
Infected with gaopdxserv.sys and others - Rootkits


  • This topic is locked
21 replies to this topic

#1 mcdonn123

mcdonn123

  • Members
  • 23 posts
  • Gender:Male
  • Local time:04:25 PM

Posted 02 August 2010 - 11:09 AM

I can't update any anti-virus nor Windows. When I use gmer.exe, it will scan for about an hour or so and before it can finish I will get a bluescreen. gmer.exe also seems to slow down my computer drastically to the point where it might freeze if something like Firefox is open (this happens even when gmer.exe is not scanning and is idle). After the bluescreen caused by gmer.exe occurred and the computer rebooted, dds.scr and defogger.exe stopped working for no apparent reason. When using Hijack_This.exe, the program starts but when I scanned I got this error after about 50 entries:
Run-time error '28':
Out of stack space

Also, according to Windows Task Manager, my CPU is at 100% but my computer isn't very slow. The processes taking up the most CPU are:
GoogleToolbarNotifier.exe 50-75 CPU
avgdumpx.exe 45-50 (it disappears and reappears often)

Also, when I try to save a .txt file with notepad.exe, it stops working. This probably happens with other programs, I just haven't opened other programs yet.

This is what I suspect to be the main problem:
Type: Service
Name: system32\drivers\gaopdxnhmgvpliqiepqsiwvcxxbyiageyvrtop.sys (*** hidden ***)
Value: [SYSTEM] gaopdxserv.sys


Here is the DDS.txt file from before the bluescreen:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Circuit City at 9:15:29.76 on Sun 08/01/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.1873 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Internet Security *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\Dwm.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TightVNC\tvnserver.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Windows\system32\WebUpdateSvc4.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\TightVNC\tvnserver.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Windows\System32\alg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Circuit City\Downloads\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AC-Pro: {0fb6a909-6086-458f-bd92-1f8ee10042a0} - c:\program files\autocompletepro\AutocompletePro.dll
BHO: TBSB08970 Class: {10abdd5a-e10e-4af2-95ba-fcb47c7c90a7} - c:\progra~1\powers~1\POWERS~1.DLL
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: Search Assistant: {1648e328-3e5a-4ea5-a9c6-e5f09ee272da} - c:\windows\system32\dcads_sidebar.dll
BHO: D: {7986bacf-f27a-307f-9374-c6b7eadb9058} - c:\windows\system32\xwr60069.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: SE Sidebar: {315108e4-e3af-460f-b264-f2acc9e1aceb} - c:\windows\system32\dcads_sidebar.dll
EB: mysidesearch browser optimizer: {38cc6eb4-3633-9c3c-8a30-20eb3483cb14} - c:\windows\system32\{119b2691-fb22-d0b6-8ec9-243272c64589}.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [notepad] rundll32.exe c:\users\circui~1\ntload.dll,_IWMPEvents@0
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [<NO NAME>]
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [notepad] rundll32.exe c:\windows\system32\notepad.dll,_IWMPEvents@0
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [tvncontrol] "c:\program files\tightvnc\tvnserver.exe" -controlservice -slave
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: SoftwareSASGeneration = 1 (0x1)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\circuit city\appdata\roaming\microsoft\windows\start menu\programs\imvu\Run IMVU.lnk
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
Trusted Zone: adobe.com\www
Trusted Zone: bitzi.com
Trusted Zone: kongregate.com\www
Trusted Zone: roblox.com\www
Trusted Zone: travian.com\s2
Trusted Zone: tribalwars.net\en23
Trusted Zone: youtube.com\www
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TCP: NameServer = 85.255.112.25,85.255.112.165
TCP: {150B3CEB-DFED-42CE-A220-114CBE1A05B7} = 85.255.112.25,85.255.112.165
TCP: {4129B5DC-99F9-495A-8760-E0646DEAD679} = 85.255.112.25,85.255.112.165
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
IFEO: ctfmon.exe - c:\windows\system32\ctfmon_qj.exe
IFEO: iexplore.exe -

================= FIREFOX ===================

FF - ProfilePath - c:\users\circui~1\appdata\roaming\mozilla\firefox\profiles\i0crukjk.default\
FF - component: c:\users\circuit city\appdata\roaming\mozilla\firefox\profiles\i0crukjk.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-9-8 12552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-4-25 130936]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2008-10-24 23832]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-8 325128]
R1 AvgMfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2007-12-11 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-24 107272]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-9 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-9 298264]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-1-9 1339600]
R2 tvnserver;TightVNC Server;c:\program files\tightvnc\tvnserver.exe [2010-7-8 815704]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2010-7-30 1590216]
R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [2009-1-8 262360]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2009-11-5 28672]
R3 rt61x86;Linksys Wireless-G PCI Adapter Driver;c:\windows\system32\drivers\WMP54Gv41x86.sys [2007-3-12 286208]
S2 gupdate;Google Update Service;c:\program files\google\update\GoogleUpdate.exe [2008-7-17 133104]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2006-3-10 39424]

=============== Created Last 30 ================

2010-08-01 14:09:15 20 ----a-w- c:\users\circuit city\defogger_reenable
2010-08-01 05:03:44 358010238 ----a-w- c:\windows\MEMORY.DMP
2010-07-30 23:01:10 0 d-----w- c:\programdata\ALM
2010-07-30 22:48:33 0 d-----w- c:\program files\PowerISO
2010-07-30 21:10:39 0 d-----w- c:\users\circui~1\appdata\roaming\UltraVNC
2010-07-30 18:56:31 0 d-----w- c:\program files\UltraVNC
2010-07-28 18:31:07 0 d-----w- c:\program files\MixMeister BPM Analyzer
2010-07-26 16:52:30 0 d-----w- c:\users\circui~1\appdata\roaming\TightVNC
2010-07-26 16:51:38 0 d-----w- c:\program files\TightVNC
2010-07-26 16:38:23 0 d-----w- c:\users\circui~1\appdata\roaming\SmartCode Solutions
2010-07-25 15:40:15 0 d-----w- c:\programdata\OptiTex
2010-07-25 15:33:15 0 d-----w- c:\users\circui~1\appdata\roaming\DAZ 3D
2010-07-25 15:32:50 0 d-----w- c:\program files\common files\DAZ
2010-07-25 15:32:31 0 d-----w- c:\program files\DAZ 3D
2010-07-24 15:26:14 181 ----a-w- c:\windows\w32demo8.ini
2010-07-22 02:25:57 0 d-----w- c:\users\circui~1\appdata\roaming\Secunia CSI
2010-07-22 02:25:54 0 d-----w- c:\program files\Secunia
2010-07-21 16:53:52 0 d-----w- c:\programdata\PMB Files
2010-07-21 16:53:41 0 d-----w- c:\program files\Pando Networks
2010-07-20 19:28:52 0 d-----w- c:\programdata\123VDM
2010-07-20 19:28:52 0 d-----w- C:\123VideoMagic
2010-07-19 22:04:34 0 d-----w- c:\program files\Sonic Foundry
2010-07-19 22:04:34 0 d-----w- c:\program files\Pure Motion
2010-07-19 22:04:23 0 d-----w- c:\program files\DebugMode
2010-07-19 18:20:16 0 d-----w- c:\program files\AKVIS
2010-07-19 15:40:31 10122678 ----a-w- c:\windows\system32\105.skb
2010-07-19 15:25:16 10124688 ----a-w- c:\windows\system32\104.skb
2010-07-18 15:50:58 0 d-----w- c:\users\circui~1\appdata\roaming\Free Mp3 Wma Ogg Converter
2010-07-18 15:50:54 0 d-----w- c:\program files\AutocompletePro
2010-07-15 14:56:01 22 ----a-w- c:\windows\system32\mskthml.skt
2010-07-15 14:56:01 22 ----a-w- c:\windows\mskthml.skt

==================== Find3M ====================

2010-07-31 21:14:11 86016 ----a-w- c:\windows\inf\infstor.dat
2010-07-31 21:14:11 51200 ----a-w- c:\windows\inf\infpub.dat
2010-07-31 21:14:11 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2008-06-11 08:07:53 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-04-20 04:11:41 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-04-15 22:50:08 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-04-15 22:50:08 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-04-15 22:50:08 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-01-19 07:34:36 27136 --sha-w- c:\windows\system32\notepad.dll
2008-01-19 07:34:36 27136 --sha-w- c:\windows\system32\config\systemprofile\ntload.dll
2010-03-04 22:54:38 198656 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\av.exe
2008-03-23 17:47:24 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008032320080324\index.dat
2008-01-19 07:34:36 27136 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\start menu\programs\startup\scandisk.dll
2007-10-30 21:04:20 16384 --sha-w- c:\windows\temp\cookies\index.dat
2007-10-30 21:04:20 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2007-10-30 21:04:20 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 9:17:17.40 ===============
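The Userinit, rundll32 Run entries, IFEO redirects, NameServer addresses and the hidden driver in the report above are the lines a triager pulls out first. The following checker is an added example for this thread, not part of the original post and not the DDS tool's own code; its sample lines are copied from the report, and the DNS allow-list and accessory-name list are assumed placeholders.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: entries taken from the DDS report posted in the thread.
SAMPLE_LINES = [
    r"mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,",
    r"uRun: [notepad] rundll32.exe c:\users\circui~1\ntload.dll,_IWMPEvents@0",
    r"mRun: [notepad] rundll32.exe c:\windows\system32\notepad.dll,_IWMPEvents@0",
    r"mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe",
    r"mPolicies-system: EnableLUA = 0 (0x0)",
    r"TCP: NameServer = 85.255.112.25,85.255.112.165",
    r"TCP: {150B3CEB-DFED-42CE-A220-114CBE1A05B7} = 85.255.112.25,85.255.112.165",
    r"IFEO: ctfmon.exe - c:\windows\system32\ctfmon_qj.exe",
    r"IFEO: iexplore.exe -",
    r"Type: Service",
    r"Name: system32\drivers\gaopdxnhmgvpliqiepqsiwvcxxbyiageyvrtop.sys (*** hidden ***)",
]

# Assumed allow-list: the resolvers the machine's owner actually configured.
EXPECTED_DNS = {"192.168.1.1"}

# Assumed heuristic: Run-key labels that borrow the name of a Windows accessory.
ACCESSORY_NAMES = {"notepad", "scandisk", "calc", "regedit"}

Finding = Tuple[str, str]  # (rule name, offending line)


def check_userinit(line: str) -> List[Finding]:
    """Userinit must be userinit.exe alone; any chained executable is a logon hook."""
    m = re.match(r"mWinlogon:\s*Userinit=(.*)$", line, re.I)
    if not m:
        return []
    exes = [p.strip() for p in m.group(1).split(",") if p.strip()]
    extra = [e for e in exes if not e.lower().endswith(r"\userinit.exe")]
    return [("userinit-extra-exe", line)] if extra else []


def check_rundll32_run(line: str) -> List[Finding]:
    """Run entries loading a DLL via rundll32 from a user profile, or under a
    label borrowed from a Windows accessory, do not look like vendor software."""
    m = re.match(r"[um]Run:\s*\[([^\]]*)\]\s*rundll32\.exe\s+(\S+?),", line, re.I)
    if not m:
        return []
    label, dll = m.group(1).lower(), m.group(2).lower()
    if dll.startswith("c:\\users\\") or label in ACCESSORY_NAMES:
        return [("rundll32-suspicious-run-entry", line)]
    return []


def check_ifeo(line: str) -> List[Finding]:
    """Any Image File Execution Options entry redirects or blocks a program."""
    return [("ifeo-redirect", line)] if line.upper().startswith("IFEO:") else []


def check_dns(line: str) -> List[Finding]:
    """Flag resolvers (global or per-interface GUID) outside the allow-list."""
    m = re.match(r"TCP:\s*(?:NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(.+)$", line)
    if not m:
        return []
    servers = [s.strip() for s in m.group(1).split(",") if s.strip()]
    unexpected = [s for s in servers if s not in EXPECTED_DNS]
    return [("dns-unexpected-server", line)] if unexpected else []


def check_hidden(line: str) -> List[Finding]:
    """DDS marks services/drivers that normal API enumeration cannot see as hidden."""
    return [("hidden-service", line)] if "*** hidden ***" in line else []


def check_uac(line: str) -> List[Finding]:
    """EnableLUA = 0 means UAC is switched off."""
    m = re.match(r"mPolicies-system:\s*EnableLUA\s*=\s*0\b", line, re.I)
    return [("uac-disabled", line)] if m else []


CHECKS = [check_userinit, check_rundll32_run, check_ifeo, check_dns,
          check_hidden, check_uac]


def triage(lines: List[str]) -> List[Finding]:
    """Run every check over every line; each check yields at most one finding per line."""
    findings: List[Finding] = []
    for line in lines:
        for check in CHECKS:
            findings.extend(check(line.strip()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule for a quick overview of a long report."""
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    for rule, offending in triage(SAMPLE_LINES):
        print(f"[{rule}] {offending}")
    print(summarize(triage(SAMPLE_LINES)))
```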




#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home
  • Local time:11:25 PM

Posted 09 August 2010 - 04:54 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 mcdonn123

mcdonn123
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male
  • Local time:04:25 PM

Posted 13 August 2010 - 03:45 PM

Now I can save files on notepad.exe and other programs. Started working after I restarted my computer.

When I scanned with OTL, I got an error message:

Windows - No Disk
Exception Processing Message 0xc0000013 Parameters 0x757392A0 0x00000004 0x757392A0 0x75739A0
Cancel Try Again Continue

Try Again didn't work so I continued, which also didn't work. However the scan eventually continued.

OTL.txt:
OTL logfile created on: 8/13/2010 3:23:58 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\Circuit City\Downloads
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 56.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 363.82 Gb Total Space | 205.20 Gb Free Space | 56.40% Space Free | Partition Type: NTFS
Drive D: | 8.79 Gb Total Space | 1.01 Gb Free Space | 11.48% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive L: | 3.73 Gb Total Space | 0.10 Gb Free Space | 2.75% Space Free | Partition Type: FAT32

Computer Name: LOGANS
Current User Name: Circuit City
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/13 15:22:57 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Circuit City\Downloads\OTL.exe
PRC - [2010/07/30 17:44:10 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/07/30 17:44:09 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/07/21 11:53:43 | 002,937,528 | ---- | M] () -- C:\Program Files\Pando Networks\Media Booster\PMB.exe
PRC - [2010/06/15 11:09:58 | 000,134,808 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
PRC - [2010/06/05 16:59:10 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2010/05/17 21:26:53 | 000,322,352 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe
PRC - [2009/01/15 10:07:42 | 000,592,128 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/01/15 10:07:40 | 001,339,600 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgfws8.exe
PRC - [2009/01/09 10:01:36 | 000,687,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/01/09 10:01:36 | 000,484,120 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/01/09 10:01:34 | 000,832,280 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgam.exe
PRC - [2009/01/09 10:01:32 | 000,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/01/09 10:01:28 | 000,903,960 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/01/09 10:01:21 | 001,601,304 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/10/14 21:38:56 | 000,623,992 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
PRC - [2007/10/30 16:04:19 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2007/03/12 18:30:14 | 000,517,768 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
PRC - [2006/09/28 08:42:24 | 000,065,536 | ---- | M] (Hewlett-Packard Company) -- C:\hp\support\hpsysdrv.exe


========== Modules (SafeList) ==========

MOD - [2010/08/13 15:22:57 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Circuit City\Downloads\OTL.exe
MOD - [2008/01/19 02:34:36 | 000,027,136 | -HS- | M] (Microsoft) -- C:\Windows\System32\notepad.dll
MOD - [2008/01/19 02:33:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2008/01/19 02:26:34 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
MOD - [2006/11/02 03:33:13 | 000,003,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\lz32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- c:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - File not found [Auto | Stopped] -- c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (LiveUpdate Notice Ex)
SRV - [2010/06/05 16:59:10 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/01/15 10:07:40 | 001,339,600 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgfws8.exe -- (avgfws8)
SRV - [2009/01/09 10:01:32 | 000,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/01/09 10:01:28 | 000,903,960 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2008/01/19 02:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/19 02:36:55 | 000,376,832 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- winhttp.dll -- (WinHttpAutoProxySvc)
SRV - [2007/03/12 18:30:14 | 000,517,768 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -- (LiveUpdate Notice Service)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Auto | Stopped] -- C:\Windows\System32\DRIVERS\xaudio.sys -- (XAudio)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\HSX_CNXT.sys -- (winachsf)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | Auto | Stopped] -- C:\Windows\System32\DRIVERS\mdmxsdk.sys -- (mdmxsdk)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\HSXHWBS2.sys -- (HSXHWBS2)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\HSX_DP.sys -- (HSF_DP)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\EagleNT.sys -- (EagleNT)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2010/04/09 16:21:28 | 000,004,608 | ---- | M] (RealVNC Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vncmirror.sys -- (vncmirror)
DRV - [2009/01/27 21:05:21 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/01/15 10:07:42 | 000,325,128 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/01/09 10:01:36 | 000,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/01/09 10:01:34 | 000,012,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\Drivers\avgrkx86.sys -- (AvgRkx86)
DRV - [2009/01/09 10:01:26 | 000,107,272 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2009/01/09 10:01:26 | 000,023,832 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgfwd6x.sys -- (Avgfwfd)
DRV - [2008/05/22 21:49:00 | 007,465,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/01/19 00:53:39 | 000,007,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\umpass.sys -- (UMPass)
DRV - [2008/01/15 19:19:04 | 002,047,576 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/01/05 19:51:47 | 000,008,413 | ---- | M] (RealNetworks, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\mcstrm.sys -- (MCSTRM)
DRV - [2007/10/26 19:51:24 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2007/06/29 15:47:34 | 000,034,304 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AmdLLD.sys -- (AmdLLD)
DRV - [2007/05/04 02:29:10 | 001,065,384 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2007/03/20 12:33:26 | 000,028,672 | ---- | M] (http://libusb-win32.sourceforge.net) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\libusb0.sys -- (libusb0)
DRV - [2007/03/12 10:00:00 | 000,286,208 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\WMP54Gv41x86.sys -- (rt61x86)
DRV - [2006/11/02 04:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 04:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 04:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 04:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 04:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 04:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 04:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 04:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 04:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 04:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 04:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 04:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 04:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 04:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 04:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 04:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 04:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 04:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 04:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 04:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 04:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 04:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 04:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 04:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 04:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 04:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 04:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 04:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 04:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 04:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 04:49:30 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2006/11/02 04:49:28 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2006/11/02 04:49:20 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/02 03:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 03:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 03:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 03:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 03:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 03:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 02:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 02:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2006/03/10 16:55:18 | 000,039,424 | ---- | M] (National Instruments Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\fantom.sys -- (FANTOM)
DRV - [2005/12/12 12:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PS2.sys -- (Ps2)
DRV - [2005/10/27 02:06:30 | 000,356,096 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rt61.sys -- (RT61) Linksys Wireless-G PCI Adapter Driver(RT61)
DRV - [2004/06/26 13:22:00 | 000,004,736 | ---- | M] (RDV Soft) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vncdrv.sys -- (vncdrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.7
FF - prefs.js..extensions.enabledItems: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}:3.5
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5.3
FF - prefs.js..extensions.enabledItems: {53A03D43-5363-4669-8190-99061B2DEBA5}:1.3.7
FF - prefs.js..extensions.enabledItems: {02450954-cdd9-410f-b1da-db804e18c671}:0.96.3
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.64

FF - HKLM\software\mozilla\Firefox\Extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\Program Files\Google\Google Gears\Firefox\ [2010/03/05 20:56:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\support@predictad.com: C:\Program Files\AutocompletePro\support@predictad.com [2010/07/18 10:50:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/30 17:44:11 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/30 17:44:11 | 000,000,000 | ---D | M]

[2009/06/18 17:50:52 | 000,000,000 | ---D | M] -- C:\Users\Circuit City\AppData\Roaming\mozilla\Extensions
[2009/03/18 22:44:18 | 000,000,000 | ---D | M] -- C:\Users\Circuit City\AppData\Roaming\mozilla\Extensions\mozswing@mozswing.org
[2010/08/07 10:09:41 | 000,000,000 | ---D | M] -- C:\Users\Circuit City\AppData\Roaming\mozilla\Firefox\Profiles\i0crukjk.default\extensions
[2010/03/27 13:28:26 | 000,000,000 | ---D | M] (Screengrab) -- C:\Users\Circuit City\AppData\Roaming\mozilla\Firefox\Profiles\i0crukjk.default\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
[2010/07/28 19:29:22 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Users\Circuit City\AppData\Roaming\mozilla\Firefox\Profiles\i0crukjk.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/03/27 13:28:26 | 000,000,000 | ---D | M] (ScrapBook) -- C:\Users\Circuit City\AppData\Roaming\mozilla\Firefox\Profiles\i0crukjk.default\extensions\{53A03D43-5363-4669-8190-99061B2DEBA5}
[2010/03/27 13:28:20 | 000,000,000 | ---D | M] (History Submenus) -- C:\Users\Circuit City\AppData\Roaming\mozilla\Firefox\Profiles\i0crukjk.default\extensions\{7102aba3-045c-4ec2-b921-46d87636d84b}
[2010/04/25 21:09:34 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Circuit City\AppData\Roaming\mozilla\Firefox\Profiles\i0crukjk.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2010/02/19 19:12:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Circuit City\AppData\Roaming\mozilla\Firefox\Profiles\i0crukjk.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}(155)
[2010/07/28 19:29:23 | 000,000,000 | ---D | M] (Easy Youtube Video Downloader) -- C:\Users\Circuit City\AppData\Roaming\mozilla\Firefox\Profiles\i0crukjk.default\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
[2010/07/14 16:15:58 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Circuit City\AppData\Roaming\mozilla\Firefox\Profiles\i0crukjk.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/07/14 16:16:02 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Users\Circuit City\AppData\Roaming\mozilla\Firefox\Profiles\i0crukjk.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2010/02/19 19:12:18 | 000,000,000 | ---D | M] (SearchPreview) -- C:\Users\Circuit City\AppData\Roaming\mozilla\Firefox\Profiles\i0crukjk.default\extensions\{EF522540-89F5-46b9-B6FE-1829E2B572C6}(156)
[2010/07/28 19:29:28 | 000,000,000 | ---D | M] -- C:\Users\Circuit City\AppData\Roaming\mozilla\Firefox\Profiles\i0crukjk.default\extensions\FirefoxAddon@similarWeb.com
[2010/03/04 16:56:54 | 000,000,000 | ---D | M] -- C:\Users\Circuit City\AppData\Roaming\mozilla\Firefox\Profiles\i0crukjk.default\extensions\foxmarks@kei(154).com
[2010/07/14 16:16:01 | 000,000,000 | ---D | M] -- C:\Users\Circuit City\AppData\Roaming\mozilla\Firefox\Profiles\i0crukjk.default\extensions\foxmarks@kei.com
[2010/04/16 16:44:23 | 000,000,000 | ---D | M] -- C:\Users\Circuit City\AppData\Roaming\mozilla\Firefox\Profiles\i0crukjk.default\extensions\personas@christopher.beard
[2010/06/12 11:05:01 | 000,000,000 | ---D | M] -- C:\Users\Circuit City\AppData\Roaming\mozilla\Firefox\Profiles\i0crukjk.default\extensions\smarterwiki@wikiatic.com
[2010/07/14 16:16:02 | 000,000,000 | ---D | M] -- C:\Users\Circuit City\AppData\Roaming\mozilla\Firefox\Profiles\i0crukjk.default\extensions\tineye@ideeinc.com
[2009/11/15 16:04:05 | 000,000,000 | ---D | M] -- C:\Users\Circuit City\AppData\Roaming\mozilla\Firefox\Profiles\i0crukjk.default\extensions\yyginstantplay@yoyogames.com
[2010/08/07 10:09:41 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/21 11:53:43 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll

O1 HOSTS File: ([2006/09/18 16:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AC-Pro) - {0FB6A909-6086-458F-BD92-1F8EE10042A0} - C:\Program Files\AutocompletePro\AutocompletePro.dll (SimplyGen)
O2 - BHO: (TBSB08970 Class) - {10ABDD5A-E10E-4AF2-95BA-FCB47C7C90A7} - C:\PROGRA~1\POWERS~1\POWERS~1.DLL File not found
O2 - BHO: (StumbleUpon Launcher) - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll (stumbleupon.com)
O2 - BHO: (Search Assistant) - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\Windows\System32\dcads_sidebar.dll File not found
O2 - BHO: (D) - {7986BACF-F27A-307F-9374-C6B7EADB9058} - C:\Windows\System32\xwr60069.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O2 - BHO: (Google Gears Helper) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (StumbleUpon Toolbar) - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll (stumbleupon.com)
O3 - HKLM\..\Toolbar: (ALOT Toolbar) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll File not found
O3 - HKLM\..\Toolbar: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\..\Toolbar\WebBrowser: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe (AMD)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [KBD] C:\hp\KBD\KbdStub.exe ()
O4 - HKLM..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe File not found
O4 - HKLM..\Run: [notepad] C:\Windows\System32\notepad.DLL (Microsoft)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000..\Run: [notepad] C:\Users\Logan\ntload.dll File not found
O4 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
O4 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\Launcher.exe (soft thinks)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SoftwareSASGeneration = 1
O8 - Extra context menu item: &Download by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll (Google Inc.)
O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\Circuit City\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\..Trusted Domains: adobe.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\..Trusted Domains: bitzi.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\..Trusted Domains: kongregate.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\..Trusted Domains: roblox.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\..Trusted Domains: travian.com ([s2] http in Trusted sites)
O15 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\..Trusted Domains: tribalwars.net ([en23] http in Trusted sites)
O15 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\..Trusted Domains: youtube.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.25,85.255.112.165
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\sdra64.exe) - C:\Windows\System32\sdra64.exe File not found
O24 - Desktop WallPaper: C:\Users\Circuit City\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Circuit City\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O27 - HKLM IFEO\ctfmon.exe: Debugger - C:\Windows\system32\ctfmon_qj.exe ()
O27 - HKLM IFEO\iexplore.exe: Debugger - File not found
O29 - HKLM SecurityProviders - (credssp.dll) - credssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/25 14:12:32 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/03/16 00:10:20 | 000,000,415 | RHS- | M] () - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009/03/16 00:10:20 | 000,000,408 | RHS- | M] () - D:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{35df78d3-0e8f-11dd-ac18-001bb952568d}\Shell - "" = AutoRun
O33 - MountPoints2\{35df78d3-0e8f-11dd-ac18-001bb952568d}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- File not found
O33 - MountPoints2\{6dc58c4a-41ff-11dc-a399-001bb952568d}\Shell - "" = AutoRun
O33 - MountPoints2\{6dc58c4a-41ff-11dc-a399-001bb952568d}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- File not found
O33 - MountPoints2\{857125d0-2e0f-11de-a6a4-001bb952568d}\Shell - "" = AutoRun
O33 - MountPoints2\{857125d0-2e0f-11de-a6a4-001bb952568d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\K\Shell - "" = AutoRun
O33 - MountPoints2\K\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- File not found
O33 - MountPoints2\L\Shell - "" = AutoRun
O33 - MountPoints2\L\Shell\AutoRun\command - "" = L:\dvdcheck.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - State: "startup" - 2

SafeBootMin: AppMgmt - Service
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: NTDS - File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\System32\Microsoft
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 11.0.3
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 11.0.3
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - C:\Windows\System32\Microsoft
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Reg Error: Value error.
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

Drivers32: aux - wdmaud.drv (Microsoft Corporation)
Drivers32: midi - wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - midimap.dll (Microsoft Corporation)
Drivers32: mixer - wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.avis - ff_acm.acm ()
Drivers32: msacm.imaadpcm - imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.msadpcm - msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - msg711.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - msgsm32.acm (Microsoft Corporation)
Drivers32: vidc.cvid - iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - DivX.dll (DivX, Inc.)
Drivers32: VIDC.FFDS - ff_vfw.dll ()
Drivers32: vidc.iyuv - iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.mrle - msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.tscc - tsccvid.dll (TechSmith Corporation)
Drivers32: vidc.uyvy - msyuv.dll (Microsoft Corporation)
Drivers32: vidc.VP60 - C:\Windows\System32\vp6vfw.dll (On2.com)
Drivers32: vidc.VP61 - C:\Windows\System32\vp6vfw.dll (On2.com)
Drivers32: vidc.yuy2 - msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yv12 - DivX.dll (DivX, Inc.)
Drivers32: vidc.yvu9 - tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - msyuv.dll (Microsoft Corporation)
Drivers32: wave - wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - msacm32.drv (Microsoft Corporation)

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/08/08 18:03:27 | 000,000,000 | ---D | C] -- C:\Users\Circuit City\Documents\Red Kawa
[2010/08/08 18:03:27 | 000,000,000 | ---D | C] -- C:\Users\Circuit City\AppData\Roaming\Red Kawa
[2010/08/08 17:46:57 | 000,000,000 | ---D | C] -- C:\Users\Circuit City\AppData\Roaming\Regensoft
[2010/08/07 09:31:46 | 000,000,000 | ---D | C] -- C:\Users\Circuit City\AppData\Local\Geckofx
[2010/08/07 09:31:25 | 000,000,000 | ---D | C] -- C:\Users\Circuit City\Documents\Regensoft
[2010/08/06 08:23:45 | 000,000,000 | ---D | C] -- C:\Users\Circuit City\Documents\Version Cue
[2010/08/05 08:59:52 | 000,000,000 | ---D | C] -- C:\Program Files\War Rock
[2010/08/04 09:42:51 | 000,000,000 | ---D | C] -- C:\Program Files\Optimize
[2010/08/03 13:52:34 | 000,000,000 | ---D | C] -- C:\Users\Circuit City\Documents\The KMPlayer
[2010/07/30 18:01:10 | 000,000,000 | ---D | C] -- C:\ProgramData\ALM
[2010/07/30 16:10:39 | 000,000,000 | ---D | C] -- C:\Users\Circuit City\AppData\Roaming\UltraVNC
[2010/07/30 13:56:31 | 000,000,000 | ---D | C] -- C:\Program Files\UltraVNC
[2010/07/28 13:31:07 | 000,000,000 | ---D | C] -- C:\Program Files\MixMeister BPM Analyzer
[2010/07/26 11:52:30 | 000,000,000 | ---D | C] -- C:\Users\Circuit City\AppData\Roaming\TightVNC
[2010/07/26 11:51:38 | 000,000,000 | ---D | C] -- C:\Program Files\TightVNC
[2010/07/26 11:38:26 | 000,000,000 | ---D | C] -- C:\Users\Circuit City\AppData\Local\IsolatedStorage
[2010/07/26 11:38:23 | 000,000,000 | ---D | C] -- C:\Users\Circuit City\AppData\Roaming\SmartCode Solutions
[2010/07/25 10:40:15 | 000,000,000 | ---D | C] -- C:\ProgramData\OptiTex
[2010/07/25 10:33:15 | 000,000,000 | ---D | C] -- C:\Users\Circuit City\AppData\Roaming\DAZ 3D
[2010/07/21 21:25:57 | 000,000,000 | ---D | C] -- C:\Users\Circuit City\AppData\Roaming\Secunia CSI
[2010/07/21 21:25:54 | 000,000,000 | ---D | C] -- C:\Program Files\Secunia
[2010/07/21 11:54:43 | 000,000,000 | ---D | C] -- C:\Users\Circuit City\AppData\Local\GamersFirst LIVE!
[2010/07/21 11:53:54 | 000,000,000 | ---D | C] -- C:\Users\Circuit City\AppData\Local\PMB Files
[2010/07/21 11:53:52 | 000,000,000 | ---D | C] -- C:\ProgramData\PMB Files
[2010/07/21 11:53:41 | 000,000,000 | ---D | C] -- C:\Program Files\Pando Networks
[2010/07/20 14:28:52 | 000,000,000 | ---D | C] -- C:\ProgramData\123VDM
[2010/07/19 17:04:34 | 000,000,000 | ---D | C] -- C:\Program Files\Sonic Foundry
[2010/07/19 17:04:23 | 000,000,000 | ---D | C] -- C:\Program Files\DebugMode
[2010/07/19 13:20:16 | 000,000,000 | ---D | C] -- C:\Program Files\AKVIS
[2010/07/18 10:50:58 | 000,000,000 | ---D | C] -- C:\Users\Circuit City\AppData\Roaming\Free Mp3 Wma Ogg Converter
[2010/07/18 10:50:54 | 000,000,000 | ---D | C] -- C:\Program Files\AutocompletePro
[2009/06/08 07:37:39 | 000,049,152 | ---- | C] ( ) -- C:\Windows\System32\csnphv71.dll
[5 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/13 15:29:12 | 008,126,464 | -HS- | M] () -- C:\Users\Circuit City\ntuser.dat
[2010/08/13 15:15:01 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/13 15:11:04 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/08/13 15:11:04 | 000,595,446 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/08/13 15:11:04 | 000,101,144 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/08/13 15:10:11 | 000,000,436 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{A9F4DD0C-40BF-4ED2-BF44-FA5BE4D28BC6}.job
[2010/08/13 15:08:23 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2010/08/13 15:05:48 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/13 15:05:47 | 000,003,952 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/08/13 15:05:47 | 000,003,952 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/08/13 15:05:47 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/08/13 15:05:43 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/08/13 15:05:40 | 3085,328,384 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/09 22:40:42 | 000,524,288 | -HS- | M] () -- C:\Users\Circuit City\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/08/09 22:40:42 | 000,065,536 | -HS- | M] () -- C:\Users\Circuit City\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/08/08 18:04:48 | 000,116,224 | ---- | M] () -- C:\Users\Circuit City\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/08 11:08:13 | 004,210,420 | -H-- | M] () -- C:\Users\Circuit City\AppData\Local\IconCache.db
[2010/08/07 09:31:25 | 000,001,933 | ---- | M] () -- C:\Users\Public\Desktop\YouTube Downloader App.lnk
[2010/08/07 09:31:21 | 000,002,009 | ---- | M] () -- C:\Users\Public\Desktop\Videora iPod touch Converter.lnk
[2010/08/05 09:27:35 | 000,000,955 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\GamersFirst LIVE!.lnk
[2010/08/05 09:27:35 | 000,000,921 | ---- | M] () -- C:\Users\Public\Desktop\GamersFirst LIVE!.lnk
[2010/08/05 09:23:39 | 000,000,816 | ---- | M] () -- C:\Users\Public\Desktop\War Rock.lnk
[2010/08/04 21:32:05 | 258,937,978 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/08/04 21:00:06 | 000,000,964 | ---- | M] () -- C:\Users\Public\Desktop\War Rock g1.lnk
[2010/08/04 09:57:52 | 001,724,648 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/08/04 09:55:19 | 000,107,288 | ---- | M] () -- C:\Users\Circuit City\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/08/03 11:38:28 | 165,726,465 | RH-- | M] () -- C:\Users\Circuit City\Documents\Occult.rar
[2010/08/01 09:09:24 | 000,000,020 | ---- | M] () -- C:\Users\Circuit City\defogger_reenable
[2010/07/30 13:56:39 | 000,000,765 | ---- | M] () -- C:\Users\Circuit City\Documents\Desktop\UltraVNC Viewer.lnk
[2010/07/30 13:56:39 | 000,000,748 | ---- | M] () -- C:\Users\Circuit City\Documents\Desktop\UltraVNC Server.lnk
[2010/07/28 13:31:07 | 000,000,850 | ---- | M] () -- C:\Users\Circuit City\Documents\Desktop\MixMeister BPM Analyzer.lnk
[2010/07/26 11:45:11 | 000,000,600 | ---- | M] () -- C:\Users\Circuit City\AppData\Local\PUTTY.RND
[2010/07/25 09:06:42 | 000,000,443 | ---- | M] () -- C:\Windows\geodas_.ini
[2010/07/24 10:33:13 | 000,000,181 | ---- | M] () -- C:\Windows\w32demo8.ini
[2010/07/19 10:40:34 | 010,122,678 | ---- | M] () -- C:\Windows\System32\105.skb
[2010/07/19 10:25:18 | 010,124,688 | ---- | M] () -- C:\Windows\System32\104.skb
[2010/07/15 09:56:01 | 000,000,022 | ---- | M] () -- C:\Windows\System32\mskthml.skt
[2010/07/15 09:56:01 | 000,000,022 | ---- | M] () -- C:\Windows\mskthml.skt
[2010/07/15 09:56:01 | 000,000,002 | ---- | M] () -- C:\Users\Circuit City\AppData\Roaming\keyboardlayout.bmp
[5 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/07 09:31:25 | 000,001,933 | ---- | C] () -- C:\Users\Public\Desktop\YouTube Downloader App.lnk
[2010/08/07 09:31:21 | 000,002,009 | ---- | C] () -- C:\Users\Public\Desktop\Videora iPod touch Converter.lnk
[2010/08/05 09:23:39 | 000,000,816 | ---- | C] () -- C:\Users\Public\Desktop\War Rock.lnk
[2010/08/04 09:11:27 | 000,000,955 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\GamersFirst LIVE!.lnk
[2010/08/03 11:35:46 | 165,726,465 | RH-- | C] () -- C:\Users\Circuit City\Documents\Occult.rar
[2010/08/02 14:04:19 | 3085,328,384 | -HS- | C] () -- C:\hiberfil.sys
[2010/08/01 09:09:15 | 000,000,020 | ---- | C] () -- C:\Users\Circuit City\defogger_reenable
[2010/08/01 00:03:44 | 258,937,978 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/07/30 13:56:39 | 000,000,765 | ---- | C] () -- C:\Users\Circuit City\Documents\Desktop\UltraVNC Viewer.lnk
[2010/07/30 13:56:39 | 000,000,748 | ---- | C] () -- C:\Users\Circuit City\Documents\Desktop\UltraVNC Server.lnk
[2010/07/28 13:31:07 | 000,000,850 | ---- | C] () -- C:\Users\Circuit City\Documents\Desktop\MixMeister BPM Analyzer.lnk
[2010/07/27 08:14:38 | 000,000,964 | ---- | C] () -- C:\Users\Public\Desktop\War Rock g1.lnk
[2010/07/24 10:26:14 | 000,000,181 | ---- | C] () -- C:\Windows\w32demo8.ini
[2010/07/21 11:53:21 | 000,000,921 | ---- | C] () -- C:\Users\Public\Desktop\GamersFirst LIVE!.lnk
[2010/07/19 10:40:31 | 010,122,678 | ---- | C] () -- C:\Windows\System32\105.skb
[2010/07/19 10:25:16 | 010,124,688 | ---- | C] () -- C:\Windows\System32\104.skb
[2010/07/15 09:56:01 | 000,000,022 | ---- | C] () -- C:\Windows\System32\mskthml.skt
[2010/07/15 09:56:01 | 000,000,022 | ---- | C] () -- C:\Windows\mskthml.skt
[2010/07/15 09:56:01 | 000,000,002 | ---- | C] () -- C:\Users\Circuit City\AppData\Roaming\keyboardlayout.bmp
[2010/06/05 17:10:24 | 002,463,976 | ---- | C] () -- C:\Windows\System32\NPSWF32.dll
[2009/06/08 07:37:40 | 000,015,584 | ---- | C] () -- C:\Windows\snphv71.ini
[2009/06/08 07:37:39 | 000,188,928 | ---- | C] () -- C:\Windows\System32\drivers\snphv71.sys
[2009/06/08 07:37:39 | 000,061,440 | ---- | C] () -- C:\Windows\System32\dsnphv71.dll
[2009/06/08 07:37:39 | 000,036,864 | ---- | C] () -- C:\Windows\System32\vsnphv71.dll
[2009/04/25 15:20:25 | 000,057,344 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/02/26 01:07:27 | 000,000,196 | ---- | C] () -- C:\Windows\QTW.INI
[2009/02/08 10:22:49 | 000,000,443 | ---- | C] () -- C:\Windows\geodas_.ini
[2009/02/03 00:42:50 | 000,000,047 | ---- | C] () -- C:\Windows\SIERRA.INI
[2009/01/28 08:29:17 | 000,043,520 | ---- | C] () -- C:\Windows\System32\CmdLineExt03.dll
[2008/12/21 16:38:10 | 000,000,060 | ---- | C] () -- C:\Windows\SimPose7.ini
[2008/09/13 16:43:37 | 000,000,046 | ---- | C] () -- C:\Windows\smsafari.ini
[2008/09/10 19:11:56 | 000,002,554 | ---- | C] () -- C:\Windows\WAVEMIX.INI
[2008/09/10 19:11:53 | 000,000,163 | ---- | C] () -- C:\Windows\SimTower.ini
[2008/07/23 11:47:34 | 000,000,416 | ---- | C] () -- C:\Windows\System32\dtu100.dll.manifest
[2008/07/23 11:47:34 | 000,000,416 | ---- | C] () -- C:\Windows\System32\dpl100.dll.manifest
[2008/07/23 11:46:38 | 000,012,288 | ---- | C] () -- C:\Windows\System32\DivXWMPExtType.dll
[2008/06/13 15:30:05 | 000,045,056 | ---- | C] () -- C:\Windows\System32\PManager.dll
[2008/05/22 17:22:18 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008/03/20 09:09:34 | 000,110,592 | ---- | C] () -- C:\Windows\System32\bcshellext.dll
[2008/02/09 11:12:32 | 000,159,992 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2008/01/17 04:35:30 | 000,000,004 | ---- | C] () -- C:\Windows\info147.sys
[2008/01/01 20:31:10 | 000,002,112 | ---- | C] () -- C:\Windows\AutostarSuite.ini
[2007/12/07 19:55:27 | 000,000,232 | ---- | C] () -- C:\Windows\CROCCLIP.INI
[2007/12/07 18:23:38 | 000,000,000 | ---- | C] () -- C:\Windows\PROTOCOL.INI
[2007/11/26 21:56:28 | 000,151,415 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2007/10/28 10:46:44 | 000,053,248 | ---- | C] () -- C:\Windows\System32\zlib.dll
[2007/07/23 10:03:32 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2007/07/23 10:03:32 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2007/07/23 10:03:32 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2007/07/23 10:03:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2007/07/23 10:03:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2007/07/23 10:03:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2007/07/23 10:03:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2007/07/23 10:03:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2007/07/23 10:03:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2007/04/25 13:39:48 | 000,327,680 | ---- | C] () -- C:\Windows\System32\pythoncom24.dll
[2007/04/25 13:39:48 | 000,102,400 | ---- | C] () -- C:\Windows\System32\pywintypes24.dll
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2004/03/30 02:15:02 | 000,051,200 | ---- | C] () -- C:\Windows\System32\ThriXXX010205PNG.dll
[2004/03/30 02:15:01 | 000,056,832 | ---- | C] () -- C:\Windows\System32\ThriXXX015003JP2.dll
[2004/03/30 02:15:01 | 000,023,040 | ---- | C] () -- C:\Windows\System32\ThriXXX010104Z.dll
[2003/05/23 05:08:52 | 000,107,008 | ---- | C] () -- C:\Windows\System32\vorbis.dll
[2003/05/23 05:08:52 | 000,020,992 | ---- | C] () -- C:\Windows\System32\ogg.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/19 02:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/19 02:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2006/11/02 04:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\AGP440.sys
[2006/11/02 04:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/01/19 02:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\drivers\atapi.sys
[2008/01/19 02:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/19 02:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 04:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2008/02/13 04:04:20 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[2008/02/13 04:04:20 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2008/02/13 04:04:19 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2008/01/19 02:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/19 02:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 04:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys
[2006/11/02 04:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2006/11/02 04:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll
[2008/01/19 02:35:36 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\System32\netlogon.dll
[2008/01/19 02:35:36 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVRAID.SYS >
[2008/01/19 02:43:01 | 000,102,968 | ---- | M] (NVIDIA Corporation) MD5=2EDF9E7751554B42CBB60116DE727101 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvraid.sys
[2008/01/19 02:43:01 | 000,102,968 | ---- | M] (NVIDIA Corporation) MD5=2EDF9E7751554B42CBB60116DE727101 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvraid.sys
[2006/11/02 04:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) MD5=E69E946F80C1C31C53003BFBF50CBB7C -- C:\Windows\System32\drivers\nvraid.sys
[2006/11/02 04:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) MD5=E69E946F80C1C31C53003BFBF50CBB7C -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvraid.sys

< MD5 for: NVRD32.SYS >
[2007/10/26 19:51:26 | 000,131,616 | ---- | M] (NVIDIA Corporation) MD5=049E81B6FB41C73619ED3FE4DF7D8638 -- C:\Windows\System32\DriverStore\FileRepository\nvrd32.inf_0f6358b4\nvrd32.sys
[2008/08/18 19:58:00 | 000,133,152 | ---- | M] (NVIDIA Corporation) MD5=7894FFC354DDD5A0600BC112FFEC2DD0 -- C:\NVIDIA\nForceWinVista\15.23\IS\IDE\WinVista\sataraid\nvrd32.sys

< MD5 for: NVSTOR.SYS >
[2006/11/02 04:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
[2006/11/02 04:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/19 02:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/19 02:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: NVSTOR32.SYS >
[2007/03/19 08:58:50 | 000,101,672 | ---- | M] (NVIDIA Corporation) MD5=019054D997F65358DCA63ECAE5103F97 -- C:\hp\DRIVERS\NVIDIA_Serial_ATA\nvstor32.sys
[2007/03/19 08:58:50 | 000,101,672 | ---- | M] (NVIDIA Corporation) MD5=019054D997F65358DCA63ECAE5103F97 -- C:\Windows\System32\DriverStore\FileRepository\nvstor32.inf_1306af02\nvstor32.sys
[2008/08/18 19:58:00 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=2A0CC26D67B38460CC7563BC8313C1D6 -- C:\NVIDIA\nForceWinVista\15.23\IS\IDE\WinVista\sataraid\nvstor32.sys
[2007/10/26 19:51:24 | 000,110,624 | ---- | M] (NVIDIA Corporation) MD5=7EBA6C9A0A295B1559EFB9062E701218 -- C:\Windows\System32\drivers\nvstor32.sys
[2007/10/26 19:51:24 | 000,110,624 | ---- | M] (NVIDIA Corporation) MD5=7EBA6C9A0A295B1559EFB9062E701218 -- C:\Windows\System32\DriverStore\FileRepository\nvrd32.inf_0f6358b4\nvstor32.sys
[2008/08/18 19:58:00 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=8EE374B6FB3CB2BB8D70395218B464A5 -- C:\NVIDIA\nForceWinVista\15.23\IS\IDE\WinVista\sata_ide\nvstor32.sys
[2008/08/18 19:58:00 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=8EE374B6FB3CB2BB8D70395218B464A5 -- C:\Windows\System32\DriverStore\FileRepository\nvstor32.inf_d87a3a1f\nvstor32.sys

< MD5 for: SCECLI.DLL >
[2008/01/19 02:36:19 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\System32\scecli.dll
[2008/01/19 02:36:19 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2006/11/02 04:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/01/19 02:38:03 | 000,242,744 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2008/01/19 02:36:10 | 000,225,792 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll
[5 C:\Windows\system32\*.tmp files -> C:\Windows\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 05:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 05:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 05:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\system32\drivers\*.sys /90 >

========== Alternate Data Streams ==========

@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:D1B5B4F1
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:5EC637CB
@Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:1AD5880D
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:A8ADE5D8
@Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:1CD23587
@Alternate Data Stream - 107 bytes -> C:\ProgramData\TEMP:F1175E1D
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:DE73B0FE
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:FA989048
< End of report >



Extras.txt:
OTL Extras logfile created on: 8/13/2010 3:23:58 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\Circuit City\Downloads
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 56.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 363.82 Gb Total Space | 205.20 Gb Free Space | 56.40% Space Free | Partition Type: NTFS
Drive D: | 8.79 Gb Total Space | 1.01 Gb Free Space | 11.48% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive L: | 3.73 Gb Total Space | 0.10 Gb Free Space | 2.75% Space Free | Partition Type: FAT32

Computer Name: LOGANS
Current User Name: Circuit City
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-808472312-2103218499-2355469710-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with &IrfanView] -- "C:\Program Files\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
"UacDisableNotify" = 1
"InternetSettingsDisableNotify" = 1
"AutoUpdateDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-808472312-2103218499-2355469710-1000]
"EnableNotifications" = 1
"EnableNotificationsRef" = 3

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
"DoNotAllowExceptions" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink -- File not found
"C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe" = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox -- File not found
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- File not found
"C:\Program Files\Orbitdownloader\orbitdm.exe" = C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files\Orbitdownloader\orbitnet.exe" = C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit -- (Orbitdownloader.com)


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{036ECF19-CAB1-494A-A959-DA3EC72D5FFF}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{08167DB1-F10F-4138-9A42-5B99C51653ED}" = lport=68 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{099B0D0D-5159-4EB6-9D36-BFEA20F251EF}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{0EFC4C5E-F07C-4C72-9320-F1FC32FF070F}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{14A8E5C9-E08E-46B6-A286-C978375E950D}" = lport=445 | protocol=6 | dir=in | app=system |
"{1731FF41-0B5A-45AB-BF5C-0DBEAB2D8279}" = rport=10243 | protocol=6 | dir=out | app=system |
"{17B6BDEA-01D9-49C5-A42D-19CDF8EEE19A}" = rport=139 | protocol=6 | dir=out | app=system |
"{196853CA-7353-4CB0-AF1D-82F3B9CDC9A1}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{19A8A2FE-C0D7-4DBC-A300-06F93051A0E8}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{1ED58FD5-4B72-4A97-903C-1109DAB65127}" = lport=10244 | protocol=6 | dir=in | app=system |
"{1FD1771F-BB03-49F0-871B-CFCB16618F85}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{28FB43BF-353A-4A6D-964B-303AABFD589F}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=c:\windows\system32\svchost.exe |
"{2CCDB140-178D-4D95-A76D-B0CBDC910D69}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{2DDB4707-41DA-42CC-B158-19B0097C42F4}" = lport=138 | protocol=17 | dir=in | app=system |
"{31B558C2-3884-4E69-8B47-57D61AD61D25}" = rport=445 | protocol=6 | dir=out | app=system |
"{33801DC1-1D3B-4B88-9C23-6B2139FAB4D8}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{3D9F298F-4609-453F-B2B2-EF0DF45E0AFC}" = lport=139 | protocol=6 | dir=in | app=system |
"{462231CB-29D2-44B7-B3EB-19C1C44CA58B}" = rport=10244 | protocol=6 | dir=out | app=system |
"{476515D6-8C8B-4BF5-BCB7-6C597C207D82}" = lport=3390 | protocol=6 | dir=in | app=system |
"{4B5C479C-AD86-4968-A257-199F98D287B2}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=c:\windows\system32\svchost.exe |
"{562E2C25-7780-455D-987D-71E643926D15}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{59C17B11-A50B-431B-B7FD-52ABCDBE751F}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{6B9609B9-2543-48B4-8A23-AAF6A28A5B20}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{6FBFDCF9-E55B-448A-B4DC-6F25F0A8F73D}" = lport=53 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{7B74703A-AB31-4477-9D69-3CA4BD55FF36}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{80EDF459-D1C6-4341-A9D3-CCBD10401B60}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{81D04433-C702-4888-A578-FB2CBA96C2D0}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{8876E570-2354-41AC-B5DF-03A59F2AB09F}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{89CA901A-98AF-4824-A2AD-77BD1F178DE7}" = lport=2869 | protocol=6 | dir=in | app=system |
"{8CDA5561-46B7-4F34-9B33-9F6D9363F900}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{8EFDD3E8-E17E-4679-83DD-B2BFD2258045}" = lport=2869 | protocol=6 | dir=in | app=system |
"{8F155B4C-2D83-41F2-98B5-AA4ED5B3D3C8}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{8FD48708-6128-4D7F-9186-D2D144B83FDF}" = lport=547 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{9538FDD8-F451-43B9-8BF1-12CE59338FCD}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=c:\windows\system32\svchost.exe |
"{A3BB85C5-BC3F-4F5A-A758-50340A4EDD0A}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A5DAA07C-6D5F-4A8C-B6CC-A9BDABF5448F}" = lport=3390 | protocol=6 | dir=in | app=system |
"{A7708B25-27A5-439E-BC5D-8EACA1E178B6}" = rport=138 | protocol=17 | dir=out | app=system |
"{AE7321FA-9410-42C4-9C61-7EDED58FF14D}" = rport=137 | protocol=17 | dir=out | app=system |
"{AF899AFC-B1F3-4129-AAA0-57C830721192}" = lport=10243 | protocol=6 | dir=in | app=system |
"{B0259FBD-E34D-4C51-9763-7B2A6477AD8C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{B66CB99D-7725-423D-B30C-C05D55D8FDE3}" = lport=2869 | protocol=6 | dir=in | app=system |
"{BF128902-927C-409D-B3F9-C29EDC756B3D}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{CA710986-997E-405F-820B-6146469BBF29}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{CE678F48-88ED-4DCA-8C88-02E05E982385}" = rport=2869 | protocol=6 | dir=out | app=system |
"{CF1BE1F4-B82D-4254-833E-8C5C5E7E57DA}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=c:\windows\system32\svchost.exe |
"{D5C178FC-FAD6-48FA-84B0-6B75B213A9A2}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{D981BF70-68FA-4551-BA26-D6781BF1E51E}" = lport=10244 | protocol=6 | dir=in | app=system |
"{E26BECBD-1A1B-4E0E-827A-09AFCCFFFE47}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{E5456C27-74A6-4C3E-B149-C093A69922DC}" = lport=137 | protocol=17 | dir=in | app=system |
"{E8768678-BD78-4D68-9629-80EA2184077F}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{ED72E682-40D6-4DE2-9068-59AB80FD6148}" = lport=67 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{FD5EA4B9-F4E2-4966-B9D1-706155BBEEFC}" = rport=10244 | protocol=6 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01DE4B25-B122-49C7-932A-AA436512E713}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{0C819783-CAFC-40FF-B421-BD0A7413F7C3}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{10DC1BEE-5088-4B94-8892-E52C51918A9A}" = protocol=6 | dir=out | svc=upnphost | app=c:\windows\system32\svchost.exe |
"{13877A14-0E3C-4F76-8348-D58B98D18957}" = protocol=6 | dir=in | app=c:\windows\system32\wercon.exe |
"{13C14B09-261B-4FA1-AF15-7B1279A2D9FA}" = dir=out | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{143A07D3-7BE3-48B5-BE59-DE3E435AF0BE}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |
"{152B1B19-B102-4226-8FD3-1A050AE7117B}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |
"{16038CBA-88F8-42A5-B706-EA84EDC3B75E}" = protocol=6 | dir=out | svc=upnphost | app=c:\windows\system32\svchost.exe |
"{18718965-414F-49B4-AC76-F3E282FB4254}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{19E23982-628E-4FB9-B7A2-65C2CC05D914}" = protocol=6 | dir=out | app=c:\program files\windows media player\wmplayer.exe |
"{1AE7B342-6AE5-4F6F-A516-4C919C714ABB}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{1CB4CA29-FE14-4028-9F6E-677C1BB4395E}" = dir=in | app=c:\program files\avg\avg8\avgemc.exe |
"{1D2FB409-9FEA-4256-BAB4-A091ACA1B7EB}" = protocol=17 | dir=in | app=c:\program files\windows media player\wmpnetwk.exe |
"{1E10FCFD-E1ED-4334-A53C-3305D8F9813F}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{28E65F7C-BD2F-4E82-913B-60EA43511DCC}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |
"{29BB0782-B68E-4D01-96A2-3D1D22127E69}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{2A846E32-512F-4AE5-A826-1F968FB926DB}" = protocol=6 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{31F6B986-D2B2-4CBC-A494-3EF71A663234}" = protocol=17 | dir=in | app=c:\program files\dna\btdna.exe |
"{32CCDF58-8D36-4087-A22A-18B2F72C163C}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{35C5308C-DB4A-408D-9431-8A41CA109EC7}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{36F46D01-9E9F-48AC-B11D-B2596A184909}" = dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{37077233-DEFF-462B-88A6-A7B4218FE749}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{3978C607-F7FB-45AD-B61E-06AF02D17063}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{3D6D1B20-E542-4998-84AF-995D7230533C}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |
"{424616C6-6F79-4DAA-A138-7FB4E2F1556A}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{430D6157-6CE0-48BE-81F7-7136756A5DB5}" = protocol=17 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{47ECE7B8-D460-48B5-9D7A-36845BE87824}" = protocol=58 | dir=in | name=@hnetcfg.dll,-148 |
"{4955A2F6-DF0D-4EBB-B935-FEC9E2C6E81D}" = protocol=6 | dir=out | app=system |
"{4D12BD47-6C08-48B0-B230-F3FFBCB31291}" = protocol=17 | dir=in | app=c:\program files\avg\avg8\avgui.exe |
"{5831D960-CEC5-4F11-88C5-A0C1818148DE}" = protocol=6 | dir=out | app=system |
"{58B6A852-36DD-4CF8-A624-9992AAE286AE}" = dir=in | app=c:\program files\avg\avg8\avgupd.exe |
"{5939A73E-C9DB-4131-96B9-A30AF225DC57}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{5A27EBF0-E701-428E-A1A8-E2E6B65E09CD}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{5DEE7F79-CADA-4C2D-9736-858A32A1145A}" = protocol=6 | dir=in | app=c:\program files\tightvnc\tvnserver.exe |
"{5EE5183B-433E-4E72-B5ED-41AB9E7C2A80}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{631A8E77-EEE4-45E1-B9F2-020E3EBD2EAE}" = protocol=6 | dir=in | app=c:\program files\ultravnc\vncviewer.exe |
"{66B9F04D-C1E0-40CB-BCB1-4F04DF4FF6EE}" = protocol=17 | dir=in | app=c:\program files\malwarebytes' anti-malware\mbam.exe |
"{68B24EC3-538A-4F62-9A24-5E694EBA1F25}" = protocol=6 | dir=in | app=c:\program files\tightvnc\vncviewer.exe |
"{6960A3B8-EF50-45AA-89BA-8158F58A0C95}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{744425EE-9C95-4131-894D-2779E87940FB}" = protocol=6 | dir=in | app=c:\program files\ultravnc\winvnc.exe |
"{78F5F5F8-F3F7-4591-9B9C-1DDDDB866E4D}" = protocol=17 | dir=in | app=c:\program files\yahoo!\yahoo! music jukebox\yahoomusicengine.exe |
"{7AB528A1-44DD-4854-AC77-63B0C16A8D35}" = protocol=17 | dir=in | app=c:\program files\avg\avg8\avgtray.exe |
"{7B5434FA-6D8C-4C1A-B8E5-34DDD66EF3C6}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{7D2D9585-9D8D-4353-A79F-AA5987F5D9C5}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{814F93C2-7B13-4EBB-9A5D-65C5659D121A}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{89D8C6DF-484F-454F-9ACB-431631C528B3}" = protocol=17 | dir=out | app=c:\program files\windows media player\wmplayer.exe |
"{8BEC4027-3C81-44D3-B33C-4102397004AB}" = protocol=6 | dir=in | app=c:\program files\dna\btdna.exe |
"{8D2F1AC1-D635-49C0-B339-9D6CFD5BEBFC}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{92E05FE4-3308-477A-9A22-A88687C46E4F}" = protocol=17 | dir=in | app=c:\program files\windows media player\wmplayer.exe |
"{95BA26C2-B7CF-4230-9172-DE2584A3E41D}" = protocol=6 | dir=in | app=c:\program files\windows media player\wmpnetwk.exe |
"{97B1C25E-4DB7-4D74-9908-FBEDAA7E34AD}" = protocol=17 | dir=in | app=c:\windows\system32\wercon.exe |
"{9856ACCB-B217-403A-8DF5-8E9CB584608B}" = protocol=6 | dir=in | app=c:\program files\poweriso\poweriso.exe |
"{A1B1474B-B131-4399-BE2C-52DB201C9C40}" = protocol=17 | dir=in | app=c:\program files\vuze\azureus.exe |
"{A673F09F-DBE8-4C69-ACE8-91A63733BF2D}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{AA5B25BE-5773-4CCB-B87E-CE5FC7DDD0D3}" = protocol=17 | dir=in | app=c:\program files\ultravnc\winvnc.exe |
"{AF1FF288-D600-48E8-B90F-AFC25316A188}" = protocol=17 | dir=in | app=c:\program files\poweriso\poweriso.exe |
"{B4E8D51F-2384-4634-8CF4-5A603ABBABC0}" = protocol=6 | dir=in | app=c:\program files\yahoo!\yahoo! music jukebox\yahoomusicengine.exe |
"{B66F6D90-913B-4425-9AAF-28321763DADD}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{B70B3733-309C-4BE2-A0A5-07217A655B97}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{C6F82A0F-5338-4612-9B94-113155D91780}" = dir=in | app=c:\program files\avg\avg8\avgnsx.exe |
"{CB6B324E-EC5E-4CC2-B153-905932BDC024}" = protocol=6 | dir=in | app=c:\program files\avg\avg8\avgui.exe |
"{CCAF04B1-3734-45F7-93EE-7D0E98120BB5}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{D062AA14-C884-4165-A0DC-C74A1BB0D02C}" = protocol=17 | dir=in | app=c:\program files\poweriso\pwrisovm.exe |
"{D1F6E43C-06F7-496F-9839-F2C32D72FC50}" = protocol=17 | dir=in | app=c:\program files\tightvnc\tvnserver.exe |
"{DE2F1E36-13F7-4880-A4AD-54C7EAC290A6}" = protocol=17 | dir=in | app=c:\program files\tightvnc\vncviewer.exe |
"{E123DAB3-C576-4AFF-B083-FBC66135637E}" = protocol=6 | dir=in | app=c:\program files\malwarebytes' anti-malware\mbam.exe |
"{E2D1FA66-4567-4F0B-BE9D-3FC939DBBAEA}" = protocol=17 | dir=out | app=c:\program files\windows media player\wmpnetwk.exe |
"{E4BAA766-1725-447A-AD47-96DAA2FC7611}" = protocol=17 | dir=in | app=c:\program files\google\google earth\googleearth.exe |
"{E5B9A386-16C0-4CFB-A186-87EE5793506E}" = protocol=6 | dir=out | app=c:\windows\system32\wudfhost.exe |
"{E8BF02A5-C750-44B2-80F7-88D1DAEE2600}" = protocol=6 | dir=in | app=c:\program files\poweriso\pwrisovm.exe |
"{EA4939D0-0CEF-4F77-8C08-2A2C86F31071}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{EADEBB65-210B-43EA-AF66-39B5469B3E7A}" = protocol=6 | dir=out | app=c:\program files\windows media player\wmpnetwk.exe |
"{F0125D2C-DD89-400D-BE72-5CEFB5388A18}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{F034000C-3979-4B1C-992F-9F3544396D5B}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{F0B5824E-3A46-4E2E-9BFE-427C11BC1DF2}" = protocol=6 | dir=in | app=c:\program files\google\google earth\googleearth.exe |
"{F58D030F-7BFE-48B8-8005-DB3AC6410D9F}" = protocol=6 | dir=in | app=c:\program files\avg\avg8\avgtray.exe |
"{F8F4AED2-967A-4F2E-85E1-20D9365DD13B}" = protocol=17 | dir=in | app=c:\program files\ultravnc\vncviewer.exe |
"{FB6124C3-13A9-4B0D-8535-60D931177E1E}" = protocol=6 | dir=in | app=c:\program files\vuze\azureus.exe |
"TCP Query User{1BC988C2-0854-4A25-A9C6-000C97FD3B68}C:\program files\limewire\limewire.exe" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"TCP Query User{465E6793-62C9-430F-95C1-205D23DF5D3E}C:\users\circuit city\program files\dna\btdna.exe" = protocol=6 | dir=in | app=c:\users\circuit city\program files\dna\btdna.exe |
"TCP Query User{8B104001-4AAF-4ECB-A58B-87EAC5386BB0}C:\program files\vuze\azureus.exe" = protocol=6 | dir=in | app=c:\program files\vuze\azureus.exe |
"TCP Query User{A9BAC337-199C-4E74-A471-191286D89094}C:\program files\orbitdownloader\orbitnet.exe" = protocol=6 | dir=in | app=c:\program files\orbitdownloader\orbitnet.exe |
"TCP Query User{ADAF890D-D86A-4246-9155-FE35826C98CE}C:\users\circuit city\program files\dna\btdna.exe" = protocol=6 | dir=in | app=c:\users\circuit city\program files\dna\btdna.exe |
"TCP Query User{DBFCF212-958B-4838-9643-5487E61F5AB2}C:\program files\hp games\wheel of fortune\wheel of fortune.exe" = protocol=6 | dir=in | app=c:\program files\hp games\wheel of fortune\wheel of fortune.exe |
"TCP Query User{E518322F-B2E2-4DEA-9269-114A54D05736}C:\users\circuit city\documents\limewire\limewire saved\programs\pc games - age of empires ii (works perfect!)\age2_x1.exe" = protocol=6 | dir=in | app=c:\users\circuit city\documents\limewire\limewire saved\programs\pc games - age of empires ii (works perfect!)\age2_x1.exe |
"TCP Query User{EB832C27-D9AF-4D99-8419-B95F8C0F946D}C:\program files\rhapsody\rhapsody.exe" = protocol=6 | dir=in | app=c:\program files\rhapsody\rhapsody.exe |
"TCP Query User{F94EE677-6316-4F96-9309-A43810260E41}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{06851CF1-9BFC-425C-839F-EE71CB4D3B8E}C:\program files\limewire\limewire.exe" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"UDP Query User{113E1058-F7FE-4B00-A7D8-479326901F60}C:\program files\rhapsody\rhapsody.exe" = protocol=17 | dir=in | app=c:\program files\rhapsody\rhapsody.exe |
"UDP Query User{42477D45-F67D-4C08-A73E-CD3C84FA6A9E}C:\users\circuit city\documents\limewire\limewire saved\programs\pc games - age of empires ii (works perfect!)\age2_x1.exe" = protocol=17 | dir=in | app=c:\users\circuit city\documents\limewire\limewire saved\programs\pc games - age of empires ii (works perfect!)\age2_x1.exe |
"UDP Query User{735C06F4-16AA-4D20-BB20-F7555259845C}C:\users\circuit city\program files\dna\btdna.exe" = protocol=17 | dir=in | app=c:\users\circuit city\program files\dna\btdna.exe |
"UDP Query User{AC7D9A32-0B02-416F-BAB7-B53994399314}C:\program files\vuze\azureus.exe" = protocol=17 | dir=in | app=c:\program files\vuze\azureus.exe |
"UDP Query User{C0D0D70F-A2BA-47DB-ACE4-3390F40E2247}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{D3199873-9ACD-4A8D-8C72-61E2E3194088}C:\program files\orbitdownloader\orbitnet.exe" = protocol=17 | dir=in | app=c:\program files\orbitdownloader\orbitnet.exe |
"UDP Query User{FD6B5A53-230E-4A13-B8CF-6F0DD9EED100}C:\program files\hp games\wheel of fortune\wheel of fortune.exe" = protocol=17 | dir=in | app=c:\program files\hp games\wheel of fortune\wheel of fortune.exe |
"UDP Query User{FF78FCF0-2B23-45BB-9162-AA31813B6671}C:\users\circuit city\program files\dna\btdna.exe" = protocol=17 | dir=in | app=c:\users\circuit city\program files\dna\btdna.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{0224CACC-994D-45F8-B973-D65056EA9C2F}" = Adobe XMP DVA Panels CS3
"{041C432A-E1B5-4713-9F2A-3D38382C991E}" = Microsoft CCR and DSS Runtime 2008
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}" = Adobe After Effects CS3 Presets
"{212125C1-E5A3-4810-A057-C20FB2A79327}" = Majesty - Gold Edition
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23484C5A-E7AE-4F59-B7DF-88D63BEF18F4}" = Meade LPI
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{291B3A3B-F808-45B8-8113-DF232FCB6C82}" = Microsoft .NET Compact Framework 3.5
"{2990BC81-3B19-4E53-A53E-30DE3F1BFFA8}" = HP Total Care Advisor
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2C65AEAA-EDF4-42E0-AA43-D74A5362CA02}" = Adobe Setup
"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder
"{2FA41EBB-3F5A-35C3-85D6-51EC72A11FBD}" = Google Gears
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Roxio Activation Module
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3E4153AF-3D74-4062-8812-B1FDCE6B1F37}" = LEGO® MINDSTORMS® NXT - English Language Pack
"{40F7AED3-0C7D-4582-99F6-484A515C73F2}" = HP Easy Setup - Frontend
"{4377F918-E6C9-4ECA-A7F5-754B310B7ED8}" = Sid Meier's Civilization 4
"{4458C442-7376-4CF9-AF58-E8CEA6722363}" = Adobe Setup
"{485ACF57-F364-440A-8496-E1E81C8FA1AA}" = Adobe Premiere Pro CS3 Third Party Content
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4D87DC92-C328-46EC-A7B4-9C88129DC696}" = Dead Space™
"{4F0C7CCF-5666-474B-B02E-AC514A95EC93}" = NVIDIA GAME System Software 2.8.1
"{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9}" = Adobe Setup
"{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}" = Adobe Premiere Pro CS3 Functional Content
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{55718B4B90B54F7EADC5621C750A14E6}" = DivX Author 1.5
"{55979C41-7D6A-49CC-B591-64AC1BBE2C8B}" = HP Picasso Media Center Add-In
"{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}" = Adobe Premiere Pro CS3
"{597E70FF-7C46-4EED-8092-91B7C2E0529D}" = Google SketchUp 7
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6ADD0603-16EF-400D-9F9E-486432835002}" = OpenOffice.org 3.2
"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3
"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files
"{6B976ADF-8AE8-434E-B282-A06C7F624D2F}" = Python 2.5.2
"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{75E71ADD-042C-4F30-BFAC-A9EC42351313}" = Python 2.4.3
"{765E50AF-5550-4F7E-84F4-524D1BF2C49D}" = MSM2MSI_gstudio
"{7ACFB90E-8FD0-4397-AD3A-5195412623A3}" = Adobe Help Viewer CS3
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{800218C2-2E07-461C-85D6-8FDB4F9161D9}" = FPS Creator Free
"{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}" = Adobe Video Profiles
"{8718DC03-D066-4957-94E5-50C3C5042E8E}" = Adobe Creative Suite 3 Master Collection
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{907B4640-266B-4A21-92FB-CD1A86CD0F63}" = RollerCoaster Tycoon 3 Platinum
"{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}" = Microsoft Games for Windows - LIVE Redistributable
"{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9DBA770F-BF73-4D39-B1DF-6035D95268FC}" = HP Customer Feedback
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{9FD6F1A8-5550-46AF-8509-271DF0E768B5}" = Dual-Core Optimizer
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB5E289E-76BF-4251-9F3F-9B763F681AE0}" = HP Customer Experience Enhancements
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.3
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}" = Adobe BridgeTalk Plugin CS3
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}" = Adobe Flash Player 9 ActiveX
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{BED27751-CD2A-4C2F-9813-00B9B60C76FE}" = Railroad Tycoon II - Platinum
"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1
"{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}" = Sid Meier's Civilization 4
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D5A31AB1-345D-47C7-A87B-036A669F6DF1}" = Adobe XMP Panels CS3
"{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}" = LiveUpdate Notice (Symantec Corporation)
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler
"{EC2A8F27-4FBF-4E41-B27B-FE822511B761}" = iTunes
"{EDDF99D9-9FE3-4871-A7DB-D1522C51EE9A}" = Microsoft .NET Compact Framework 2.0 SP2
"{F08E8D2E-F132-4742-9C87-D5FF223A016A}" = Adobe Illustrator CS3
"{F0A4913F-46A5-48F2-BC73-EE41A6C81EB3}" = Microsoft DirectX SDK (August 2007)
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"Adobe Acrobat 8 Professional" = Adobe Acrobat 8.1.3 Professional
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_4dcfd9b7e901b57f81f667144603236" = Add or Remove Adobe Creative Suite 3 Master Collection
"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
"Adobe_71c180716438072ebd356ce2549df41" = Adobe Premiere Pro CS3 Third Party Content
"Adobe_a04a925a57548091300ada368235fc6" = Adobe Illustrator CS3
"Aleks 3.8" = Aleks 3.8
"Astroburn Lite" = Astroburn Lite
"Audacity_is1" = Audacity 1.2.6
"AutocompletePro2_is1" = AutocompletePro
"Autostar Suite" = Autostar Suite
"AVG8Uninstall" = AVG 8.0
"AviSynth" = AviSynth 2.5
"ffdshow_is1" = ffdshow [rev 2583] [2009-01-05]
"FileZilla Client" = FileZilla Client 3.3.2.1
"Frets on Fire" = Frets On Fire
"GamersFirst LIVE!" = GamersFirst LIVE!
"GamersFirst War Rock" = War Rock
"Google Updater" = Google Updater
"GTK2-Runtime" = GTK2-Runtime
"InstallShield_{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
"IrfanView" = IrfanView (remove only)
"LibUSB-Win32_is1" = LibUSB-Win32-0.1.12.1
"LimeWire" = LimeWire 5.2.13
"Mall Tycoon" = Mall Tycoon
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MixMeister BPM Analyzer_is1" = MixMeister BPM Analyzer 1.0
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"MSNINST" = MSN
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"NVIDIA Drivers" = NVIDIA Drivers
"OpenAL" = OpenAL
"OpenTTD" = OpenTTD 1.0.0
"Orbit_is1" = Orbit Downloader
"PC-Doctor 5 for Windows" = Hardware Diagnostic Tools
"Picasa 3" = Picasa 3
"RTP 1.32 Add-On for RM2k" = RTP 1.32 Add-On for RM2k
"RTP for RM2K (Png, Wav, Midi, Fonts)" = RTP for RM2K (Png, Wav, Midi, Fonts)
"Secunia CSI" = Secunia CSI
"SimCopterv1.0" = SimCopter
"ST6UNST #1" = Anything's an Icon (Shareware)
"StreetsOfSimCityv1" = Streets of SimCity
"StumbleUponIEToolbar" = StumbleUpon IE Toolbar
"SystemRequirementsLab" = System Requirements Lab
"The KMPlayer" = The KMPlayer (remove only)
"Time Stoper 1.00" = Time Stoper 1.00
"TreeSize Free_is1" = TreeSize Free V2.3.1
"Ultravnc2_is1" = UltraVNC 1.0.8.2
"uTorrent" = µTorrent
"Videora iPod touch Converter" = Videora iPod touch Converter 5.04
"Warzone 2100" = Warzone 2100
"WildTangent wildgames Master Uninstall" = WildGames
"WinRAR archiver" = WinRAR archiver
"YouTube Downloader App" = YouTube Downloader App 2.03

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home
  • Local time:11:25 PM

Posted 15 August 2010 - 10:20 AM

Hi,

Could you please try to run gmer without the "Devices" option checked? Let me know if it still freezes.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#5 mcdonn123

mcdonn123
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male
  • Local time:04:25 PM

Posted 15 August 2010 - 01:54 PM

It seems that the freezing is caused by gmer. My CPU before I start it is relatively low (around 16%); when I start gmer the CPU increases as expected (around 50%, mostly used by gmer); but when I close gmer the CPU goes to and stays at 100% without going down at all (the processes that take up most of the space are avgwdsvc.exe (AVG Watch Dog Service) and svchost.exe, and other avg processes sometimes start to take up more CPU than usual, though most of it is caused by the previously mentioned processes). A while after exiting gmer.exe, a bluescreen pops up (even if I restart the computer before it pops up it will still appear). I can remember some of the stuff that it said, but I couldn't grab my camera and take a snapshot quickly enough. It said something along the lines of: a system file (it started with an "A"; I think the first three letters were "apx" or "axl" or some combination of P, X, or L) has been changed or something. I will have to look at the bluescreen again to figure out exactly what it said.

Anyway, here are the log files from gmer that I managed to collect:


Here is a scan of everything except Devices, IAT/EAT, and Files (will scan tonight)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-15 13:20:45
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\CIRCUI~1\AppData\Local\Temp\axldapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8EC0F340, 0x3DA8C7, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[3908] kernel32.dll!SetUnhandledExceptionFilter 77846E2D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x85 0xF4 0x1A 0x1E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x9B 0xB5 0xF8 0x7A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x22 0x02 0xE2 0xD1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x85 0xF4 0x1A 0x1E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x9B 0xB5 0xF8 0x7A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x22 0x02 0xE2 0xD1 ...

---- EOF - GMER 1.0.15 ----



Here is a scan from 8/02/10 that scanned for System, Sections, and Devices


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-02 14:20:01
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\CIRCUI~1\AppData\Local\Temp\axldapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x82DDE282]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x82DDE474]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x82DDDF32]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x82DDE67C]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 43C 822D5A00 3 Bytes [82, E2, DD] {AND DL, -0x23}
.text ntkrnlpa.exe!KeSetTimerEx + 440 822D5A04 3 Bytes [74, E4, DD]
.text ntkrnlpa.exe!KeSetTimerEx + 854 822D5E18 3 Bytes [32, DF, DD]
.text ntkrnlpa.exe!KeSetTimerEx + 918 822D5EDC 3 Bytes [7C, E6, DD]
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8E204340, 0x3DA8C7, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\PROGRA~1\AVG\AVG8\avgfws8.exe[12] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\PROGRA~1\AVG\AVG8\avgfws8.exe[12] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\PROGRA~1\AVG\AVG8\avgfws8.exe[12] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\PROGRA~1\AVG\AVG8\avgfws8.exe[12] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\csrss.exe[656] KERNEL32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\csrss.exe[656] KERNEL32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\csrss.exe[656] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\system32\csrss.exe[656] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\wininit.exe[708] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\wininit.exe[708] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\wininit.exe[708] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\system32\wininit.exe[708] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\csrss.exe[716] KERNEL32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\csrss.exe[716] KERNEL32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\csrss.exe[716] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\system32\csrss.exe[716] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\services.exe[752] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\services.exe[752] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\services.exe[752] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\system32\services.exe[752] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\lsass.exe[764] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\system32\lsass.exe[764] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\lsm.exe[776] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\lsm.exe[776] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\lsm.exe[776] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\system32\lsm.exe[776] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\winlogon.exe[852] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\winlogon.exe[852] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\winlogon.exe[852] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\system32\winlogon.exe[852] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Users\Circuit City\Downloads\AntiVirus\gmer\gmer.exe[928] kernel32.dll!TerminateProcess 766018EF 6 Bytes PUSH 10002C59; RET
.text C:\Users\Circuit City\Downloads\AntiVirus\gmer\gmer.exe[928] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Users\Circuit City\Downloads\AntiVirus\gmer\gmer.exe[928] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Users\Circuit City\Downloads\AntiVirus\gmer\gmer.exe[928] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Users\Circuit City\Downloads\AntiVirus\gmer\gmer.exe[928] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\svchost.exe[964] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\svchost.exe[964] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\svchost.exe[964] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\system32\svchost.exe[964] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\nvvsvc.exe[1008] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\nvvsvc.exe[1008] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\svchost.exe[1036] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\svchost.exe[1036] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\svchost.exe[1036] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\system32\svchost.exe[1036] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\System32\svchost.exe[1076] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\System32\svchost.exe[1076] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\System32\svchost.exe[1076] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\System32\svchost.exe[1076] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1144] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1144] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1144] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1144] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\System32\svchost.exe[1180] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\System32\svchost.exe[1180] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\System32\svchost.exe[1180] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\System32\svchost.exe[1180] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\AUDIODG.EXE[1316] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\AUDIODG.EXE[1316] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\AUDIODG.EXE[1316] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\system32\AUDIODG.EXE[1316] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\SLsvc.exe[1352] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\SLsvc.exe[1352] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\rundll32.exe[1396] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET C:\Windows\system32\NVSVC.DLL (NVIDIA Driver Helper Service, Version 175.21/NVIDIA Corporation)
.text C:\Windows\system32\rundll32.exe[1396] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET C:\Windows\system32\NVSVC.DLL (NVIDIA Driver Helper Service, Version 175.21/NVIDIA Corporation)
.text C:\Windows\system32\rundll32.exe[1396] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET C:\Windows\system32\NVSVC.DLL (NVIDIA Driver Helper Service, Version 175.21/NVIDIA Corporation)
.text C:\Windows\system32\rundll32.exe[1396] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET C:\Windows\system32\NVSVC.DLL (NVIDIA Driver Helper Service, Version 175.21/NVIDIA Corporation)
.text C:\Windows\ehome\ehmsas.exe[1544] kernel32.dll!TerminateProcess 766018EF 6 Bytes PUSH 10002C59; RET
.text C:\Windows\ehome\ehmsas.exe[1544] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\ehome\ehmsas.exe[1544] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\ehome\ehmsas.exe[1544] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\ehome\ehmsas.exe[1544] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[1556] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[1556] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1604] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1604] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1604] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1604] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\svchost.exe[1608] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\svchost.exe[1608] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\svchost.exe[1608] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\system32\svchost.exe[1608] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe[1660] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe[1660] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe[1660] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe[1660] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\System32\spoolsv.exe[1828] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\System32\spoolsv.exe[1828] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\System32\spoolsv.exe[1828] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\System32\spoolsv.exe[1828] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\WUDFHost.exe[1916] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\WUDFHost.exe[1916] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\WUDFHost.exe[1916] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\system32\WUDFHost.exe[1916] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1956] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1956] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1956] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1956] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\Dwm.exe[1996] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET C:\Windows\system32\nvd3dum.dll (NVIDIA Compatible Vista WDDM D3D Driver, Version 175.21 /NVIDIA Corporation)
.text C:\Windows\system32\Dwm.exe[1996] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET C:\Windows\system32\nvd3dum.dll (NVIDIA Compatible Vista WDDM D3D Driver, Version 175.21 /NVIDIA Corporation)
.text C:\Windows\system32\Dwm.exe[1996] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET C:\Windows\system32\nvd3dum.dll (NVIDIA Compatible Vista WDDM D3D Driver, Version 175.21 /NVIDIA Corporation)
.text C:\Windows\system32\Dwm.exe[1996] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET C:\Windows\system32\nvd3dum.dll (NVIDIA Compatible Vista WDDM D3D Driver, Version 175.21 /NVIDIA Corporation)
.text C:\Windows\Explorer.EXE[2136] kernel32.dll!TerminateProcess 766018EF 6 Bytes PUSH 10002C59; RET
.text C:\Windows\Explorer.EXE[2136] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\Explorer.EXE[2136] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\Explorer.EXE[2136] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\Explorer.EXE[2136] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Program Files\Bonjour\mDNSResponder.exe[2172] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Program Files\Bonjour\mDNSResponder.exe[2172] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Program Files\Bonjour\mDNSResponder.exe[2172] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Program Files\Bonjour\mDNSResponder.exe[2172] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text c:\Program Files\Common Files\LightScribe\LSSrvc.exe[2260] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text c:\Program Files\Common Files\LightScribe\LSSrvc.exe[2260] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text c:\Program Files\Common Files\LightScribe\LSSrvc.exe[2260] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text c:\Program Files\Common Files\LightScribe\LSSrvc.exe[2260] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\WebUpdateSvc4.exe[2332] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\WebUpdateSvc4.exe[2332] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\WebUpdateSvc4.exe[2332] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\system32\WebUpdateSvc4.exe[2332] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\System32\svchost.exe[2456] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\System32\svchost.exe[2456] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\System32\svchost.exe[2456] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\System32\svchost.exe[2456] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[2580] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (PIF Engine/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[2580] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (PIF Engine/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[2580] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (PIF Engine/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[2580] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (PIF Engine/Symantec Corporation)
.text C:\PROGRA~1\AVG\AVG8\avgam.exe[2732] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\PROGRA~1\AVG\AVG8\avgam.exe[2732] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\PROGRA~1\AVG\AVG8\avgam.exe[2732] Advapi32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\PROGRA~1\AVG\AVG8\avgam.exe[2732] Advapi32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[2748] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[2748] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[2748] Advapi32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[2748] Advapi32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2756] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2756] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2756] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2756] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\svchost.exe[2804] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\svchost.exe[2804] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\svchost.exe[2804] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\system32\svchost.exe[2804] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\svchost.exe[2832] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\svchost.exe[2832] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\svchost.exe[2832] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\system32\svchost.exe[2832] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\wuauclt.exe[3112] kernel32.dll!TerminateProcess 766018EF 6 Bytes PUSH 10002C59; RET
.text C:\Windows\system32\wuauclt.exe[3112] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\wuauclt.exe[3112] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\wuauclt.exe[3112] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\system32\wuauclt.exe[3112] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\hp\support\hpsysdrv.exe[3212] kernel32.dll!TerminateProcess 766018EF 6 Bytes PUSH 10002C59; RET
.text C:\hp\support\hpsysdrv.exe[3212] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\hp\support\hpsysdrv.exe[3212] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\hp\support\hpsysdrv.exe[3212] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\hp\support\hpsysdrv.exe[3212] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Program Files\AVG\AVG8\avgtray.exe[3300] kernel32.dll!TerminateProcess 766018EF 6 Bytes PUSH 10002C59; RET
.text C:\Program Files\AVG\AVG8\avgtray.exe[3300] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Program Files\AVG\AVG8\avgtray.exe[3300] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Program Files\AVG\AVG8\avgtray.exe[3300] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Program Files\AVG\AVG8\avgtray.exe[3300] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\System32\rundll32.exe[3368] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET C:\Windows\system32\NvMcTray.dll (NVIDIA Media Center Library/NVIDIA Corporation)
.text C:\Windows\System32\rundll32.exe[3368] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET C:\Windows\system32\NvMcTray.dll (NVIDIA Media Center Library/NVIDIA Corporation)
.text C:\Windows\System32\rundll32.exe[3368] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET C:\Windows\system32\NvMcTray.dll (NVIDIA Media Center Library/NVIDIA Corporation)
.text C:\Windows\System32\rundll32.exe[3368] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET C:\Windows\system32\NvMcTray.dll (NVIDIA Media Center Library/NVIDIA Corporation)
.text C:\Windows\System32\rundll32.exe[3408] kernel32.dll!TerminateProcess 766018EF 6 Bytes PUSH 10002C59; RET
.text C:\Windows\System32\rundll32.exe[3408] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\System32\rundll32.exe[3408] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\System32\rundll32.exe[3408] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\System32\rundll32.exe[3408] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3500] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3500] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3500] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3500] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3512] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET C:\Program Files\Adobe\Acrobat 8.0\Acrobat\asneu.dll (AsnEndUser Dynamic Link Library/Adobe Systems Inc.)
.text C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3512] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET C:\Program Files\Adobe\Acrobat 8.0\Acrobat\asneu.dll (AsnEndUser Dynamic Link Library/Adobe Systems Inc.)
.text C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3512] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET C:\Program Files\Adobe\Acrobat 8.0\Acrobat\asneu.dll (AsnEndUser Dynamic Link Library/Adobe Systems Inc.)
.text C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3512] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET C:\Program Files\Adobe\Acrobat 8.0\Acrobat\asneu.dll (AsnEndUser Dynamic Link Library/Adobe Systems Inc.)
.text C:\Windows\system32\taskeng.exe[3540] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\taskeng.exe[3540] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\taskeng.exe[3540] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\system32\taskeng.exe[3540] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\ehome\ehtray.exe[3568] kernel32.dll!TerminateProcess 766018EF 6 Bytes PUSH 10002C59; RET
.text C:\Windows\ehome\ehtray.exe[3568] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\ehome\ehtray.exe[3568] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\ehome\ehtray.exe[3568] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\ehome\ehtray.exe[3568] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3576] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\gtn.dll (GoogleToolbarNotifier/Google Inc.)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3576] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\gtn.dll (GoogleToolbarNotifier/Google Inc.)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3576] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\gtn.dll (GoogleToolbarNotifier/Google Inc.)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3576] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\gtn.dll (GoogleToolbarNotifier/Google Inc.)
.text C:\Program Files\uTorrent\uTorrent.exe[3668] kernel32.dll!TerminateProcess 766018EF 6 Bytes PUSH 10002C59; RET
.text C:\Program Files\uTorrent\uTorrent.exe[3668] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Program Files\uTorrent\uTorrent.exe[3668] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Program Files\uTorrent\uTorrent.exe[3668] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Program Files\uTorrent\uTorrent.exe[3668] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3684] kernel32.dll!TerminateProcess 766018EF 6 Bytes PUSH 10002C59; RET
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3684] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3684] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3684] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3684] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[3740] kernel32.dll!SetUnhandledExceptionFilter 76626E2D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[3740] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET C:\Program Files\Pando Networks\Media Booster\nspr4.dll (NSPR Library/Mozilla Foundation)
.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[3740] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET C:\Program Files\Pando Networks\Media Booster\nspr4.dll (NSPR Library/Mozilla Foundation)
.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[3740] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET C:\Program Files\Pando Networks\Media Booster\nspr4.dll (NSPR Library/Mozilla Foundation)
.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[3740] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET C:\Program Files\Pando Networks\Media Booster\nspr4.dll (NSPR Library/Mozilla Foundation)
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[4144] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[4144] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[4144] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[4144] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\PROGRA~1\AVG\AVG8\avgdumpx.exe[4280] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\PROGRA~1\AVG\AVG8\avgdumpx.exe[4280] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\PROGRA~1\AVG\AVG8\avgdumpx.exe[4280] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\PROGRA~1\AVG\AVG8\avgdumpx.exe[4280] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\svchost.exe[4524] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\svchost.exe[4524] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\svchost.exe[4524] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\system32\svchost.exe[4524] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\Windows\system32\svchost.exe[4676] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\Windows\system32\svchost.exe[4676] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\Windows\system32\svchost.exe[4676] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\Windows\system32\svchost.exe[4676] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET
.text C:\hp\kbd\kbd.exe[5328] kernel32.dll!TerminateProcess 766018EF 6 Bytes PUSH 10002C59; RET
.text C:\hp\kbd\kbd.exe[5328] kernel32.dll!FindNextFileW 7662A6C1 6 Bytes PUSH 10001C87; RET
.text C:\hp\kbd\kbd.exe[5328] kernel32.dll!FindNextFileA 76631329 6 Bytes PUSH 10001C53; RET
.text C:\hp\kbd\kbd.exe[5328] ADVAPI32.dll!RegDeleteValueA 764AA565 6 Bytes PUSH 10001BBC; RET
.text C:\hp\kbd\kbd.exe[5328] ADVAPI32.dll!RegDeleteValueW 764ABC79 6 Bytes PUSH 10001BE4; RET

---- EOF - GMER 1.0.15 ----


#6 myrti

Posted 15 August 2010 - 02:11 PM

Hi,

yes, the 'devices' option causes freezes sometimes. I suspect the file you saw was: axldapow.sys, could that fit?

Please run ComboFix next:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


#7 mcdonn123

Posted 15 August 2010 - 08:46 PM

That's it! It was axldapow.sys

I'll run Combofix.exe and post the report and what happens

#8 mcdonn123

Posted 15 August 2010 - 10:44 PM

ComboFix 10-08-15.01 - Circuit City 08/15/2010 22:06:57.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.2041 [GMT -5:00]
Running from: c:\users\Circuit City\Documents\Desktop\ComboFix.exe
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\ntldrs
c:\programdata\sysReserve.ini
c:\users\Circuit City\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.dll
c:\users\Circuit City\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.lnk
c:\users\Circuit City\ntload.dll
c:\windows\system32\config\systemprofile\ntload.dll
c:\windows\system32\ctfmon_qj.exe
c:\windows\system32\drivers\gaopdxnhmgvpliqiepqsiwvcxxbyiageyvrtop.sys.rmv
c:\windows\system32\gaopdxcounter.rmv
c:\windows\system32\notepad.dll
c:\windows\system32\wr60069.dll
D:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-07-16 to 2010-08-16 )))))))))))))))))))))))))))))))
.

2010-08-16 03:19 . 2010-08-16 03:21 -------- d-----w- c:\users\Circuit City\AppData\Local\temp
2010-08-16 03:19 . 2010-08-16 03:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-14 20:43 . 2010-08-14 20:43 -------- d-----w- c:\program files\Safari
2010-08-13 21:34 . 2010-08-13 21:34 47616 ---ha-w- c:\windows\system32\hdwwplui.dll
2010-08-08 23:03 . 2010-08-08 23:03 -------- d-----w- c:\users\Circuit City\AppData\Roaming\Red Kawa
2010-08-08 22:46 . 2010-08-08 22:46 -------- d-----w- c:\users\Circuit City\AppData\Roaming\Regensoft
2010-08-07 14:31 . 2010-08-07 14:31 -------- d-----w- c:\users\Circuit City\AppData\Local\Geckofx
2010-08-05 13:59 . 2010-08-13 22:07 -------- d-----w- c:\program files\War Rock
2010-08-04 14:42 . 2010-08-04 14:55 -------- d-----w- c:\program files\Optimize
2010-07-30 23:01 . 2010-07-30 23:01 -------- d-----w- c:\programdata\ALM
2010-07-30 21:10 . 2010-07-30 21:10 -------- d-----w- c:\users\Circuit City\AppData\Roaming\UltraVNC
2010-07-30 18:56 . 2010-07-30 18:59 -------- d-----w- c:\program files\UltraVNC
2010-07-28 18:31 . 2010-07-28 18:31 -------- d-----w- c:\program files\MixMeister BPM Analyzer
2010-07-26 16:52 . 2010-07-26 19:12 -------- d-----w- c:\users\Circuit City\AppData\Roaming\TightVNC
2010-07-26 16:51 . 2010-08-03 16:59 -------- d-----w- c:\program files\TightVNC
2010-07-26 16:38 . 2010-07-26 16:38 -------- d-----w- c:\users\Circuit City\AppData\Local\IsolatedStorage
2010-07-26 16:38 . 2010-07-26 16:38 -------- d-----w- c:\users\Circuit City\AppData\Roaming\SmartCode Solutions
2010-07-25 15:40 . 2010-07-25 15:40 -------- d-----w- c:\programdata\OptiTex
2010-07-25 15:33 . 2010-07-25 15:33 -------- d-----w- c:\users\Circuit City\AppData\Roaming\DAZ 3D
2010-07-22 02:25 . 2010-07-22 02:25 -------- d-----w- c:\users\Circuit City\AppData\Roaming\Secunia CSI
2010-07-22 02:25 . 2010-07-22 02:25 -------- d-----w- c:\program files\Secunia
2010-07-21 16:54 . 2010-08-05 14:27 -------- d-----w- c:\users\Circuit City\AppData\Local\GamersFirst LIVE!
2010-07-21 16:53 . 2010-08-16 03:18 -------- d-----w- c:\users\Circuit City\AppData\Local\PMB Files
2010-07-21 16:53 . 2010-08-05 14:26 -------- d-----w- c:\programdata\PMB Files
2010-07-21 16:53 . 2010-07-21 16:53 -------- d-----w- c:\program files\Pando Networks
2010-07-20 19:28 . 2010-07-25 13:58 -------- d-----w- c:\programdata\123VDM
2010-07-19 22:04 . 2010-07-19 22:04 -------- d-----w- c:\program files\Sonic Foundry
2010-07-19 22:04 . 2010-07-20 18:35 -------- d-----w- c:\program files\DebugMode
2010-07-19 18:20 . 2010-07-19 18:20 -------- d-----w- c:\program files\AKVIS
2010-07-18 15:50 . 2010-07-18 15:50 -------- d-----w- c:\users\Circuit City\AppData\Roaming\Free Mp3 Wma Ogg Converter
2010-07-18 15:50 . 2010-07-18 15:50 -------- d-----w- c:\program files\AutocompletePro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-16 03:23 . 2009-09-26 17:56 -------- d-----w- c:\users\Circuit City\AppData\Roaming\uTorrent
2010-08-15 22:07 . 2007-10-30 21:04 -------- d-----w- c:\programdata\Google Updater
2010-08-14 20:45 . 2009-02-28 01:09 175696 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-14 14:24 . 2009-10-22 22:36 -------- d-----w- c:\program files\Warzone 2100
2010-08-10 03:40 . 2009-04-22 04:13 -------- d-----w- c:\users\Circuit City\AppData\Roaming\Orbit
2010-08-10 02:06 . 2009-09-03 22:34 -------- d-----w- c:\users\Circuit City\AppData\Roaming\LimeWire
2010-08-09 06:39 . 2009-01-28 13:04 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-08-04 14:57 . 2009-04-25 05:02 -------- d-----w- c:\program files\Spyware Doctor
2010-08-04 14:55 . 2007-07-09 13:29 107288 ----a-w- c:\users\Circuit City\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-04 13:49 . 2008-02-09 04:52 -------- d-----w- c:\program files\WarRock
2010-08-03 17:06 . 2007-04-25 19:11 -------- d-----w- c:\program files\Common Files\Real
2010-08-03 17:05 . 2007-04-25 19:12 -------- d-----w- c:\program files\Common Files\muvee Technologies
2010-08-03 17:05 . 2007-04-25 18:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-03 16:57 . 2007-04-25 19:01 -------- d-----w- c:\programdata\HP
2010-08-02 00:56 . 2010-06-06 00:30 -------- d-----w- c:\programdata\FLEXnet
2010-07-31 21:39 . 2007-04-25 19:15 -------- d-----w- c:\programdata\Microsoft Help
2010-07-31 21:29 . 2007-04-25 18:43 -------- d-----w- c:\program files\Hewlett-Packard
2010-07-31 21:09 . 2007-04-25 19:24 -------- d-----w- c:\program files\Yahoo!
2010-07-26 16:54 . 2009-12-22 14:48 -------- d-----w- c:\users\Circuit City\AppData\Roaming\FileZilla
2010-07-26 16:32 . 2007-04-25 19:17 -------- d-----w- c:\program files\Microsoft.NET
2010-07-26 16:32 . 2008-07-17 22:13 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-07-21 16:53 . 2009-06-14 20:44 -------- d-----w- c:\program files\GamersFirst
2010-06-22 01:19 . 2009-04-25 20:20 -------- d-----w- c:\program files\ffdshow
2010-06-22 01:18 . 2008-12-26 07:13 -------- d-----w- c:\program files\AviSynth 2.5
2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-03-04 22:54 . 2010-03-04 22:54 198656 --sha-w- c:\windows\System32\config\systemprofile\AppData\Local\av.exe
2008-01-19 07:34 . 2008-04-18 00:46 27136 --sha-w- c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7986BACF-F27A-307F-9374-C6B7EADB9058}]
2009-04-11 14:47 200704 ----a-w- c:\windows\System32\xwr60069.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-30 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-05-18 322352]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-07-21 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-07 44168]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
GamersFirst LIVE!.lnk - c:\program files\GamersFirst\LIVE!\Live.exe [2010-7-6 2805104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 02:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-808472312-2103218499-2355469710-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000003

R2 gupdate;Google Update Service;c:\program files\Google\Update\GoogleUpdate.exe [2008-09-03 133104]
R3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\DRIVERS\fantom.sys [2006-03-10 39424]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-01-28 717296]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2007-03-20 28672]
S3 rt61x86;Linksys Wireless-G PCI Adapter Driver;c:\windows\system32\DRIVERS\WMP54Gv41x86.sys [2007-03-12 286208]

.
Contents of the 'Scheduled Tasks' folder

2010-08-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-30 04:47]

2010-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-17 22:33]

2010-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-17 22:33]

2010-08-15 c:\windows\Tasks\User_Feed_Synchronization-{A9F4DD0C-40BF-4ED2-BF44-FA5BE4D28BC6}.job
- c:\windows\system32\msfeedssync.exe [2008-04-18 07:33]
.
.
------- Supplementary Scan -------
.
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Circuit City\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: adobe.com\www
Trusted Zone: bitzi.com
Trusted Zone: kongregate.com\www
Trusted Zone: roblox.com\www
Trusted Zone: travian.com\s2
Trusted Zone: tribalwars.net\en23
Trusted Zone: youtube.com\www
FF - ProfilePath - c:\users\Circuit City\AppData\Roaming\Mozilla\Firefox\Profiles\i0crukjk.default\
FF - component: c:\users\Circuit City\AppData\Roaming\Mozilla\Firefox\Profiles\i0crukjk.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Microsoft Works Update Detection - c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
AddRemove-Mall Tycoon - c:\program files\Take2 Interactive\Mall Tycoon\Uninst.isu
AddRemove-OpenAL - c:\program files\OpenAL\oalinst.exe
AddRemove-Simtowerv1.0 - c:\maxis\Simtower\DeIsL1.isu
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\S-1-5-21-808472312-2103218499-2355469710-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:19,a9,17,2a,8e,89,c4,d0,db,81,f4,9a,b6,d8,7a,73,47,72,17,e6,e2,
0d,1d,45,b0,8b,1c,9c,60,1f,f0,ec,62,02,c8,cc,81,db,26,bf,25,00,4c,8b,89,74,\
"rkeysecu"=hex:53,59,84,79,ab,93,52,e1,3c,c8,3c,c4,f4,bc,4e,0c
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\windows\system32\WUDFHost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\hp\kbd\kbd.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-08-15 22:31:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-16 03:31

Pre-Run: 220,141,338,624 bytes free
Post-Run: 223,946,727,424 bytes free

- - End Of File - - 1E9E774C95BDEEE4E864BBECCF42F36A


#9 myrti

Posted 16 August 2010 - 02:22 PM

Hi,

There are a couple of leftovers, please do the following:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\System32\config\systemprofile\AppData\Local\av.exe
c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.dll


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti



#10 mcdonn123

Posted 16 August 2010 - 08:34 PM

ComboFix 10-08-16.01 - Circuit City 08/16/2010 18:21:46.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.1800 [GMT -5:00]
Running from: c:\users\Circuit City\Documents\Desktop\ComboFix.exe
Command switches used :: c:\users\Circuit City\Documents\Desktop\CFScript.txt
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\System32\config\systemprofile\AppData\Local\av.exe"
"c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\config\systemprofile\AppData\Local\av.exe
c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.dll
c:\windows\system32\xwr60069.dll

.
((((((((((((((((((((((((( Files Created from 2010-07-16 to 2010-08-16 )))))))))))))))))))))))))))))))
.

2010-08-16 23:28 . 2010-08-16 23:28 -------- d-----w- c:\users\Circuit City\AppData\Local\temp
2010-08-16 23:28 . 2010-08-16 23:28 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-16 23:28 . 2010-08-16 23:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-16 23:28 . 2010-08-16 23:28 -------- d-----w- c:\users\Circuit_City\AppData\Local\temp
2010-08-16 08:11 . 2009-09-04 22:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-08-16 08:11 . 2009-09-04 22:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-08-16 08:11 . 2010-08-16 08:11 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-08-16 08:06 . 2010-04-14 17:47 293376 ----a-w- c:\windows\system32\psisdecd.dll
2010-08-16 08:06 . 2010-04-14 17:46 428544 ----a-w- c:\windows\system32\EncDec.dll
2010-08-16 08:03 . 2009-11-08 15:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-08-16 08:03 . 2009-11-08 15:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-08-16 08:03 . 2009-11-08 15:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-08-16 08:03 . 2009-11-08 15:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-08-16 08:03 . 2009-11-08 15:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-08-16 08:02 . 2010-02-20 23:39 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-08-16 08:02 . 2010-02-20 23:37 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-08-16 08:02 . 2010-02-20 21:18 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-08-16 08:01 . 2010-08-16 08:01 -------- d-----w- c:\program files\MSXML 4.0
2010-08-16 05:30 . 2010-06-11 15:31 274432 ----a-w- c:\windows\system32\schannel.dll
2010-08-16 05:28 . 2010-06-11 15:30 1257472 ----a-w- c:\windows\system32\msxml3.dll
2010-08-16 05:28 . 2009-10-19 14:27 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-08-16 05:28 . 2009-08-14 16:29 17920 ----a-w- c:\windows\system32\netevent.dll
2010-08-16 05:28 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2010-08-16 05:28 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-08-16 05:28 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-08-16 05:28 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-08-16 05:28 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-08-16 05:28 . 2009-08-14 14:16 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-08-16 05:28 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-08-16 05:28 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
2010-08-16 05:25 . 2008-12-06 04:42 376832 ----a-w- c:\windows\system32\winhttp.dll
2010-08-16 05:25 . 2010-04-05 16:07 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-08-16 05:25 . 2010-03-04 18:54 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-08-16 05:25 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2010-08-16 05:25 . 2010-04-16 16:05 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-08-16 05:25 . 2010-04-16 14:17 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-08-16 05:22 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2010-08-16 05:21 . 2010-06-18 14:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-16 05:21 . 2010-06-18 14:43 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-16 05:21 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2010-08-16 05:21 . 2010-01-25 12:48 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-08-16 05:21 . 2010-01-25 12:48 472064 ----a-w- c:\windows\system32\secproc.dll
2010-08-16 05:21 . 2010-01-25 08:35 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-08-16 05:21 . 2010-01-25 08:35 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-08-16 05:21 . 2010-01-25 08:34 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-08-16 05:21 . 2010-01-25 08:34 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-08-16 05:21 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-08-16 05:21 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-08-16 05:21 . 2010-01-25 12:45 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-08-16 05:17 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-08-16 05:16 . 2009-09-10 15:21 310784 ----a-w- c:\windows\system32\unregmp2.exe
2010-08-16 05:16 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2010-08-16 05:16 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2010-08-16 05:16 . 2009-09-10 15:21 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-08-16 04:49 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-08-16 04:49 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
2010-08-16 04:42 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-08-16 04:42 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2010-08-16 04:42 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2010-08-16 04:42 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-08-16 04:42 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2010-08-16 04:42 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2010-08-16 04:42 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-08-16 04:42 . 2009-08-07 00:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-08-16 04:42 . 2009-08-06 23:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-08-14 20:43 . 2010-08-14 20:43 -------- d-----w- c:\program files\Safari
2010-08-13 21:34 . 2010-08-13 21:34 47616 ---ha-w- c:\windows\system32\hdwwplui.dll
2010-08-08 23:03 . 2010-08-08 23:03 -------- d-----w- c:\users\Circuit City\AppData\Roaming\Red Kawa
2010-08-08 22:46 . 2010-08-08 22:46 -------- d-----w- c:\users\Circuit City\AppData\Roaming\Regensoft
2010-08-07 14:31 . 2010-08-07 14:31 -------- d-----w- c:\users\Circuit City\AppData\Local\Geckofx
2010-08-05 13:59 . 2010-08-13 22:07 -------- d-----w- c:\program files\War Rock
2010-08-04 14:42 . 2010-08-04 14:55 -------- d-----w- c:\program files\Optimize
2010-08-03 16:56 . 2007-01-12 16:36 1089536 ------w- c:\programdata\HP\Installer\Temp\hpzscr01.exe
2010-08-03 16:56 . 2007-01-12 16:29 1126400 ------w- c:\programdata\HP\Installer\Temp\hpzmsi01.exe
2010-07-30 23:01 . 2010-07-30 23:01 -------- d-----w- c:\programdata\ALM
2010-07-30 21:10 . 2010-07-30 21:10 -------- d-----w- c:\users\Circuit City\AppData\Roaming\UltraVNC
2010-07-30 18:56 . 2010-07-30 18:59 -------- d-----w- c:\program files\UltraVNC
2010-07-29 00:29 . 2010-07-23 22:22 1496064 ----a-w- c:\users\Circuit City\AppData\Roaming\Mozilla\Firefox\Profiles\i0crukjk.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-07-29 00:29 . 2010-07-23 22:22 43008 ----a-w- c:\users\Circuit City\AppData\Roaming\Mozilla\Firefox\Profiles\i0crukjk.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-07-29 00:29 . 2010-07-23 22:22 338944 ----a-w- c:\users\Circuit City\AppData\Roaming\Mozilla\Firefox\Profiles\i0crukjk.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-07-29 00:29 . 2010-07-23 22:22 346112 ----a-w- c:\users\Circuit City\AppData\Roaming\Mozilla\Firefox\Profiles\i0crukjk.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-07-28 18:31 . 2010-07-28 18:31 -------- d-----w- c:\program files\MixMeister BPM Analyzer
2010-07-26 16:52 . 2010-07-26 19:12 -------- d-----w- c:\users\Circuit City\AppData\Roaming\TightVNC
2010-07-26 16:51 . 2010-08-03 16:59 -------- d-----w- c:\program files\TightVNC
2010-07-26 16:38 . 2010-07-26 16:38 -------- d-----w- c:\users\Circuit City\AppData\Local\IsolatedStorage
2010-07-26 16:38 . 2010-07-26 16:38 -------- d-----w- c:\users\Circuit City\AppData\Roaming\SmartCode Solutions
2010-07-25 15:40 . 2010-07-25 15:40 -------- d-----w- c:\programdata\OptiTex
2010-07-25 15:33 . 2010-07-25 15:33 -------- d-----w- c:\users\Circuit City\AppData\Roaming\DAZ 3D
2010-07-23 11:13 . 2010-07-23 11:13 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe
2010-07-22 02:25 . 2010-07-22 02:25 -------- d-----w- c:\users\Circuit City\AppData\Roaming\Secunia CSI
2010-07-22 02:25 . 2010-07-22 02:25 -------- d-----w- c:\program files\Secunia
2010-07-21 16:54 . 2010-08-05 14:27 -------- d-----w- c:\users\Circuit City\AppData\Local\GamersFirst LIVE!
2010-07-21 16:53 . 2010-08-16 23:28 -------- d-----w- c:\users\Circuit City\AppData\Local\PMB Files
2010-07-21 16:53 . 2010-08-05 14:26 -------- d-----w- c:\programdata\PMB Files
2010-07-21 16:53 . 2010-07-21 16:53 -------- d-----w- c:\program files\Pando Networks
2010-07-20 19:28 . 2010-07-25 13:58 -------- d-----w- c:\programdata\123VDM
2010-07-19 22:04 . 2010-07-19 22:04 -------- d-----w- c:\program files\Sonic Foundry
2010-07-19 22:04 . 2010-07-20 18:35 -------- d-----w- c:\program files\DebugMode
2010-07-19 18:20 . 2010-07-19 18:20 -------- d-----w- c:\program files\AKVIS
2010-07-18 15:50 . 2010-07-18 15:50 -------- d-----w- c:\users\Circuit City\AppData\Roaming\Free Mp3 Wma Ogg Converter
2010-07-18 15:50 . 2010-07-18 15:50 -------- d-----w- c:\program files\AutocompletePro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-16 23:08 . 2007-10-30 21:04 -------- d-----w- c:\programdata\Google Updater
2010-08-16 12:59 . 2009-09-26 17:56 -------- d-----w- c:\users\Circuit City\AppData\Roaming\uTorrent
2010-08-16 08:36 . 2007-07-09 13:29 107856 ----a-w- c:\users\Circuit City\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-16 08:30 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-16 08:03 . 2007-04-25 19:15 -------- d-----w- c:\program files\Microsoft Works
2010-08-15 19:16 . 2008-11-05 00:17 1 ----a-w- c:\users\Circuit City\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-08-14 20:45 . 2009-02-28 01:09 175696 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-14 14:24 . 2009-10-22 22:36 -------- d-----w- c:\program files\Warzone 2100
2010-08-10 03:40 . 2009-04-22 04:13 -------- d-----w- c:\users\Circuit City\AppData\Roaming\Orbit
2010-08-10 02:06 . 2009-09-03 22:34 -------- d-----w- c:\users\Circuit City\AppData\Roaming\LimeWire
2010-08-09 06:39 . 2009-01-28 13:04 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-08-04 14:57 . 2009-04-25 05:02 -------- d-----w- c:\program files\Spyware Doctor
2010-08-04 13:49 . 2008-02-09 04:52 -------- d-----w- c:\program files\WarRock
2010-08-03 17:06 . 2007-04-25 19:11 -------- d-----w- c:\program files\Common Files\Real
2010-08-03 17:05 . 2007-04-25 19:12 -------- d-----w- c:\program files\Common Files\muvee Technologies
2010-08-03 17:05 . 2007-04-25 18:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-03 16:57 . 2007-04-25 19:01 -------- d-----w- c:\programdata\HP
2010-08-02 00:56 . 2010-06-06 00:30 -------- d-----w- c:\programdata\FLEXnet
2010-07-31 21:39 . 2007-04-25 19:15 -------- d-----w- c:\programdata\Microsoft Help
2010-07-31 21:29 . 2007-04-25 18:43 -------- d-----w- c:\program files\Hewlett-Packard
2010-07-31 21:09 . 2007-04-25 19:24 -------- d-----w- c:\program files\Yahoo!
2010-07-26 16:54 . 2009-12-22 14:48 -------- d-----w- c:\users\Circuit City\AppData\Roaming\FileZilla
2010-07-26 16:32 . 2007-04-25 19:17 -------- d-----w- c:\program files\Microsoft.NET
2010-07-26 16:32 . 2008-07-17 22:13 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-07-21 16:53 . 2009-06-14 20:44 -------- d-----w- c:\program files\GamersFirst
2010-06-28 16:17 . 2010-08-16 05:27 833024 ----a-w- c:\windows\system32\wininet.dll
2010-06-28 16:13 . 2010-08-16 05:27 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-22 01:19 . 2009-04-25 20:20 -------- d-----w- c:\program files\ffdshow
2010-06-22 01:18 . 2008-12-26 07:13 -------- d-----w- c:\program files\AviSynth 2.5
2010-06-21 13:18 . 2010-08-16 05:23 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-06-18 16:43 . 2010-08-16 05:23 36352 ----a-w- c:\windows\system32\rtutils.dll
2010-06-16 15:59 . 2010-08-16 05:20 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-06-08 17:00 . 2010-08-16 05:22 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-08 17:00 . 2010-08-16 05:22 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-05-27 19:16 . 2010-08-16 05:27 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-05-26 16:16 . 2010-08-16 05:23 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:25 . 2010-08-16 05:23 289792 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-30 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-05-18 322352]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-07-21 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-07 44168]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
GamersFirst LIVE!.lnk - c:\program files\GamersFirst\LIVE!\Live.exe [2010-7-6 2805104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 02:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-808472312-2103218499-2355469710-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000003

R2 gupdate;Google Update Service;c:\program files\Google\Update\GoogleUpdate.exe [2008-09-03 133104]
R3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\DRIVERS\fantom.sys [2006-03-10 39424]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-01-28 717296]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2007-03-20 28672]
S3 rt61x86;Linksys Wireless-G PCI Adapter Driver;c:\windows\system32\DRIVERS\WMP54Gv41x86.sys [2007-03-12 286208]

.
Contents of the 'Scheduled Tasks' folder

2010-08-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-30 04:47]

2010-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-17 22:33]

2010-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-17 22:33]

2010-08-16 c:\windows\Tasks\User_Feed_Synchronization-{A9F4DD0C-40BF-4ED2-BF44-FA5BE4D28BC6}.job
- c:\windows\system32\msfeedssync.exe [2008-04-18 07:33]
.
.
------- Supplementary Scan -------
.
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Circuit City\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: adobe.com\www
Trusted Zone: bitzi.com
Trusted Zone: kongregate.com\www
Trusted Zone: roblox.com\www
Trusted Zone: travian.com\s2
Trusted Zone: tribalwars.net\en23
Trusted Zone: youtube.com\www
FF - ProfilePath - c:\users\Circuit City\AppData\Roaming\Mozilla\Firefox\Profiles\i0crukjk.default\
FF - component: c:\users\Circuit City\AppData\Roaming\Mozilla\Firefox\Profiles\i0crukjk.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{7986BACF-F27A-307F-9374-C6B7EADB9058} - c:\windows\system32\xwr60069.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-16 18:28
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\S-1-5-21-808472312-2103218499-2355469710-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:19,a9,17,2a,8e,89,c4,d0,db,81,f4,9a,b6,d8,7a,73,47,72,17,e6,e2,
0d,1d,45,b0,8b,1c,9c,60,1f,f0,ec,62,02,c8,cc,81,db,26,bf,25,00,4c,8b,89,74,\
"rkeysecu"=hex:53,59,84,79,ab,93,52,e1,3c,c8,3c,c4,f4,bc,4e,0c
.
Completion time: 2010-08-16 18:31:29
ComboFix-quarantined-files.txt 2010-08-16 23:31
ComboFix2.txt 2010-08-16 03:31

Pre-Run: 227,033,776,128 bytes free
Post-Run: 226,995,871,744 bytes free

- - End Of File - - 4AA1360EFE659EBEEAC978F2F3853224
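Two items in the Reg Loading Points section above deserve more attention than a log reader skimming for malware names would give them: `EnableLUA`= 0 under the system policies key (UAC switched off, so every process the logged-in administrator starts is fully elevated) and the three `DisableMonitoring`=1 values under the Security Center key (the Security Center stops reporting a missing or dead antivirus and firewall). The script below is an added example, not part of this thread and not ComboFix's own code: it parses the REGEDIT4-style dump ComboFix prints and flags those values. The sample text is copied from the log above; the RULES table, the function names and the explanations are this example's own assumptions about what a triager wants highlighted.

```python
r"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of this thread and not ComboFix's own code. It reads
the REGEDIT4-style key/value dump ComboFix prints and flags settings that
weaken the host's security posture. SAMPLE is copied from the log posted
above; the RULES table is this example's own assumption about what a triager
wants highlighted.
"""
import re

# Constructed sample: a subset of the Reg Loading Points from the log above.
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-30 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-808472312-2103218499-2355469710-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000003
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
NUM_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")


def parse_number(data):
    """Decode the two numeric forms ComboFix prints: 'dword:00000001' and '0 (0x0)'."""
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    m = NUM_RE.match(data)
    return int(m.group(1)) if m else None


def parse_values(text):
    """Map (key path, value name), both lower-cased, to numeric data; string values are skipped."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            num = parse_number(m.group(2).strip())
            if num is not None:
                values[(key, m.group(1).lower())] = num
    return values


# (substring of the key path, value name, value that is bad, why). This example's own list.
RULES = [
    (r"\policies\system", "enablelua", 0,
     "UAC is disabled: anything the admin user runs gets a full administrator token"),
    (r"\security center\monitoring", "disablemonitoring", 1,
     "Security Center monitoring is off: a missing or dead AV/firewall is not reported"),
]


def triage(values):
    """Return [(key, name, value, why)] for every value that matches a rule."""
    findings = []
    for (key, name), num in sorted(values.items()):
        for key_part, rule_name, bad, why in RULES:
            if name == rule_name and num == bad and key_part in key:
                findings.append((key, name, num, why))
    return findings


if __name__ == "__main__":
    for key, name, num, why in triage(parse_values(SAMPLE)):
        print(f"[{key}] {name}={num}: {why}")
```

Run against the sample it reports four findings: the disabled UAC and the three Security Center monitoring switches. `SoftwareSASGeneration`= 1 (services may synthesize Ctrl+Alt+Del) is not flagged because it is the setting VNC servers such as the UltraVNC and TightVNC installs listed in the log need in order to send a secure attention sequence; whether that is expected on this machine is a question for the owner, not the parser.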


#11 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home
  • Local time:11:25 PM

Posted 18 August 2010 - 04:02 PM

Hi,

the log is looking good. How is the PC doing?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#12 mcdonn123
  • Topic Starter
  • Members
  • 23 posts
  • Gender:Male
  • Local time:04:25 PM

Posted 18 August 2010 - 05:56 PM

It seems to be going very well!
Thank you very much!!

#13 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home
  • Local time:11:25 PM

Posted 18 August 2010 - 06:30 PM

Hi,

that is great! Please run a scan with ESET next to check for leftovers:
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#14 mcdonn123
  • Topic Starter
  • Members
  • 23 posts
  • Gender:Male
  • Local time:04:25 PM

Posted 19 August 2010 - 08:04 AM

C:\Program Files\War Rock\system\WarRock.exe a variant of Win32/Packed.Themida application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\autorun.inf.vir INF/Autorun.gen trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\ntldrs.vir Win32/Spy.Zbot.UN trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Circuit City\ntload.dll.vir a variant of Win32/Kryptik.BLS trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Circuit City\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.dll.vir a variant of Win32/Kryptik.BLS trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\ctfmon_qj.exe.vir a variant of Win32/BHO.NOU trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\notepad.dll.vir a variant of Win32/Kryptik.BLS trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\wr60069.dll.vir Win32/BHO.NRO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\xwr60069.dll.vir Win32/BHO.NRO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\config\systemprofile\ntload.dll.vir a variant of Win32/Kryptik.BLS trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\config\systemprofile\AppData\Local\av.exe.vir a variant of Win32/Kryptik.CSL trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.dll.vir a variant of Win32/Kryptik.BLS trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\drivers\gaopdxnhmgvpliqiepqsiwvcxxbyiageyvrtop.sys.rmv.vir a variant of Win32/Kryptik.UZ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\D\autorun.inf.vir INF/Autorun.gen trojan cleaned by deleting - quarantined
C:\Users\Circuit City\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\42d2050f-63d3834e multiple threats deleted - quarantined
C:\Users\Circuit City\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\4c3fce10-73911c10 Java/TrojanDownloader.Agent.NAQ trojan deleted - quarantined
C:\Users\Circuit City\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\2c3b3a57-2ff53a07 Java/TrojanDownloader.Agent.NAP trojan deleted - quarantined
C:\Users\Circuit City\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\11dcc79b-4cd15a56 multiple threats deleted - quarantined
C:\Users\Circuit City\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2938ae1-6aa03941 Java/TrojanDownloader.Agent.NAM trojan deleted - quarantined
C:\Users\Circuit City\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2a72d0a1-720ca931 multiple threats deleted - quarantined
C:\Users\Circuit City\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\5b744b61-57f32551 multiple threats deleted - quarantined
C:\Users\Circuit City\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\15115563-42df8a9b a variant of OSX/Exploit.Smid.C trojan deleted - quarantined
C:\Users\Circuit City\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\6bafd9a6-4cb41bd1 Java/TrojanDownloader.Agent.NBM trojan deleted - quarantined
C:\Users\Circuit City\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\b2b4eb5-2823e9c6 multiple threats deleted - quarantined
C:\Users\Circuit City\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\481ee53d-72be1f3b probably a variant of Win32/Agent.ERYPENX trojan deleted - quarantined
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\JnteZAVORP1CORV0.htmlZoU2773a43bH9198eb30V03009f35002R91adf88c108Tda436812Q000002fc900801F0020000aJ12000601l0409325 a variant of Win32/Cimag.CJ trojan deleted - quarantined
C:\Windows\System32\hdwwplui.dll a variant of Win32/Kryptik.GBK trojan cleaned by deleting - quarantined
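Most lines in the ESET result above point into C:\Qoobox\Quarantine, which is ComboFix's own quarantine: those files were already renamed to .vir and are inert, so ESET finding them says nothing about the live system. The lines that matter are the ones outside it, and one of them, C:\Windows\System32\hdwwplui.dll, is the hidden 47616-byte file ComboFix listed above as created on 2010-08-13. The script below is an added example, not part of this thread and not ESET's own code: it parses the result lines and sorts them into quarantine, Java-cache and live buckets so the live hits stand out. The sample lines are copied from the result above; the bucket names, the "trojan" suffix test and the function names are this example's own assumptions.

```python
r"""Triage an ESET Online Scanner result list.

Added example, not part of this thread and not ESET's own code. It splits
detections into three buckets: hits inside ComboFix's own quarantine
(C:\Qoobox\Quarantine, files already renamed to .vir and inert), hits in the
Java deployment cache (cached applets, evidence of drive-by attempts rather
than running malware), and hits on live paths, which are what still needs
attention. SAMPLE is copied from the scan result posted above; the bucket
names and the "trojan" suffix test are this example's own assumptions.
"""
import re

# Constructed sample: a subset of the ESET result lines posted above.
SAMPLE = r"""
C:\Program Files\War Rock\system\WarRock.exe a variant of Win32/Packed.Themida application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\ntldrs.vir Win32/Spy.Zbot.UN trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\drivers\gaopdxnhmgvpliqiepqsiwvcxxbyiageyvrtop.sys.rmv.vir a variant of Win32/Kryptik.UZ trojan cleaned by deleting - quarantined
C:\Users\Circuit City\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\42d2050f-63d3834e multiple threats deleted - quarantined
C:\Users\Circuit City\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\4c3fce10-73911c10 Java/TrojanDownloader.Agent.NAQ trojan deleted - quarantined
C:\Windows\System32\hdwwplui.dll a variant of Win32/Kryptik.GBK trojan cleaned by deleting - quarantined
"""

# path (may contain spaces) | detection name | action | "- quarantined"
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?"
    r"(?:[A-Za-z0-9/._-]+(?: trojan| application)?|multiple threats))\s+"
    r"(?P<action>cleaned by deleting|deleted)\s+-\s+quarantined$"
)


def parse_line(line):
    """Return {'path', 'detection', 'action'} for one result line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path):
    """Bucket a detection by where it was found (this example's own categories)."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "combofix-quarantine"   # already neutralised by ComboFix
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache"            # cached exploit applets, not running code
    return "live"


def triage(text):
    """Parse every result line and group the records by bucket."""
    buckets = {"combofix-quarantine": [], "java-cache": [], "live": []}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            rec["bucket"] = classify(rec["path"])
            buckets[rec["bucket"]].append(rec)
    return buckets


def live_trojans(buckets):
    """Live-path hits ESET labels as trojans; packer/PUA 'application' hits are left for manual review."""
    return [r for r in buckets["live"] if r["detection"].endswith(" trojan")]


if __name__ == "__main__":
    b = triage(SAMPLE)
    for name, recs in b.items():
        print(f"{name}: {len(recs)}")
    for r in live_trojans(b):
        print("LIVE:", r["path"], "->", r["detection"])
```

On the sample this leaves one live trojan, hdwwplui.dll, and one live "application" hit, the Themida-packed WarRock.exe, which is a packer detection on a game executable and belongs in the manual-review pile rather than the malware pile. That split is the reason a helper asks for a fresh log after an ESET run rather than treating a long result list as proof of a clean or dirty system.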


#15 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home
  • Local time:11:25 PM

Posted 19 August 2010 - 08:51 AM

Hi,

please repost a log from OTL, there may be some malware left.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 





