}" = The Lord of the Rings, The Rise of the Witch-king
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.6
"{AC9EB601-6F99-4F0A-B164-C9A1CF960F79}" = Hyperdesk - DarkMatter Subspace
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{B83FC356-B7C0-441F-8A4D-D71E088E7974}" = NVIDIA PhysX
"{BE09C217-887A-4E2C-8005-B5F0148C2B8F}" = Hyperdesk - DarkMatter Gamma Ray
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}" = Zune Language Pack (ES)
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"8461-7759-5462-8226" = Vuze
"AC3Filter_is1" = AC3Filter 1.63b
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM_6" = AIM 6
"AVG9Uninstall" = AVG Free 9.0
"Belarc Advisor" = Belarc Advisor 8.1
"BlackBerry_{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"CCleaner" = CCleaner
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"EVEREST Home Edition_is1" = EVEREST Home Edition v2.20
"Game Jackal v4_is1" = Game Jackal v4.0.2.5 (32 bit)
"GameSaike SixaxisDriver_is1" = SixaxisDriver 0.91
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"ie8" = Windows Internet Explorer 8
"LibUSB-Win32_is1" = LibUSB-Win32-0.1.10.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.17)" = Mozilla Firefox (3.0.17)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"PC Wizard 2009_is1" = PC Wizard 2009.1.90
"PerformanceTest 7_is1" = PerformanceTest v7.0
"Runic Games Torchlight" = Torchlight
"SafeConnect" = SafeConnect
"SpeedFan" = SpeedFan (remove only)
"Starcraft" = Starcraft
"Steam App 10" = Counter-Strike
"Steam App 12910" = Audiosurf Demo
"Steam App 240" = Counter-Strike: Source
"SystemRequirementsLab" = System Requirements Lab
"Videora Zune HD Converter" = Videora Zune HD Converter 5.03
"ViewpointMediaPlayer" = Viewpoint Media Player
"VLC media player" = VLC media player 1.0.3
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"Wudf01009" = Microsoft User-Mode Driver Framework Feature Pack 1.9
"Xfire" = Xfire (remove only)
"Zune" = Zune

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2025429265-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ProfitUI Reborn Updater" = ProfitUI Reborn Updater

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/30/2010 11:29:48 AM | Computer Name = MARK-61BBD9EDC5 | Source = Application Error | ID = 1000
Description = Faulting application setup_wm.exe, version 11.0.5721.5146, faulting
module unknown, version 0.0.0.0, fault address 0x715b9e59.

Error - 4/30/2010 1:17:29 PM | Computer Name = MARK-61BBD9EDC5 | Source = Application Error | ID = 1000
Description = Faulting application setup_wm.exe, version 11.0.5721.5146, faulting
module unknown, version 0.0.0.0, fault address 0x715b9e59.

Error - 4/30/2010 1:18:06 PM | Computer Name = MARK-61BBD9EDC5 | Source = Application Error | ID = 1000
Description = Faulting application setup_wm.exe, version 11.0.5721.5146, faulting
module unknown, version 0.0.0.0, fault address 0x715b9e59.

Error - 5/1/2010 3:41:00 PM | Computer Name = MARK-61BBD9EDC5 | Source = Application Error | ID = 1000
Description = Faulting application winrar.exe, version 3.90.0.0, faulting module
winrar.exe, version 3.90.0.0, fault address 0x00007082.

Error - 5/1/2010 3:41:11 PM | Computer Name = MARK-61BBD9EDC5 | Source = Application Error | ID = 1000
Description = Faulting application winrar.exe, version 3.90.0.0, faulting module
winrar.exe, version 3.90.0.0, fault address 0x00007082.

Error - 5/1/2010 3:41:58 PM | Computer Name = MARK-61BBD9EDC5 | Source = Application Error | ID = 1000
Description = Faulting application winrar.exe, version 3.90.0.0, faulting module
winrar.exe, version 3.90.0.0, fault address 0x00007082.

Error - 5/2/2010 12:23:21 AM | Computer Name = MARK-61BBD9EDC5 | Source = Application Error | ID = 1000
Description = Faulting application setup_wm.exe, version 11.0.5721.5146, faulting
module unknown, version 0.0.0.0, fault address 0x715b9e59.

Error - 5/3/2010 3:38:40 PM | Computer Name = MARK-61BBD9EDC5 | Source = Application Error | ID = 1000
Description = Faulting application setup_wm.exe, version 11.0.5721.5146, faulting
module unknown, version 0.0.0.0, fault address 0x715b9e59.

Error - 5/4/2010 6:24:15 PM | Computer Name = MARK-61BBD9EDC5 | Source = Application Error | ID = 1000
Description = Faulting application setup_wm.exe, version 11.0.5721.5146, faulting
module unknown, version 0.0.0.0, fault address 0x715b9e59.

Error - 5/5/2010 2:25:58 AM | Computer Name = MARK-61BBD9EDC5 | Source = .NET Runtime 2.0 Error Reporting | ID = 1000
Description = Faulting application ds3_tool.exe, version 0.4.0.0, stamp 4b552eec,
faulting module mscorwks.dll, version 2.0.50727.3603, stamp 4a7cd88e, debug? 0,
fault address 0x00097d9a.

[ OSession Events ]
Error - 9/9/2009 6:17:04 PM | Computer Name = MARK-61BBD9EDC5 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 5204
seconds with 2100 seconds of active time. This session ended with a crash.

Error - 10/26/2009 1:32:29 AM | Computer Name = MARK-61BBD9EDC5 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 8560
seconds with 120 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 5/4/2010 5:10:44 PM | Computer Name = MARK-61BBD9EDC5 | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 5/4/2010 5:10:44 PM | Computer Name = MARK-61BBD9EDC5 | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 5/4/2010 5:10:44 PM | Computer Name = MARK-61BBD9EDC5 | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 5/4/2010 5:10:44 PM | Computer Name = MARK-61BBD9EDC5 | Source = Service Control Manager | ID = 7001
Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 5/4/2010 5:10:44 PM | Computer Name = MARK-61BBD9EDC5 | Source = Service Control Manager | ID = 7001
Description = The Bonjour Service service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 5/4/2010 5:10:44 PM | Computer Name = MARK-61BBD9EDC5 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 5/4/2010 5:10:44 PM | Computer Name = MARK-61BBD9EDC5 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD AvgLdx86 AvgMfx86 AvgTdiX BANTExt Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss
sptd
Tcpip

Error - 5/4/2010 5:11:31 PM | Computer Name = MARK-61BBD9EDC5 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/4/2010 5:12:36 PM | Computer Name = MARK-61BBD9EDC5 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 5/4/2010 5:35:30 PM | Computer Name = MARK-61BBD9EDC5 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}


< End of report >


#8 sundavis (Malware Response Team)

Posted 05 May 2010 - 02:04 AM

Hi Itlan,

Go into the Control Panel (Classic View) and double-click the Java icon (it looks like a coffee cup). On the Update tab, click the Update Now button. When done, press Apply and then OK. Then clear your Java cache as instructed in this thread.


Step1
  1. Please go to Virus Total for scanning 1 suspicious file.
  2. Copy/paste the file path below into the text box next to the Browse button at the top of the page:
    CODE
    D:\WINDOWS\system32\routhare.dll
  3. Click the Send File button and copy the "Scanner results", or the direct link, into your next reply.

Step2
  1. Please start OTL on your desktop.
  2. Under the Custom Scans/Fixes box at the bottom, copy/paste the following contents of the code box.
    CODE
    :OTL
    DRV - [2010/04/30 12:09:57 | 000,003,584 | ---- | M] () [Kernel | On_Demand | Running] -- D:\WINDOWS\Temp\drv1.tmp -- (NTProcDrv)
    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]
  3. Click the Run Fix button at the top.
  4. Click OK and let it run unhindered.
  5. OTL will ask to reboot the machine. Please OK the prompt.
  6. A report will open. Copy and paste that report in your next reply.

Step3
  1. If you already have Combofix, please delete that copy and download it again, as it's being updated regularly.
  2. Please visit this webpage for download links and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  3. Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  4. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  5. Click Yes to allow Combofix to continue scanning for malware.
  6. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  7. Do not mouse click on Combofix while it is running. That may cause it to stall.


In your next reply, please post back:

1. OTL log
2. ComboFix log

Tell me if you have any remaining issues on your pc.

#9 Itlan (Topic Starter)

Posted 05 May 2010 - 12:34 PM

http://www.virustotal.com/reanalisis.html?...343d-1273080791

Running OTL now.

UPDATE: OTL scan finished, here's the report.
All processes killed
========== OTL ==========
Service NTProcDrv stopped successfully!
Service NTProcDrv deleted successfully!
D:\WINDOWS\Temp\drv1.tmp moved successfully.
========== COMMANDS ==========
D:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Mark Andrew
->Temp folder emptied: 1593404 bytes
->Temporary Internet Files folder emptied: 49152 bytes
->Java cache emptied: 1 bytes
->FireFox cache emptied: 2747164 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 725555 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 17747540 bytes
%systemroot%\System32 .tmp files removed: 1162769 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 60004 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23937950 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 347455 bytes

Total Files Cleaned = 46.00 mb


OTL by OldTimer - Version 3.2.4.1 log created on 05052010_133505

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Downloading Combofix now.

EDIT: Ran Combofix, had some problems. I agreed to the EULA, but it stated I didn't. Combofix continued running anyway, however, and I attached the log. Running OTL one more time for an updated log of that as well.

EDIT: All finished. I'll let you know if any problems persist.

Attached Files: log.txt (19.07KB), OTL.Txt (84.3KB)

Edited by Itlan, 05 May 2010 - 01:19 PM.


#10 sundavis (Malware Response Team)

Posted 05 May 2010 - 06:55 PM

Hi Itlan,

Step1
  1. Please start OTL on your desktop.
  2. Under the Custom Scans/Fixes box at the bottom, copy/paste the following contents of the code box.
    CODE
    :OTL
    MOD - [2010/04/16 17:49:28 | 000,042,496 | -H-- | M] () -- D:\WINDOWS\system32\routhare.dll
    O20 - Winlogon\Notify\avgrsstarter: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
    O36 - AppCertDlls: contsink - (D:\WINDOWS\system32\routhare.dll) - D:\WINDOWS\system32\routhare.dll ()
    @Alternate Data Stream - 117 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:63238B95
    :Commands
    [emptytemp]
    [Reboot]
  3. Click the Run Fix button at the top.
  4. Click OK and let it run unhindered.
  5. OTL will ask to reboot the machine. Please OK the prompt.
  6. A report will open. Copy and paste that report in your next reply.


In your next reply, please post back:

1. OTL log

Let me know how things are. Good luck!
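As an added example, not code from this thread or from OTL's author: a small Python triage script that parses OTL DRV/MOD/O20/O36 lines like those in the two fix scripts above and flags the patterns the helper singled out (a kernel driver loading from a Temp folder, a hidden system32 module with no company name, an AppCertDlls entry, and a Winlogon Notify hook whose DLL is missing). The sample lines are constructed from the entries quoted in this thread plus one made-up benign driver entry; the regexes are my own reading of the log format, not OTL's parser.

```python
import re

# Constructed sample OTL lines for this added example: the first four are modelled on
# entries quoted in the fix scripts above; the last is a made-up benign driver entry.
SAMPLE_OTL_LINES = [
    r"DRV - [2010/04/30 12:09:57 | 000,003,584 | ---- | M] () [Kernel | On_Demand | Running] -- D:\WINDOWS\Temp\drv1.tmp -- (NTProcDrv)",
    r"MOD - [2010/04/16 17:49:28 | 000,042,496 | -H-- | M] () -- D:\WINDOWS\system32\routhare.dll",
    r"O20 - Winlogon\Notify\avgrsstarter: DllName - Reg Error: Value error. - Reg Error: Value error. File not found",
    r"O36 - AppCertDlls: contsink - (D:\WINDOWS\system32\routhare.dll) - D:\WINDOWS\system32\routhare.dll ()",
    r"DRV - [2008/04/13 19:20:00 | 000,138,496 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\afd.sys -- (AFD)",
]

# DRV/MOD lines: [date | size | attrs | M] (company) [optional state] -- path [-- (service)]
FILE_RE = re.compile(
    r"^(?P<kind>DRV|MOD) - \[(?P<meta>[^\]]*)\] \((?P<company>[^)]*)\)"
    r"(?: \[[^\]]*\])? -- (?P<path>.*?)(?: -- \([^)]*\))?$"
)
APPCERT_RE = re.compile(r"^O36 - AppCertDlls: (?P<name>\S+) - \((?P<path>[^)]*)\)")
NOTIFY_RE = re.compile(r"^O20 - Winlogon\\Notify\\(?P<name>[^:]+): DllName - (?P<detail>.*)$")

def triage_otl(lines):
    """Return (kind, subject, reason) tuples for OTL lines that deserve a closer look."""
    findings = []
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            attrs = m.group("meta").split("|")[2].strip()   # e.g. "-H--" means hidden
            path, company = m.group("path"), m.group("company").strip()
            if m.group("kind") == "DRV" and "\\temp\\" in path.lower():
                # A kernel driver running out of a Temp folder is almost never legitimate.
                findings.append(("DRV", path, "kernel driver loaded from a Temp directory"))
            elif "H" in attrs and not company and "\\system32\\" in path.lower():
                # Hidden attribute plus no company name on a system32 module is a common tell.
                findings.append(("MOD", path, "hidden module with no company name in system32"))
            continue
        m = APPCERT_RE.match(line)
        if m:
            # AppCertDlls load into every process started via CreateProcess; a clean XP box has none.
            findings.append(("O36", m.group("path"), "AppCertDlls entry '%s'" % m.group("name")))
            continue
        m = NOTIFY_RE.match(line)
        if m and "file not found" in m.group("detail").lower():
            # A Winlogon Notify package whose DLL is gone is an orphaned hook worth cleaning up.
            findings.append(("O20", m.group("name"), "Winlogon Notify DLL missing"))
    return findings

if __name__ == "__main__":
    for kind, subject, reason in triage_otl(SAMPLE_OTL_LINES):
        print("[%s] %s: %s" % (kind, subject, reason))
```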

#11 Itlan (Topic Starter)

Posted 06 May 2010 - 12:44 PM

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\\contsink:D:\WINDOWS\system32\routhare.dll deleted successfully.
D:\WINDOWS\system32\routhare.dll moved successfully.
ADS D:\Documents and Settings\All Users\Application Data\TEMP:63238B95 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Mark Andrew
->Temp folder emptied: 427921987 bytes
->Temporary Internet Files folder emptied: 49152 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3204930 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 38761425 bytes

Total Files Cleaned = 448.00 mb


OTL by OldTimer - Version 3.2.4.1 log created on 05062010_133840

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


I think I'm having registry issues. My AVG isn't working correctly; I reinstalled it, but it's still not working how it used to. And I attempted to add/remove a program, and the list was blank. This also happens with things like Windows Media Player, where everything will be blank. I close it out, restart it, and it appears, but that didn't work for Add/Remove Programs. Any idea?

Attached Files: OTL.Txt (84.3KB)


#12 sundavis (Malware Response Team)

Posted 06 May 2010 - 07:51 PM

Hi Itlan,

If IE was not working properly, the control panel applet for Add and Remove Programs would not work. Download this utility to fix your IE.

Click Start > Run > Type regsvr32 appwiz.cpl and click OK. Click OK on the dialog box that appears. Restart your pc.

Make sure to run AVG Remover after uninstalling AVG via Add/Remove Programs if you desire to reinstall AVG. Refer to This Page if you need guidance.

BTW, the OTL log you attached is an old log. Let me know how things went.

#13 Itlan (Topic Starter)

Posted 07 May 2010 - 11:26 AM

AVG Remover worked beautifully.

IE Fixer not so much; Add/Remove is still blank.

Uploaded OTL.

Things seem to be working better, thank you.

Attached Files: OTL.Txt (66.72KB)


#14 sundavis (Malware Response Team)

Posted 07 May 2010 - 01:29 PM

Hi Itlan,

Is your Add/Remove Programs the same as this picture? If yes, please refer to this thread for your reference. Otherwise, you may need the XP Home Edition Service Pack 3 installation disc to do a repair install.

Let's do the final check with Kas Online Scanner. It will take some time to run the full course. Please be patient and do the following:


Step1

  1. Please download TFC to your desktop
  2. Save any unsaved work. TFC will close all open application windows.
  3. Double-click TFC.exe to run the program.
  4. If prompted, click Yes to reboot.


Step2

Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  1. Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  2. Click the Accept button on the "Requirements and limitations".
  3. When the Java warning "The application's digital signature has been verified. Do you want to run the application?" appears, click the "Run" button.
  4. It will download and install the program and update the database.
  5. When updating the database has finished, click on Settings.
  6. Make sure all boxes are checked, then click on the Save button.
  7. Click on My Computer under the Scan menu. It will start scanning, so be patient and let it run.
  8. Once the scan is completed, click on View Scan Report.
  9. You may see a list of infected items there. Click on Save Report As.
  10. Click "Desktop", name the file "KAS", change the Files of type to Text file (.txt) and click the Save button.
  11. Please post the contents in your next reply.
  12. You can refer to this animation.

Note for Internet Explorer 8 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

In your next reply, please post back:

1. Kas Online Scanner Report.

Let me know how things went.

#15 Itlan (Topic Starter)

Posted 08 May 2010 - 10:57 AM

Still having some problems, but they're not as common. Pages sometimes stop loading and I need to restart Firefox, etc.

Attached Files: KAS.txt (940 bytes)