
Google page redirects?


This topic is locked
19 replies to this topic

#1 Childsp

  • Members
  • 15 posts

Posted 05 September 2010 - 11:48 AM


DDS (Ver_10-03-17.01) - NTFSX64
Run by Childsp at 11:13:16.45 on Sun 09/05/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_19
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4094.2677 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Microsoft LifeCam\MSCamS64.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Hawking\Common\RaUI.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Childsp\Downloads\HijackThis.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Childsp\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mLocal Page = c:\windows\syswow64\blank.htm
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files (x86)\avg\avg9\toolbar\IEToolbar.dll
mWinlogon: Userinit=userinit.exe
BHO: AutorunsDisabled - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files (x86)\avg\avg9\avgssie.dll
uRun: [Skype] "c:\program files (x86)\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SpybotSD TeaTimer] c:\program files (x86)\spybot - search & destroy\TeaTimer.exe
mRun: [LifeCam] "c:\program files (x86)\microsoft lifecam\LifeExp.exe"
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\users\childsp\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files (x86)\magicdisc\MagicDisc.exe
StartupFolder: c:\users\childsp\appdata\roaming\microsoft\windows\start menu\programs\startup\autorunsdisabled\29_.ahk
StartupFolder: c:\users\childsp\appdata\roaming\micros~1\windows\startm~1\programs\startup\autoru~1\openof~1.lnk - c:\program files (x86)\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\hwdn1w~1.lnk - c:\program files (x86)\hawking\common\RaUI.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\autoru~1\citrus~1.lnk - c:\program files (x86)\citrus alarm clock\Citrus Alarm Clock.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: AutorunsDisabled\linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files (x86)\avg\avg9\avgpp.dll
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files (x86)\avg\avg9\toolbar\IEToolbar.dll
BHO-X64: AutorunsDisabled - No File
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
AppInit_DLLs-X64: avgrssta.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\childsp\appdata\roaming\mozilla\firefox\profiles\21fsz237.default\
FF - component: c:\program files (x86)\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files (x86)\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\users\childsp\appdata\roaming\mozilla\firefox\profiles\21fsz237.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\program files (x86)\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files (x86)\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files (x86)\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\users\childsp\appdata\roaming\mozilla\firefox\profiles\21fsz237.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
FF - plugin: c:\windows\syswow64\macromed\flash\NPSWF32.dll
FF - HiddenExtension: XULRunner: {73F696E0-FCBD-49DD-BC11-2309451039B5} - c:\users\childsp\appdata\local\{73f696e0-fcbd-49dd-bc11-2309451039b5}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-8-26 69152]
R1 AvgLdx64;AVG Free AVI Loader Driver x64;c:\windows\system32\drivers\avgldx64.sys [2010-8-26 269904]
R1 AvgMfx64;AVG Free On-access Scanner Minifilter Driver x64;c:\windows\system32\drivers\avgmfx64.sys [2010-8-26 35536]
R1 AvgTdiA;AVG Free Network Redirector x64;c:\windows\system32\drivers\avgtdia.sys [2010-8-26 317520]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 59904]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-4-3 240232]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-3-1 36720]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2010-8-9 344680]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2010-5-25 20568]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\lavasoft\ad-aware\kernexplorer64.sys [2010-8-12 16928]
S3 netr28ux;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\netr28ux.sys [2009-5-25 966144]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl64.sys [2009-10-16 50176]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 17920]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-5 1255736]
S4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files (x86)\avg\avg9\toolbar\ToolbarBroker.exe [2010-8-26 431432]
S4 avg9emc;AVG Free E-mail Scanner;c:\program files (x86)\avg\avg9\avgemc.exe [2010-8-26 921952]
S4 avg9wd;AVG Free WatchDog;c:\program files (x86)\avg\avg9\avgwdsvc.exe [2010-8-26 308136]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\lavasoft\ad-aware\AAWService.exe [2010-8-12 1355928]
S4 TFsExDisk;TFsExDisk;c:\windows\system32\drivers\TFsExDisk.sys [2010-7-29 16392]

=============== Created Last 30 ================

2010-09-05 05:14:28 0 d-----w- c:\windows\pss
2010-08-28 15:53:48 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-27 02:51:55 0 d-----w- c:\program files (x86)\ToniArts
2010-08-26 23:58:12 0 d--h--w- C:\$AVG
2010-08-26 23:33:44 13048 ----a-w- c:\windows\system32\avgrssta.dll
2010-08-26 23:33:42 317520 ----a-w- c:\windows\system32\drivers\avgtdia.sys
2010-08-26 23:33:34 269904 ----a-w- c:\windows\system32\drivers\avgldx64.sys
2010-08-26 23:33:31 35536 ----a-w- c:\windows\system32\drivers\avgmfx64.sys
2010-08-26 23:33:30 0 d-----w- c:\windows\system32\drivers\Avg
2010-08-26 23:33:28 0 d-----w- c:\programdata\AVG Security Toolbar
2010-08-26 23:28:33 0 d-----w- c:\program files (x86)\AVG
2010-08-26 23:28:08 0 d-----w- c:\programdata\avg9
2010-08-26 23:13:55 69152 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-26 23:13:24 0 dc-h--w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-26 23:12:42 0 d-----w- c:\program files (x86)\Lavasoft
2010-08-26 23:12:41 0 d-----w- c:\programdata\Lavasoft
2010-08-26 23:02:28 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-26 23:02:28 0 d-----w- c:\program files (x86)\Spybot - Search & Destroy
2010-08-14 23:03:44 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUsb_01007.Wdf
2010-08-14 22:56:40 708168 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll
2010-08-14 22:56:39 1490656 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-08-14 22:41:28 0 d-----w- c:\users\childsp\.android
2010-08-12 12:41:18 463360 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-12 12:41:18 404992 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-12 12:41:18 340992 ----a-w- c:\windows\system32\schannel.dll
2010-08-12 12:41:18 162304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-12 12:41:17 224256 ----a-w- c:\windows\syswow64\schannel.dll
2010-08-12 12:41:05 1896832 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-12 12:41:03 5507968 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-12 12:41:03 3955080 ----a-w- c:\windows\syswow64\ntkrnlpa.exe
2010-08-12 12:41:03 3899784 ----a-w- c:\windows\syswow64\ntoskrnl.exe
2010-08-11 19:33:30 0 d-----w- c:\users\childsp\Calibre Library
2010-08-11 19:33:28 0 d-----w- c:\users\childsp\appdata\roaming\calibre
2010-08-11 19:33:05 0 d-----w- c:\program files (x86)\Calibre2
2010-08-09 21:43:06 74272 ----a-w- c:\windows\system32\RtNicProp64.dll
2010-08-09 21:43:06 344680 ----a-w- c:\windows\system32\drivers\Rt64win7.sys
2010-08-09 21:43:06 107552 ----a-w- c:\windows\system32\RTNUninst64.dll

==================== Find3M ====================

2010-07-29 06:30:34 82944 ----a-w- c:\windows\syswow64\iccvid.dll
2010-07-27 14:03:24 12867584 ----a-w- c:\windows\syswow64\shell32.dll
2010-06-30 07:13:46 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-06-30 06:25:31 978432 ----a-w- c:\windows\syswow64\wininet.dll
2010-06-30 06:25:18 1226240 ----a-w- c:\windows\syswow64\urlmon.dll
2010-06-30 06:22:45 606208 ----a-w- c:\windows\syswow64\mstime.dll
2010-06-30 06:22:34 5971456 ----a-w- c:\windows\syswow64\mshtml.dll
2010-06-30 06:22:33 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-06-30 06:21:57 48128 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-06-30 06:21:47 185856 ----a-w- c:\windows\syswow64\iepeers.dll
2010-06-30 06:21:47 176640 ----a-w- c:\windows\syswow64\ieui.dll
2010-06-30 06:21:46 10985472 ----a-w- c:\windows\syswow64\ieframe.dll
2010-06-30 06:21:44 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-06-30 06:19:16 12800 ----a-w- c:\windows\syswow64\msfeedssync.exe
2010-06-19 06:53:18 52224 ----a-w- c:\windows\system32\rtutils.dll
2010-06-19 06:23:50 37376 ----a-w- c:\windows\syswow64\rtutils.dll
2010-06-19 04:32:34 3122688 ----a-w- c:\windows\system32\win32k.sys
2010-06-08 06:02:06 1233920 ----a-w- c:\windows\syswow64\msxml3.dll
2010-06-08 05:36:31 1877504 ----a-w- c:\windows\system32\msxml3.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-03-15 09:15:30 245760 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 11:14:03.04 ===============
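What a malware-removal helper reads off a DDS log like the one above is less the individual entries than the policy and location anomalies among them. The script below is an added example for this thread, not part of the post and not code from DDS, BleepingComputer or AVG: it applies a handful of triage rules to lines copied from the pseudo-HJT and Firefox sections above, namely the `mPolicies-system` values that switch UAC off or make it elevate silently, entries whose target is `No File`, a non-empty `AppInit_DLLs` value, scripts in a Startup folder, and a hidden Firefox extension living under the user profile. The rule names, severities and the `Finding` type are illustrative choices of this example, not anything DDS emits.

```python
"""Triage rules for the "Pseudo HJT Report" part of a DDS log.

Added example for this thread; it is not part of the post above and not code
from DDS, BleepingComputer or AVG. The rule names, severities and the Finding
type are illustrative choices, not anything DDS emits.
"""
import re
from dataclasses import dataclass

# Lines copied from the DDS log in the first post (pseudo-HJT and Firefox sections).
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: AutorunsDisabled - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files (x86)\avg\avg9\avgssie.dll
uRun: [Skype] "c:\program files (x86)\skype\phone\Skype.exe" /nosplash /minimized
mRun: [LifeCam] "c:\program files (x86)\microsoft lifecam\LifeExp.exe"
StartupFolder: c:\users\childsp\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files (x86)\magicdisc\MagicDisc.exe
StartupFolder: c:\users\childsp\appdata\roaming\microsoft\windows\start menu\programs\startup\autorunsdisabled\29_.ahk
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
AppInit_DLLs-X64: avgrssta.dll
FF - HiddenExtension: XULRunner: {73F696E0-FCBD-49DD-BC11-2309451039B5} - c:\users\childsp\appdata\local\{73f696e0-fcbd-49dd-bc11-2309451039b5}\
"""

# Registry values (HKLM\...\Policies\System) at which UAC is off or elevates
# silently: EnableLUA=0 disables UAC, ConsentPromptBehaviorAdmin=0 elevates
# without prompting, PromptOnSecureDesktop=0 shows prompts on the normal desktop.
UAC_WEAK = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0", "PromptOnSecureDesktop": "0"}

# Script types that should not normally sit in a Startup folder (.ahk = AutoHotkey).
SCRIPT_EXT = (".ahk", ".vbs", ".js", ".bat", ".cmd", ".ps1", ".wsf")

POLICY_RE = re.compile(r"^[mu]?Policies-(\w+): (\w+) = (\S+)")
# A quoted path, or a bare path running up to " - " or the end of the line.
PATH_RE = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\.*?)(?=\s-\s|$)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low" (labels chosen for this example)
    rule: str
    line: str


def _paths(line):
    """All drive-letter paths on a line, lower-cased, in order of appearance."""
    return [(quoted or bare).strip().lower() for quoted, bare in PATH_RE.findall(line)]


def _user_writable(path):
    # Profile and ProgramData locations (progra~3 is usually ProgramData's 8.3 name).
    return path.startswith(("c:\\users\\", "c:\\programdata\\", "c:\\progra~3\\")) or "\\appdata\\" in path


def triage(log_text):
    """Apply the triage rules to every line and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = POLICY_RE.match(line)
        if m:
            _scope, name, value = m.groups()
            if UAC_WEAK.get(name) == value:
                findings.append(Finding("high", "uac-weakened", line))
            continue
        if line.endswith("- No File"):
            # CLSID still registered but its DLL is gone: cleanup, not evidence of infection.
            findings.append(Finding("low", "orphaned-entry", line))
            continue
        if line.startswith("AppInit_DLLs"):
            # Loaded into every process that links user32.dll; verify the publisher.
            findings.append(Finding("medium", "appinit-dll", line))
            continue
        paths = _paths(line)
        if not paths:
            continue
        target = paths[-1]  # for "x.lnk - target" lines the target is what runs
        # Sysinternals Autoruns moves disabled items into an AutorunsDisabled folder or key.
        disabled = "\\autorunsdisabled\\" in target
        if "hiddenextension" in line.lower() and "\\appdata\\" in target:
            findings.append(Finding("high", "hidden-ff-extension-in-profile", line))
        elif target.rstrip("\\").endswith(SCRIPT_EXT):
            findings.append(Finding("low" if disabled else "high", "script-autostart", line))
        elif _user_writable(target):
            findings.append(Finding("low" if disabled else "medium", "autostart-from-user-writable-path", line))
    return findings


def summarize(findings):
    """Number of findings per rule name."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.rule:36} {f.line}")
```

Run as-is it prints the findings for the sample lines, highest severity first; to triage a fresh log, pass the file's contents to `triage()`. The flags are leads, not verdicts: `avgrssta.dll` in `AppInit_DLLs` was created on 2010-08-26 together with the AVG drivers according to the "Created Last 30" section, and the `.ahk` script sits under an `AutorunsDisabled` folder, so both are items to verify rather than delete. The three `mPolicies-system` lines are the firmest finding, since with `EnableLUA = 0` nothing on this machine ever has to ask before running as administrator.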



#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,581 posts
  • Gender:Female
  • Location:Romania

Posted 13 September 2010 - 04:25 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 Childsp
  • Topic Starter

  • Members
  • 15 posts

Posted 13 September 2010 - 10:46 AM

OTL.txt:
OTL logfile created on: 9/13/2010 10:35:07 AM - Run 1
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Users\Childsp\Downloads
64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 57.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 227.03 Gb Total Space | 88.65 Gb Free Space | 39.05% Space Free | Partition Type: NTFS
Drive D: | 298.08 Gb Total Space | 30.01 Gb Free Space | 10.07% Space Free | Partition Type: NTFS
Drive E: | 1.26 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 1.26 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANDROMEDA
Current User Name: Childsp
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/09/13 10:34:33 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Childsp\Downloads\OTL.exe
PRC - [2010/09/11 11:09:35 | 002,969,496 | ---- | M] () -- C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
PRC - [2010/09/09 10:24:49 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
PRC - [2010/09/09 10:24:48 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2010/09/08 20:13:17 | 012,479,152 | ---- | M] (Mozilla Messaging) -- C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
PRC - [2010/04/03 16:59:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2010/01/13 17:45:58 | 001,552,736 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files (x86)\Winamp\winamp.exe
PRC - [2009/11/24 12:32:22 | 000,234,792 | ---- | M] (Skype Technologies S.A.) -- C:\Program Files (x86)\Skype\Toolbars\Shared\SkypeNames2.exe
PRC - [2007/11/26 20:06:56 | 000,995,328 | ---- | M] (Hawking Technology) -- C:\Program Files (x86)\Hawking\Common\RaUI.exe


========== Modules (SafeList) ==========

MOD - [2010/09/13 10:34:33 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Childsp\Downloads\OTL.exe
MOD - [2009/07/13 20:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx
MOD - [2009/07/13 20:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\Windows\SysNative\GameMon.des -- (npggsvc)
SRV:64bit: - [2010/06/29 12:49:27 | 000,128,752 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE -- (!SASCORE)
SRV:64bit: - [2010/03/01 20:35:38 | 000,199,536 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS64.exe -- (MSCamSvc)
SRV:64bit: - [2009/07/13 20:41:56 | 000,195,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\umrdp.dll -- (UmRdpService)
SRV:64bit: - [2009/07/13 20:41:53 | 001,361,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\PeerDistSvc.dll -- (PeerDistSvc)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 20:40:24 | 000,689,152 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\cscsvc.dll -- (CscService)
SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2010/09/02 18:20:08 | 001,355,928 | ---- | M] (Lavasoft) [Disabled | Stopped] -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/08/26 18:31:15 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Disabled | Stopped] -- C:\Program Files (x86)\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/08/26 18:31:08 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Disabled | Stopped] -- C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/08/13 09:13:32 | 000,066,112 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files (x86)\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus®
SRV - [2010/06/30 14:22:46 | 000,431,432 | ---- | M] () [Disabled | Stopped] -- C:\Program Files (x86)\AVG\AVG9\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2010/04/03 16:59:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/02/24 11:43:00 | 003,461,116 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\SysWow64\GameMon.des -- (npggsvc)
SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)


========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\npptNT2.sys -- (NPPTNT2)
DRV:64bit: - [2010/08/26 18:33:44 | 000,317,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgtdia.sys -- (AvgTdiA)
DRV:64bit: - [2010/08/26 18:33:34 | 000,269,904 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgldx64.sys -- (AvgLdx64)
DRV:64bit: - [2010/08/26 18:33:34 | 000,035,536 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\avgmfx64.sys -- (AvgMfx64)
DRV:64bit: - [2010/08/12 07:15:20 | 000,069,152 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\Lbd.sys -- (Lbd)
DRV:64bit: - [2010/06/23 17:10:56 | 000,344,680 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2010/05/25 01:45:52 | 000,016,392 | ---- | M] (Teruten Inc) [File_System | Disabled | Stopped] -- C:\Windows\SysNative\drivers\TFsExDisk.sys -- (TFsExDisk)
DRV:64bit: - [2010/05/25 01:45:38 | 000,020,568 | ---- | M] (Devguru Co., Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dgderdrv.sys -- (dgderdrv)
DRV:64bit: - [2010/03/01 20:35:38 | 000,036,720 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nx6000.sys -- (MSHUSBVideo)
DRV:64bit: - [2010/02/17 13:23:05 | 000,014,920 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2010/02/17 13:23:05 | 000,012,360 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2009/10/16 02:33:06 | 000,050,176 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2009/07/13 20:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 20:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 20:45:55 | 000,200,272 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vmbus.sys -- (vmbus)
DRV:64bit: - [2009/07/13 20:45:55 | 000,046,672 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\vmstorfl.sys -- (storflt)
DRV:64bit: - [2009/07/13 20:45:55 | 000,034,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\storvsc.sys -- (storvsc)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 19:09:50 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usb8023x.sys -- (usb_rndisx)
DRV:64bit: - [2009/07/13 18:42:58 | 000,006,656 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vms3cap.sys -- (s3cap)
DRV:64bit: - [2009/07/13 18:42:44 | 000,021,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VMBusHID.sys -- (VMBusHID)
DRV:64bit: - [2009/07/13 18:24:27 | 000,514,048 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\csc.sys -- (CSC)
DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/25 05:38:20 | 000,966,144 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netr28ux.sys -- (netr28ux)
DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/02/24 18:35:44 | 000,255,552 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mcdbus.sys -- (mcdbus)
DRV:64bit: - [2006/12/19 19:19:26 | 000,640,512 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\BCMWL664.SYS -- (BCM43XX)
DRV - [2010/08/12 07:15:22 | 000,016,928 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys -- (Lavasoft Kernexplorer)
DRV - [2010/05/25 01:45:52 | 000,016,392 | ---- | M] (Teruten Inc) [File_System | Disabled | Stopped] -- C:\Windows\SysWOW64\drivers\TFsExDisk.Sys -- (TFsExDisk)
DRV - [2009/02/24 18:35:44 | 000,255,552 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\drivers\mcdbus.sys -- (mcdbus)
DRV - [2005/01/02 16:43:08 | 000,004,682 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\npptNT2.sys -- (NPPTNT2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 28 7D 6C 85 5B C1 CA 01 [binary data]
IE - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.2
FF - prefs.js..extensions.enabledItems: support@lastpass.com:1.69.1
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.7.1
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}:2.5.10.1
FF - prefs.js..extensions.enabledItems: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}:6.7.0.1
FF - prefs.js..extensions.enabledItems: {73F696E0-FCBD-49DD-BC11-2309451039B5}:1.9.1
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.845
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.90

FF - HKLM\software\mozilla\Firefox\Extensions\\{73F696E0-FCBD-49DD-BC11-2309451039B5}: C:\Users\Childsp\AppData\Local\{73F696E0-FCBD-49DD-BC11-2309451039B5}\ [2010/07/22 21:59:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files (x86)\AVG\AVG9\Firefox [2010/08/26 18:30:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files (x86)\AVG\AVG9\Toolbar\Firefox\avg@igeared [2010/08/26 18:33:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.9\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/09/09 10:24:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.9\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/09/09 10:24:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.3\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2010/09/08 20:13:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.3\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins [2010/07/28 21:36:25 | 000,000,000 | ---D | M]

[2010/03/12 01:45:54 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\Mozilla\Extensions
[2010/03/12 01:45:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Childsp\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/09/12 19:00:18 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\Mozilla\Firefox\Profiles\21fsz237.default\extensions
[2010/05/22 00:20:24 | 000,000,000 | ---D | M] (IE Tab 2 (FF 3.6+)) -- C:\Users\Childsp\AppData\Roaming\Mozilla\Firefox\Profiles\21fsz237.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
[2010/06/26 11:52:49 | 000,000,000 | ---D | M] (iMacros for Firefox) -- C:\Users\Childsp\AppData\Roaming\Mozilla\Firefox\Profiles\21fsz237.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
[2010/08/19 07:56:10 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Childsp\AppData\Roaming\Mozilla\Firefox\Profiles\21fsz237.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/08/30 06:41:45 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Users\Childsp\AppData\Roaming\Mozilla\Firefox\Profiles\21fsz237.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2010/09/10 12:44:18 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Users\Childsp\AppData\Roaming\Mozilla\Firefox\Profiles\21fsz237.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/08/29 11:28:56 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Childsp\AppData\Roaming\Mozilla\Firefox\Profiles\21fsz237.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/07/13 13:33:29 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\Mozilla\Firefox\Profiles\21fsz237.default\extensions\support@lastpass.com
[2010/09/12 19:00:18 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/03/12 01:55:55 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/01/13 17:46:00 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll

O1 HOSTS File: ([2009/06/10 16:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O4 - HKLM..\Run: [LifeCam] C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000..\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe ()
O4 - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKLM..\RunOnce: [Uninstall Adobe Download Manager] File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
O4 - Startup: C:\Users\Childsp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2010/09/04 23:58:38 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Users\Childsp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18:64bit: - Protocol\Handler\AutorunsDisabled\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgppa.dll (AVG Technologies CZ, s.r.o.)
O18:64bit: - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - Reg Error: Key error. File not found
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Handler\AutorunsDisabled\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll ()
O20:64bit: - AppInit_DLLs: (avgrssta.dll) - C:\Windows\SysNative\avgrssta.dll (AVG Technologies CZ, s.r.o.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/07/14 04:29:38 | 000,000,122 | ---- | M] () - D:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/09/12 00:33:54 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Documents\The Lord of the Rings Online
[2010/09/12 00:33:54 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Local\The Lord of the Rings Online
[2010/09/11 14:17:06 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Recorded TV
[2010/09/11 14:17:06 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Recorded Audio
[2010/09/11 11:14:26 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Desktop\LOTRO Standard Res Installer Files
[2010/09/11 11:09:58 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Desktop\LOTRO High Res Installer Files
[2010/09/10 12:44:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NOS
[2010/09/08 23:12:23 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Documents\Dungeons and Dragons Online
[2010/09/08 22:53:18 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Roaming\Turbine
[2010/09/08 22:51:36 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Local\Turbine
[2010/09/08 22:48:51 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Local\ApplicationHistory
[2010/09/08 22:46:52 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\URTTEMP
[2010/09/08 22:25:11 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Turbine
[2010/09/08 20:27:51 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Desktop\DDO standard res install files
[2010/09/06 01:30:51 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Roaming\LolClient
[2010/09/06 00:35:29 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Desktop\LeagueofLegends
[2010/09/05 11:53:36 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Roaming\SUPERAntiSpyware.com
[2010/09/05 11:53:36 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/09/05 11:53:33 | 000,000,000 | ---D | C] -- C:\ProgramData\!SASCORE
[2010/09/05 11:53:31 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/09/05 11:41:54 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW
[2010/09/05 00:14:28 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/09/04 23:58:35 | 000,000,000 | -H-D | C] -- C:\Users\Childsp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
[2010/09/04 23:58:34 | 000,000,000 | -H-D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
[2010/08/26 21:51:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ToniArts
[2010/08/26 19:01:45 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Local\AVG Security Toolbar
[2010/08/26 18:58:12 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010/08/26 18:33:44 | 000,013,048 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\avgrssta.dll
[2010/08/26 18:33:42 | 000,317,520 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgtdia.sys
[2010/08/26 18:33:34 | 000,269,904 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgldx64.sys
[2010/08/26 18:33:31 | 000,035,536 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgmfx64.sys
[2010/08/26 18:33:30 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\Avg
[2010/08/26 18:33:28 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG Security Toolbar
[2010/08/26 18:28:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AVG
[2010/08/26 18:28:08 | 000,000,000 | ---D | C] -- C:\ProgramData\avg9
[2010/08/26 18:13:55 | 000,069,152 | ---- | C] (Lavasoft AB) -- C:\Windows\SysNative\drivers\Lbd.sys
[2010/08/26 18:13:44 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Local\Sunbelt Software
[2010/08/26 18:13:24 | 000,000,000 | -H-D | C] -- C:\ProgramData\{ECC164E0-3133-4C70-A831-F08DB2940F70}
[2010/08/26 18:12:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Lavasoft
[2010/08/26 18:12:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2010/08/26 18:02:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/08/26 18:02:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2010/08/14 17:41:28 | 000,000,000 | ---D | C] -- C:\Users\Childsp\.android
[2010/08/11 14:41:37 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Desktop\Melber, Derek
[2010/08/11 14:41:09 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Desktop\Unknown
[2010/08/11 14:33:30 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Calibre Library
[2010/08/11 14:33:28 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Roaming\calibre
[2010/08/11 14:33:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Calibre2
[2010/08/09 16:43:06 | 000,344,680 | ---- | C] (Realtek ) -- C:\Windows\SysNative\drivers\Rt64win7.sys
[2010/08/09 16:43:06 | 000,107,552 | ---- | C] (Realtek Semiconductor Corporation) -- C:\Windows\SysNative\RTNUninst64.dll
[2010/07/29 10:39:37 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Documents\Samsung
[2010/07/29 10:38:11 | 000,020,480 | ---- | C] (Teruten Inc) -- C:\Windows\SysWow64\FsExService64.Exe
[2010/07/29 10:38:11 | 000,016,392 | ---- | C] (Teruten Inc) -- C:\Windows\SysWow64\drivers\TFsExDisk.Sys
[2010/07/29 10:38:11 | 000,016,392 | ---- | C] (Teruten Inc) -- C:\Windows\SysNative\drivers\TFsExDisk.sys
[2010/07/29 10:37:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\PC Connectivity Solution
[2010/07/29 10:37:49 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Roaming\Samsung
[2010/07/29 10:37:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Samsung
[2010/07/29 10:37:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MarkAny
[2010/07/29 10:37:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Samsung
[2010/07/29 10:37:37 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Samsung
[2010/07/29 10:27:48 | 000,000,000 | ---D | C] -- C:\Program Files\Samsung
[2010/07/29 10:18:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\CeRegEditor
[2010/07/22 21:59:24 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Local\{73F696E0-FCBD-49DD-BC11-2309451039B5}
[2010/07/22 00:35:56 | 000,703,352 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Users\Childsp\Desktop\autoruns.exe
[2010/07/22 00:35:54 | 000,585,080 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Users\Childsp\Desktop\autorunsc.exe
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/09/13 10:36:53 | 001,572,864 | -HS- | M] () -- C:\Users\Childsp\NTUSER.DAT
[2010/09/13 10:36:20 | 000,034,560 | ---- | M] () -- C:\Windows\SysWow64\drivers\Normandy.sys
[2010/09/12 00:28:17 | 000,002,229 | ---- | M] () -- C:\Users\Childsp\Desktop\The Lord of the Rings Online.lnk
[2010/09/11 14:16:00 | 000,002,023 | ---- | M] () -- C:\Users\Public\Desktop\Winamp Remote.lnk
[2010/09/10 10:34:15 | 000,023,360 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/10 10:34:15 | 000,023,360 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/10 01:37:23 | 000,001,674 | ---- | M] () -- C:\Users\Childsp\Desktop\dndlauncher - Shortcut.lnk
[2010/09/08 22:51:38 | 000,000,095 | ---- | M] () -- C:\Users\Childsp\AppData\Local\fusioncache.dat
[2010/09/08 22:48:40 | 000,743,126 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/09/08 22:48:40 | 000,623,890 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/09/08 22:48:40 | 000,107,522 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/09/08 18:14:43 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/08 18:14:29 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/08 18:14:27 | 3220,037,632 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/06 01:14:02 | 000,001,720 | ---- | M] () -- C:\Users\Public\Desktop\Play League of Legends.lnk
[2010/09/06 00:12:19 | 001,687,470 | -H-- | M] () -- C:\Users\Childsp\AppData\Local\IconCache.db
[2010/09/05 11:53:33 | 000,001,808 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/09/05 11:37:38 | 000,002,828 | ---- | M] () -- C:\Users\Childsp\Desktop\Attach.zip
[2010/09/05 00:01:09 | 002,432,079 | ---- | M] () -- C:\Users\Childsp\Documents\AutoRuns.arn
[2010/09/04 23:57:20 | 000,703,352 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Users\Childsp\Desktop\autoruns.exe
[2010/09/04 23:57:20 | 000,585,080 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Users\Childsp\Desktop\autorunsc.exe
[2010/09/04 23:57:19 | 000,048,904 | ---- | M] () -- C:\Users\Childsp\Desktop\autoruns.chm
[2010/09/04 18:01:59 | 064,319,035 | ---- | M] () -- C:\Windows\SysNative\drivers\Avg\incavi.avm
[2010/08/28 11:15:00 | 000,003,730 | ---- | M] () -- C:\Users\Childsp\AppData\Local\RT2870_{DAB6E7E4-54FB-4A05-BEE5-D0348141DB65}_prof
[2010/08/28 11:15:00 | 000,000,743 | ---- | M] () -- C:\Users\Childsp\AppData\Local\RT2870_{DAB6E7E4-54FB-4A05-BEE5-D0348141DB65}_sta
[2010/08/26 23:49:06 | 000,713,888 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/08/26 21:45:36 | 000,018,944 | ---- | M] () -- C:\Users\Childsp\Desktop\Philip Childs Resume.doc
[2010/08/26 18:33:46 | 000,013,048 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\avgrssta.dll
[2010/08/26 18:33:46 | 000,001,858 | ---- | M] () -- C:\Users\Public\Desktop\AVG Free 9.0.lnk
[2010/08/26 18:33:44 | 000,317,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgtdia.sys
[2010/08/26 18:33:34 | 000,269,904 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgldx64.sys
[2010/08/26 18:33:34 | 000,035,536 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgmfx64.sys
[2010/08/26 18:33:31 | 000,113,461 | ---- | M] () -- C:\Windows\SysNative\drivers\Avg\iavichjw.avm
[2010/08/26 18:13:21 | 000,001,166 | ---- | M] () -- C:\Users\Childsp\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/08/26 18:13:21 | 000,001,142 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/08/26 18:02:34 | 000,001,262 | ---- | M] () -- C:\Users\Childsp\Desktop\Spybot - Search & Destroy.lnk
[2010/08/26 17:59:13 | 000,073,754 | ---- | M] () -- C:\Users\Childsp\Desktop\AVG.html
[2010/08/24 10:54:21 | 000,001,616 | ---- | M] () -- C:\Users\Childsp\Desktop\DivX Movies.lnk
[2010/08/24 10:54:04 | 000,001,116 | ---- | M] () -- C:\Users\Public\Desktop\DivX Plus Player.lnk
[2010/08/17 10:29:19 | 000,027,834 | ---- | M] () -- C:\Users\Childsp\Desktop\resources_hna44.s2z
[2010/08/14 18:03:44 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_WinUsb_01007.Wdf
[2010/08/13 03:17:33 | 000,289,152 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/08/12 07:15:20 | 000,069,152 | ---- | M] (Lavasoft AB) -- C:\Windows\SysNative\drivers\Lbd.sys
[2010/08/12 07:15:20 | 000,015,880 | ---- | M] () -- C:\Windows\SysNative\lsdelete.exe
[2010/08/11 14:33:23 | 000,000,960 | ---- | M] () -- C:\Users\Public\Desktop\calibre - E-book management.lnk
[2010/08/09 16:38:29 | 000,001,106 | ---- | M] () -- C:\Users\Childsp\Desktop\EVEREST Home Edition.lnk
[2010/07/29 10:37:47 | 000,002,006 | ---- | M] () -- C:\aqua_bitmap.cpp
[2010/07/28 21:36:25 | 000,002,014 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/07/27 00:06:53 | 000,000,120 | ---- | M] () -- C:\Users\Childsp\AppData\Local\Pwiceyu.dat
[2010/07/27 00:06:53 | 000,000,000 | ---- | M] () -- C:\Users\Childsp\AppData\Local\Ljada.bin
[2010/06/23 17:10:56 | 000,344,680 | ---- | M] (Realtek ) -- C:\Windows\SysNative\drivers\Rt64win7.sys
[2010/06/21 11:03:20 | 000,291,840 | ---- | M] (Notausgang) -- C:\Users\Childsp\Desktop\HoN_ModMan.exe
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/12 00:28:17 | 000,002,229 | ---- | C] () -- C:\Users\Childsp\Desktop\The Lord of the Rings Online.lnk
[2010/09/10 01:37:23 | 000,001,674 | ---- | C] () -- C:\Users\Childsp\Desktop\dndlauncher - Shortcut.lnk
[2010/09/08 22:51:38 | 000,000,095 | ---- | C] () -- C:\Users\Childsp\AppData\Local\fusioncache.dat
[2010/09/08 22:47:23 | 000,743,126 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/09/06 01:14:02 | 000,001,720 | ---- | C] () -- C:\Users\Public\Desktop\Play League of Legends.lnk
[2010/09/05 11:53:33 | 000,001,808 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/09/05 11:37:38 | 000,002,828 | ---- | C] () -- C:\Users\Childsp\Desktop\Attach.zip
[2010/09/05 00:01:08 | 002,432,079 | ---- | C] () -- C:\Users\Childsp\Documents\AutoRuns.arn
[2010/08/28 10:53:48 | 000,015,880 | ---- | C] () -- C:\Windows\SysNative\lsdelete.exe
[2010/08/26 21:44:02 | 000,018,944 | ---- | C] () -- C:\Users\Childsp\Desktop\Philip Childs Resume.doc
[2010/08/26 18:33:46 | 000,001,858 | ---- | C] () -- C:\Users\Public\Desktop\AVG Free 9.0.lnk
[2010/08/26 18:33:31 | 000,113,461 | ---- | C] () -- C:\Windows\SysNative\drivers\Avg\iavichjw.avm
[2010/08/26 18:33:30 | 064,319,035 | ---- | C] () -- C:\Windows\SysNative\drivers\Avg\incavi.avm
[2010/08/26 18:13:21 | 000,001,166 | ---- | C] () -- C:\Users\Childsp\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/08/26 18:13:21 | 000,001,142 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/08/26 18:02:34 | 000,001,262 | ---- | C] () -- C:\Users\Childsp\Desktop\Spybot - Search & Destroy.lnk
[2010/08/26 17:59:11 | 000,073,754 | ---- | C] () -- C:\Users\Childsp\Desktop\AVG.html
[2010/08/17 10:30:24 | 000,027,834 | ---- | C] () -- C:\Users\Childsp\Desktop\resources_hna44.s2z
[2010/08/14 18:03:44 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_WinUsb_01007.Wdf
[2010/08/11 14:33:23 | 000,000,960 | ---- | C] () -- C:\Users\Public\Desktop\calibre - E-book management.lnk
[2010/08/09 16:43:06 | 000,074,272 | ---- | C] () -- C:\Windows\SysNative\RtNicProp64.dll
[2010/08/09 16:38:29 | 000,001,106 | ---- | C] () -- C:\Users\Childsp\Desktop\EVEREST Home Edition.lnk
[2010/07/29 10:37:10 | 000,002,006 | ---- | C] () -- C:\aqua_bitmap.cpp
[2010/07/22 21:59:29 | 000,000,120 | ---- | C] () -- C:\Users\Childsp\AppData\Local\Pwiceyu.dat
[2010/07/22 21:59:29 | 000,000,000 | ---- | C] () -- C:\Users\Childsp\AppData\Local\Ljada.bin
[2010/03/27 17:30:29 | 000,000,600 | ---- | C] () -- C:\Users\Childsp\AppData\Local\PUTTY.RND
[2010/03/18 21:57:06 | 000,000,262 | ---- | C] () -- C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
[2010/03/17 03:50:24 | 000,000,745 | ---- | C] () -- C:\Users\Childsp\AppData\Roaming\AtomicAlarmClock.ini
[2010/03/11 15:42:51 | 000,000,743 | ---- | C] () -- C:\Users\Childsp\AppData\Local\RT2870_{DAB6E7E4-54FB-4A05-BEE5-D0348141DB65}_sta
[2010/03/11 15:41:38 | 000,003,730 | ---- | C] () -- C:\Users\Childsp\AppData\Local\RT2870_{DAB6E7E4-54FB-4A05-BEE5-D0348141DB65}_prof
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2005/08/14 17:11:59 | 000,095,232 | ---- | C] () -- C:\Windows\SysWow64\mkx.dll
[2005/08/14 17:11:44 | 000,041,984 | ---- | C] () -- C:\Windows\SysWow64\avi.dll
[2005/08/14 17:11:28 | 000,057,856 | ---- | C] () -- C:\Windows\SysWow64\mp4.dll
[2005/08/09 17:12:28 | 003,596,288 | ---- | C] () -- C:\Windows\SysWow64\qt-dx331.dll
[2005/04/04 06:35:24 | 000,745,472 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2002/11/15 07:11:28 | 000,077,824 | ---- | C] () -- C:\Windows\SysWow64\MMSwitch.dll

========== LOP Check ==========

[2010/09/11 14:10:31 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\.purple
[2010/08/11 18:39:34 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\calibre
[2010/06/13 12:05:13 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\Darkfall
[2010/06/13 11:48:12 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\Darkfall US
[2010/03/12 19:09:43 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\GetRightToGo
[2010/04/30 22:03:41 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\GSC 2.00
[2010/09/06 01:30:51 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\LolClient
[2010/04/17 11:19:09 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
[2010/03/26 23:38:09 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\OpenOffice.org
[2010/03/17 03:52:18 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\Orangeline Interactive
[2010/08/26 21:49:48 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\Samsung
[2010/03/12 01:45:53 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\Thunderbird
[2010/09/08 22:53:18 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\Turbine
[2010/09/10 01:02:02 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\uTorrent
[2009/07/14 00:08:49 | 000,007,360 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >


Extras.txt:
OTL Extras logfile created on: 9/13/2010 10:35:08 AM - Run 1
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Users\Childsp\Downloads
64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 57.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 227.03 Gb Total Space | 88.65 Gb Free Space | 39.05% Space Free | Partition Type: NTFS
Drive D: | 298.08 Gb Total Space | 30.01 Gb Free Space | 10.07% Space Free | Partition Type: NTFS
Drive E: | 1.26 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 1.26 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANDROMEDA
Current User Name: Childsp
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3498346600-3206276682-1160050912-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" File not found
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files (x86)\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files (x86)\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files (x86)\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files (x86)\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files (x86)\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files (x86)\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{23170F69-40C1-2702-0465-000001000000}" = 7-Zip 4.65 (x64 edition)
"{350AA351-21FA-3270-8B7A-835434E766AD}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
"{393ADA10-CEC5-47E7-AE6D-A9591C125EEF}" = Microsoft LifeCam
"{4CE36E6A-300B-427C-BEC7-B261CC13814E}" = iTunes
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{8557397C-A42D-486F-97B3-A2CBC2372593}" = Microsoft_VC90_ATL_x86_x64
"{877924AA-E044-4266-B37D-E974CD799934}" = Bonjour
"{92A3CA0D-55CD-4C5D-BA95-5C2600C20F26}" = Microsoft_VC90_CRT_x86_x64
"{9C5A08BF-BB99-4998-81BD-F6CC32483B34}" = Microsoft Corporation
"{A472B9E4-0AFF-4F7B-B25D-F64F8E928AAB}" = Microsoft_VC90_MFC_x86_x64
"{CA4AF936-3312-4AF4-A191-527531490DCD}" = Apple Mobile Device Support
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}" = Ventrilo Client for Windows x64
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"SAMSUNG Android USB Modem" = SAMSUNG Android USB Modem Software

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0D2DBE8A-43D0-7830-7AE7-CA6C99A832E7}" = Adobe Community Help
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java™ 6 Update 19
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{28DA7D8B-F9A4-4F18-8AA0-551B1E084D0D}" = HWDN1 Wireless LAN
"{2BD5C305-1B27-4D41-B690-7A61172D2FEB}" = Macromedia Flash 8
"{2D57FB4E-6277-4A6D-8739-304C38051B89}" = Jitbit Macro Recorder LITE
"{2FDBBCEA-62DB-45F4-B6E5-0E1FB2A1F29D}" = Visual C++ 8.0 Runtime Setup Package (x64)
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}" = Macromedia Fireworks 8
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}" = Macromedia Extension Manager
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{6ADD0603-16EF-400D-9F9E-486432835002}" = OpenOffice.org 3.2
"{6E9EF98E-259E-416D-B5F8-0ABDB99942CE}" = Adobe Flash Player 10 ActiveX
"{703FC30C-4435-4971-A296-9277ED5BFD22}" = calibre
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{885A63EA-382B-4DD4-A755-14809B8557D6}" = Macromedia Flash Player 8
"{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}" = Macromedia Flash 8 Video Encoder
"{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
"{B3BC9DB1-0B0A-48B0-B86B-EA77CAA7F800}" = Microsoft Corporation
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B9CA59A0-3B70-48F8-9054-67595DE6E72B}" = League of Legends
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE12677C-F7D2-45A8-BBF9-0FC0B972EDC3}" = League of Legends
"{CFC9F871-7C40-40B6-BE4A-B98A5B309716}" = Adobe Flash Professional CS5
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DE3A9DC5-9A5D-6485-9662-347162C7E4CA}" = Adobe Media Player
"{DEA314C4-0929-4250-BC92-98E4C105F28D}" = NVIDIA PhysX
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F4CFE59F-3862-4231-9797-24367166BCE5}" = Darkfall US
"{F5346614-B7C4-4E94-826A-E2363155233D}" = EasyCleaner
"12bbe590-c890-11d9-9669-0800200c9a66_is1" = The Lord of the Rings Online™ v03.02.03.8013
"15b35190-c6f9-11d9-9669-0800200c9a66_is1" = Dungeons & Dragons Online ®: Eberron Unlimited ™ v01.12.00.803
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Atomic Alarm Clock_is1" = Atomic Alarm Clock 5.87
"AVG9Uninstall" = AVG Free 9.0
"CeRegEditor_is1" = CeRegEditor 0.0.4.4
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"Citrus Alarm Clock_is1" = Citrus Alarm Clock 2.2
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"DivX Setup.divx.com" = DivX Setup
"DivX Total Pack" = DivX Total Pack
"EVEREST Home Edition_is1" = EVEREST Home Edition v2.20
"EVEREST Ultimate Edition_is1" = EVEREST Ultimate Edition v5.30
"ffdshow" = ffdshow (remove only)
"gatesofandaron_is1" = Gates of Andaron
"Grand Chase" = Grand Chase
"GSC 2.00" = GSC 2.00
"GTK 2.0" = GTK+ Runtime 2.14.7 rev a (remove only)
"hon" = Heroes of Newerth
"Macro ToolsWorks" = Macro ToolsWorks
"Magic ISO Maker v5.5 (build 0281)" = Magic ISO Maker v5.5 (build 0281)
"MagicDisc 2.7.106" = MagicDisc 2.7.106
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.6.9)" = Mozilla Firefox (3.6.9)
"Mozilla Thunderbird (3.1.3)" = Mozilla Thunderbird (3.1.3)
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"Orb" = Winamp Remote
"Pidgin" = Pidgin
"StarCraft II Beta" = StarCraft II Beta
"uTorrent" = µTorrent
"Warhammer Online - Age of Reckoning" = Warhammer Online - Age of Reckoning
"Winamp" = Winamp

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3498346600-3206276682-1160050912-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Winamp Detect" = Winamp Detector Plug-in

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/5/2010 1:23:27 AM | Computer Name = Andromeda | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Users\Childsp\AppData\Local\Temp\RarSFX0\redist.dll".
Dependent
Assembly Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.4148"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 9/5/2010 1:23:30 AM | Computer Name = Andromeda | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Users\Childsp\AppData\Local\Temp\RarSFX0\redist.dll".
Dependent
Assembly Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.4148"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 9/5/2010 1:25:36 AM | Computer Name = Andromeda | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 9/5/2010 1:26:21 AM | Computer Name = Andromeda | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 9/5/2010 12:02:30 PM | Computer Name = Andromeda | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 9/5/2010 12:03:16 PM | Computer Name = Andromeda | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 9/5/2010 12:54:48 PM | Computer Name = Andromeda | Source = Application Error | ID = 1000
Description = Faulting application name: fsbl.exe, version: 2.2.1092.0, time stamp:
0x48a543e2 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception
code: 0xc0000005 Fault offset: 0x000cfc22 Faulting process id: 0x818 Faulting application
start time: 0x01cb4d1b00b9548e Faulting application path: C:\Users\Childsp\Downloads\fsbl.exe
Faulting
module path: unknown Report Id: 4a8c2881-b90e-11df-8192-001fd09c607c

Error - 9/12/2010 12:14:50 AM | Computer Name = Andromeda | Source = Application Hang | ID = 1002
Description = The program winamp.exe version 5.5.7.2830 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 904 Start
Time: 01cb5230e5ebf763 Termination Time: 30 Application Path: C:\Program Files (x86)\Winamp\winamp.exe

Report
Id: 3e84bfb8-be24-11df-aee0-001fd09c607c

Error - 9/12/2010 11:35:11 PM | Computer Name = Andromeda | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\Program Files (x86)\Common
Files\Adobe AIR\Versions\1.0\Adobe AIR.dll".Error in manifest or policy file "c:\Program
Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll" on line 3. The value
"MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute
"version" in element "assemblyIdentity" is invalid.

Error - 9/12/2010 11:35:41 PM | Computer Name = Andromeda | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files (x86)\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
attribute "language" in element "assemblyIdentity" is invalid.

[ System Events ]
Error - 9/5/2010 11:59:35 AM | Computer Name = Andromeda | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 9/5/2010 11:59:35 AM | Computer Name = Andromeda | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 9/5/2010 11:59:35 AM | Computer Name = Andromeda | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 9/5/2010 11:59:35 AM | Computer Name = Andromeda | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 9/5/2010 11:59:35 AM | Computer Name = Andromeda | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 9/5/2010 11:59:35 AM | Computer Name = Andromeda | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 9/6/2010 1:12:33 AM | Computer Name = Andromeda | Source = Service Control Manager | ID = 7016
Description = The NVIDIA Stereoscopic 3D Driver Service service has reported an
invalid current state 0.

Error - 9/8/2010 7:14:42 PM | Computer Name = Andromeda | Source = EventLog | ID = 6008
Description = The previous system shutdown at 3:18:35 PM on ?9/?8/?2010 was unexpected.

Error - 9/13/2010 11:36:20 AM | Computer Name = Andromeda | Source = Application Popup | ID = 1060
Description = \SystemRoot\SysWow64\Drivers\Normandy.SYS has been blocked from loading
due to incompatibility with this system. Please contact your software vendor for
a compatible version of the driver.

Error - 9/13/2010 11:38:00 AM | Computer Name = Andromeda | Source = Application Popup | ID = 1060
Description = \SystemRoot\SysWow64\Drivers\Normandy.SYS has been blocked from loading
due to incompatibility with this system. Please contact your software vendor for
a compatible version of the driver.


< End of report >


As for UnhookerLE, it returns an error:

"Error Loading Driver, NTSTATUS code: 0xC000036B"

Is it possible that it isn't loading because I have a 64bit system?

Please let me know what you'd like me to do next.

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,581 posts
  • Gender:Female
  • Location:Romania

Posted 13 September 2010 - 11:07 AM

Hello again, please let me know how things are after the following steps.


P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e., Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


UPDATE JAVA
------------------
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 21 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#5 Childsp

Childsp
  • Topic Starter

  • Members
  • 15 posts

Posted 15 September 2010 - 11:09 AM

Ok, so I have the logs, but there are three of them. The first time it said it needed to restart to redo the scan; then it restarted and I had an even bigger spyware problem, so the second scan was when I was having popups all over my machine and I couldn't even use my Ctrl-Alt-Delete buttons to shut it down. The third scan was in safe mode with no networking and it went fine. Here are the results:

Scan 1:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4607

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

9/13/2010 12:31:51 PM
mbam-log-2010-09-13 (12-31-51).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 366416
Time elapsed: 1 hour(s), 15 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\OTGV1DNWQQ (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wnxmal (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\YXE7DXCQ37 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yxe7dxcq37 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Childsp\Downloads\Macromedia Studio 8 With Working Keygen- Dreamweaver 8, Flash 8 and Fireworks 8\Macromedia Dreamweaver 8, Flash 8 and Fireworks 8 Keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Childsp\AppData\Local\Temp\Ec1.exe (Trojan.FakeAlert) -> Delete on reboot.

Scan 2:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4607

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

9/13/2010 12:40:27 PM
mbam-log-2010-09-13 (12-40-27).txt

Scan type: Quick scan
Objects scanned: 131162
Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jnsvnatq (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Childsp\AppData\Local\bocxpmkmo\bsfronnuqiw.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\Users\Childsp\AppData\Local\Temp\1.1844636230321411E7.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\Users\Childsp\AppData\Local\Temp\Ecz.exe (Trojan.Alureon) -> Quarantined and deleted successfully.

Scan 3:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4607

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

9/13/2010 2:02:00 PM
mbam-log-2010-09-13 (14-02-00).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 366459
Time elapsed: 1 hour(s), 21 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I also upgraded my Java.

#6 Elise
Bleepin' Blonde, Malware Study Hall Admin

Posted 15 September 2010 - 12:06 PM

Can you please update MBAM and then run a quick scan? Does normal mode still give you pop-ups and the like?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."
Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome
Malware analyst @ Emsisoft


#7 Childsp
Topic Starter

Posted 15 September 2010 - 08:05 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4623

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

9/15/2010 7:05:42 PM
mbam-log-2010-09-15 (19-05-42).txt

Scan type: Quick scan
Objects scanned: 132211
Time elapsed: 6 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Childsp\AppData\Local\Temp\Ec0.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Etysaa.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

No more popups either.

#8 Elise
Bleepin' Blonde, Malware Study Hall Admin

Posted 16 September 2010 - 02:43 AM

Good to hear that. Do you have any problems left?

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  12. Push the button.
  13. Push

regards, Elise



#9 Childsp
Topic Starter

Posted 16 September 2010 - 01:01 PM

It says "cannot get update, is proxy configured?"

This virus has been messing with my internet as well, in the sense that it changed my settings to use proxies. I turned them back on my Mozilla, but these proxy issues keep coming up in different programs.


#10 Childsp
Topic Starter

Posted 16 September 2010 - 01:03 PM

I just fixed it for my Internet Explorer as well.

#11 Elise
Bleepin' Blonde, Malware Study Hall Admin

Posted 16 September 2010 - 01:33 PM

Please post a new OTL log so I can have a look for any proxies.

Edited by elise025, 17 September 2010 - 02:44 AM.

regards, Elise

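As an added example (not from the thread, and not OTL's or Malwarebytes' own code), here is the check Elise is about to do by eye: a Python script that pulls the IE Internet Settings and Firefox network.proxy.* lines out of an OTL log and flags proxies that point at loopback, rating a ProxyServer that is still present but disabled lower than an enabled one. It assumes the OTL line layout seen in this thread and builds its constructed sample from the values in the OTL log Childsp posts next; the network.proxy.type meanings are the standard Firefox ones.

```python
"""Flag proxy hijacks in an OTL log (added example; assumes OTL's line layout as seen on this page)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# IE line:  IE - HKU\<hive>\Software\...\Internet Settings: "ProxyServer" = http=127.0.0.1:6092
IE_RE = re.compile(r'^IE - (HKU\\[^\\]+)\\.*Internet Settings: "(Proxy\w+)" = (.*)$')
# Firefox line:  FF - prefs.js..network.proxy.type: 0
FF_RE = re.compile(r'^FF - prefs\.js\.\.(network\.proxy\.[\w.]+): (.*)$')

# Constructed sample, built from the values shown in this thread's OTL log.
SAMPLE_OTL = r"""
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092
FF - prefs.js..network.proxy.type: 0
"""

@dataclass
class ProxyFinding:
    scope: str      # registry hive (per-user SID) or "Firefox prefs.js"
    severity: str   # high / medium / low / info
    detail: str

def _is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 and 'localhost': a proxy there is a process on the same box."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"

def parse_proxy_servers(value: str) -> dict:
    """Split a WinINet ProxyServer value into {protocol: (host, port)}.
    Handles both forms Windows writes: 'host:port' (all protocols, keyed '*')
    and 'http=host:port;https=host:port'. Bracketed IPv6 is not handled.
    """
    servers = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        proto, sep, endpoint = part.partition("=")
        if not sep:
            proto, endpoint = "*", part
        host, sep, port = endpoint.rpartition(":")
        if not sep:
            host, port = endpoint, ""
        servers[proto.lower()] = (host.strip(), int(port) if port.isdigit() else None)
    return servers

def analyze_otl(lines) -> list:
    """Collect IE proxy values per user hive plus Firefox proxy prefs, then flag them."""
    ie, ff = {}, {}
    for raw in lines:
        line = raw.strip()
        if m := IE_RE.match(line):
            hive, name, value = m.groups()
            ie.setdefault(hive, {})[name] = value.strip()
        elif m := FF_RE.match(line):
            ff[m.group(1)] = m.group(2).strip().strip('"')
    findings = []
    for hive, settings in ie.items():
        server = settings.get("ProxyServer")
        if not server:
            continue
        enable = settings.get("ProxyEnable", "?")
        for proto, (host, port) in parse_proxy_servers(server).items():
            if _is_loopback(host):
                # Live hijack while enabled; a stale leftover (as in this thread) while disabled.
                sev = "high" if enable == "1" else "medium"
                findings.append(ProxyFinding(
                    hive, sev, f"{proto} proxy -> loopback {host}:{port}; ProxyEnable={enable}"))
            elif enable == "1":
                findings.append(ProxyFinding(
                    hive, "low", f"{proto} proxy -> {host}:{port} is active; confirm it is expected"))
    ptype = ff.get("network.proxy.type")  # 0 none, 1 manual, 2 PAC, 4 auto-detect, 5 system
    if ptype == "1":
        for key in ("network.proxy.http", "network.proxy.ssl", "network.proxy.socks"):
            host = ff.get(key)
            if host and _is_loopback(host):
                findings.append(ProxyFinding("Firefox prefs.js", "high", f"manual proxy {key} = {host}"))
    elif ptype == "2":
        findings.append(ProxyFinding("Firefox prefs.js", "medium",
                                     f"PAC in use: {ff.get('network.proxy.autoconfig_url', '?')}"))
    elif ptype == "5" and any(f.scope.startswith("HKU") for f in findings):
        findings.append(ProxyFinding("Firefox prefs.js", "info",
                                     "type 5 = use the system (IE) proxy, so Firefox inherits the findings above"))
    return findings

if __name__ == "__main__":
    for f in analyze_otl(SAMPLE_OTL.strip().splitlines()):
        print(f"[{f.severity}] {f.scope}: {f.detail}")
```

On the sample, the loopback ProxyServer with ProxyEnable = 0 is reported as medium: the setting is stale rather than live, which matches the "keeps coming up" symptom where a hijacker has re-written it and something else has since switched it off.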


#12 Childsp
Topic Starter

Posted 16 September 2010 - 07:20 PM

OTL logfile created on: 9/16/2010 6:34:07 PM - Run 2
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Users\Childsp\Downloads
64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 62.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 227.03 Gb Total Space | 86.02 Gb Free Space | 37.89% Space Free | Partition Type: NTFS
Drive D: | 298.08 Gb Total Space | 30.01 Gb Free Space | 10.07% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 1.26 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANDROMEDA
Current User Name: Childsp
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/09/16 11:59:08 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
PRC - [2010/09/16 11:59:07 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2010/09/13 10:34:33 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Childsp\Downloads\OTL.exe
PRC - [2010/09/11 11:09:35 | 002,969,496 | ---- | M] () -- C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
PRC - [2010/04/03 16:59:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2009/11/24 12:32:22 | 000,234,792 | ---- | M] (Skype Technologies S.A.) -- C:\Program Files (x86)\Skype\Toolbars\Shared\SkypeNames2.exe
PRC - [2009/10/26 15:45:46 | 000,542,272 | ---- | M] (ESET) -- C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineScannerApp.exe
PRC - [2009/10/26 15:45:38 | 000,843,032 | ---- | M] () -- C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2007/11/26 20:06:56 | 000,995,328 | ---- | M] (Hawking Technology) -- C:\Program Files (x86)\Hawking\Common\RaUI.exe


========== Modules (SafeList) ==========

MOD - [2010/09/13 10:34:33 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Childsp\Downloads\OTL.exe
MOD - [2009/07/13 20:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx
MOD - [2009/07/13 20:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\Windows\SysNative\GameMon.des -- (npggsvc)
SRV:64bit: - [2010/06/29 12:49:27 | 000,128,752 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE -- (!SASCORE)
SRV:64bit: - [2010/03/01 20:35:38 | 000,199,536 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS64.exe -- (MSCamSvc)
SRV:64bit: - [2009/07/13 20:41:56 | 000,195,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\umrdp.dll -- (UmRdpService)
SRV:64bit: - [2009/07/13 20:41:53 | 001,361,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\PeerDistSvc.dll -- (PeerDistSvc)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 20:40:24 | 000,689,152 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\cscsvc.dll -- (CscService)
SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2010/09/02 18:20:08 | 001,355,928 | ---- | M] (Lavasoft) [Disabled | Stopped] -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/08/26 18:31:15 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Disabled | Stopped] -- C:\Program Files (x86)\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/08/26 18:31:08 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Disabled | Stopped] -- C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/06/30 14:22:46 | 000,431,432 | ---- | M] () [Disabled | Stopped] -- C:\Program Files (x86)\AVG\AVG9\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2010/04/03 16:59:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/02/24 11:43:00 | 003,461,116 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\SysWow64\GameMon.des -- (npggsvc)
SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)


========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\npptNT2.sys -- (NPPTNT2)
DRV:64bit: - [2010/08/26 18:33:44 | 000,317,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgtdia.sys -- (AvgTdiA)
DRV:64bit: - [2010/08/26 18:33:34 | 000,269,904 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgldx64.sys -- (AvgLdx64)
DRV:64bit: - [2010/08/26 18:33:34 | 000,035,536 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\avgmfx64.sys -- (AvgMfx64)
DRV:64bit: - [2010/08/12 07:15:20 | 000,069,152 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\Lbd.sys -- (Lbd)
DRV:64bit: - [2010/06/23 17:10:56 | 000,344,680 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2010/05/25 01:45:52 | 000,016,392 | ---- | M] (Teruten Inc) [File_System | Disabled | Stopped] -- C:\Windows\SysNative\drivers\TFsExDisk.sys -- (TFsExDisk)
DRV:64bit: - [2010/05/25 01:45:38 | 000,020,568 | ---- | M] (Devguru Co., Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dgderdrv.sys -- (dgderdrv)
DRV:64bit: - [2010/03/01 20:35:38 | 000,036,720 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nx6000.sys -- (MSHUSBVideo)
DRV:64bit: - [2010/02/17 13:23:05 | 000,014,920 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2010/02/17 13:23:05 | 000,012,360 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2009/10/16 02:33:06 | 000,050,176 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2009/07/13 20:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 20:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 20:45:55 | 000,200,272 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vmbus.sys -- (vmbus)
DRV:64bit: - [2009/07/13 20:45:55 | 000,046,672 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\vmstorfl.sys -- (storflt)
DRV:64bit: - [2009/07/13 20:45:55 | 000,034,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\storvsc.sys -- (storvsc)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 19:09:50 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usb8023x.sys -- (usb_rndisx)
DRV:64bit: - [2009/07/13 18:42:58 | 000,006,656 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vms3cap.sys -- (s3cap)
DRV:64bit: - [2009/07/13 18:42:44 | 000,021,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VMBusHID.sys -- (VMBusHID)
DRV:64bit: - [2009/07/13 18:24:27 | 000,514,048 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\csc.sys -- (CSC)
DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/25 05:38:20 | 000,966,144 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netr28ux.sys -- (netr28ux)
DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/02/24 18:35:44 | 000,255,552 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mcdbus.sys -- (mcdbus)
DRV:64bit: - [2006/12/19 19:19:26 | 000,640,512 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\BCMWL664.SYS -- (BCM43XX)
DRV - [2010/09/13 10:39:31 | 000,034,560 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysWow64\drivers\Normandy.sys -- (Normandy)
DRV - [2010/08/12 07:15:22 | 000,016,928 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys -- (Lavasoft Kernexplorer)
DRV - [2010/05/25 01:45:52 | 000,016,392 | ---- | M] (Teruten Inc) [File_System | Disabled | Stopped] -- C:\Windows\SysWOW64\drivers\TFsExDisk.Sys -- (TFsExDisk)
DRV - [2009/02/24 18:35:44 | 000,255,552 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\drivers\mcdbus.sys -- (mcdbus)
DRV - [2005/01/02 16:43:08 | 000,004,682 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\npptNT2.sys -- (NPPTNT2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.2
FF - prefs.js..extensions.enabledItems: support@lastpass.com:1.69.1
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.7.1
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}:2.5.10.1
FF - prefs.js..extensions.enabledItems: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}:6.7.0.1
FF - prefs.js..extensions.enabledItems: {73F696E0-FCBD-49DD-BC11-2309451039B5}:1.9.1
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.845
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{73F696E0-FCBD-49DD-BC11-2309451039B5}: C:\Users\Childsp\AppData\Local\{73F696E0-FCBD-49DD-BC11-2309451039B5}\ [2010/07/22 21:59:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files (x86)\AVG\AVG9\Firefox [2010/08/26 18:30:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files (x86)\AVG\AVG9\Toolbar\Firefox\avg@igeared [2010/08/26 18:33:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/09/16 11:59:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/09/16 11:59:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.3\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2010/09/08 20:13:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.3\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins [2010/07/28 21:36:25 | 000,000,000 | ---D | M]

[2010/03/12 01:45:54 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\Mozilla\Extensions
[2010/03/12 01:45:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Childsp\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/09/15 20:13:55 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\Mozilla\Firefox\Profiles\21fsz237.default\extensions
[2010/05/22 00:20:24 | 000,000,000 | ---D | M] (IE Tab 2 (FF 3.6+)) -- C:\Users\Childsp\AppData\Roaming\Mozilla\Firefox\Profiles\21fsz237.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
[2010/06/26 11:52:49 | 000,000,000 | ---D | M] (iMacros for Firefox) -- C:\Users\Childsp\AppData\Roaming\Mozilla\Firefox\Profiles\21fsz237.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
[2010/08/19 07:56:10 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Childsp\AppData\Roaming\Mozilla\Firefox\Profiles\21fsz237.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/08/30 06:41:45 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Users\Childsp\AppData\Roaming\Mozilla\Firefox\Profiles\21fsz237.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2010/08/29 11:28:56 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Childsp\AppData\Roaming\Mozilla\Firefox\Profiles\21fsz237.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/07/13 13:33:29 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\Mozilla\Firefox\Profiles\21fsz237.default\extensions\support@lastpass.com
[2010/09/15 20:13:55 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/03/12 01:55:55 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/01/13 17:46:00 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll

O1 HOSTS File: ([2009/06/10 16:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll File not found
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [LifeCam] C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000..\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe ()
O4 - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found
O4 - Startup: C:\Users\Childsp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2010/09/04 23:58:38 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Users\Childsp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18:64bit: - Protocol\Handler\AutorunsDisabled\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgppa.dll (AVG Technologies CZ, s.r.o.)
O18:64bit: - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - Reg Error: Key error. File not found
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Handler\AutorunsDisabled\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll ()
O20:64bit: - AppInit_DLLs: (avgrssta.dll) - C:\Windows\SysNative\avgrssta.dll (AVG Technologies CZ, s.r.o.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/09/16 12:25:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2010/09/15 11:23:03 | 000,074,840 | ---- | C] (Kaspersky Lab, SLA) -- C:\Windows\SysNative\drivers\klmd.sys
[2010/09/13 12:24:15 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Local\bocxpmkmo
[2010/09/13 11:20:31 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/09/13 11:09:21 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Roaming\Malwarebytes
[2010/09/13 11:09:13 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/09/13 11:09:12 | 000,024,664 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/09/13 11:09:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/09/13 11:09:11 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/09/13 11:02:48 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Documents\pwnagebot
[2010/09/12 00:33:54 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Documents\The Lord of the Rings Online
[2010/09/12 00:33:54 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Local\The Lord of the Rings Online
[2010/09/11 14:17:06 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Recorded TV
[2010/09/11 14:17:06 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Recorded Audio
[2010/09/11 11:14:26 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Desktop\LOTRO Standard Res Installer Files
[2010/09/11 11:09:58 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Desktop\LOTRO High Res Installer Files
[2010/09/08 23:12:23 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Documents\Dungeons and Dragons Online
[2010/09/08 22:53:18 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Roaming\Turbine
[2010/09/08 22:51:36 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Local\Turbine
[2010/09/08 22:48:51 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Local\ApplicationHistory
[2010/09/08 22:46:52 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\URTTEMP
[2010/09/08 22:25:11 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Turbine
[2010/09/08 20:27:51 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Desktop\DDO standard res install files
[2010/09/06 01:30:51 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Roaming\LolClient
[2010/09/06 00:35:29 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Desktop\LeagueofLegends
[2010/09/05 11:53:36 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Roaming\SUPERAntiSpyware.com
[2010/09/05 11:53:36 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/09/05 11:53:33 | 000,000,000 | ---D | C] -- C:\ProgramData\!SASCORE
[2010/09/05 11:53:31 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/09/05 11:41:54 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW
[2010/09/05 00:14:28 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/09/04 23:58:35 | 000,000,000 | -H-D | C] -- C:\Users\Childsp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
[2010/09/04 23:58:34 | 000,000,000 | -H-D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
[2010/08/26 21:51:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ToniArts
[2010/08/26 19:01:45 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Local\AVG Security Toolbar
[2010/08/26 18:58:12 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010/08/26 18:33:44 | 000,013,048 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\avgrssta.dll
[2010/08/26 18:33:42 | 000,317,520 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgtdia.sys
[2010/08/26 18:33:34 | 000,269,904 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgldx64.sys
[2010/08/26 18:33:31 | 000,035,536 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgmfx64.sys
[2010/08/26 18:33:30 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\Avg
[2010/08/26 18:33:28 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG Security Toolbar
[2010/08/26 18:28:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AVG
[2010/08/26 18:28:08 | 000,000,000 | ---D | C] -- C:\ProgramData\avg9
[2010/08/26 18:13:55 | 000,069,152 | ---- | C] (Lavasoft AB) -- C:\Windows\SysNative\drivers\Lbd.sys
[2010/08/26 18:13:44 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Local\Sunbelt Software
[2010/08/26 18:13:24 | 000,000,000 | -H-D | C] -- C:\ProgramData\{ECC164E0-3133-4C70-A831-F08DB2940F70}
[2010/08/26 18:12:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Lavasoft
[2010/08/26 18:12:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2010/08/26 18:02:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/08/26 18:02:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2010/08/14 17:41:28 | 000,000,000 | ---D | C] -- C:\Users\Childsp\.android
[2010/08/11 14:41:37 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Desktop\Melber, Derek
[2010/08/11 14:41:09 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Desktop\Unknown
[2010/08/11 14:33:30 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Calibre Library
[2010/08/11 14:33:28 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Roaming\calibre
[2010/08/11 14:33:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Calibre2
[2010/08/09 16:43:06 | 000,344,680 | ---- | C] (Realtek ) -- C:\Windows\SysNative\drivers\Rt64win7.sys
[2010/08/09 16:43:06 | 000,107,552 | ---- | C] (Realtek Semiconductor Corporation) -- C:\Windows\SysNative\RTNUninst64.dll
[2010/07/29 10:39:37 | 000,000,000 | ---D | C] -- C:\Users\Childsp\Documents\Samsung
[2010/07/29 10:38:11 | 000,020,480 | ---- | C] (Teruten Inc) -- C:\Windows\SysWow64\FsExService64.Exe
[2010/07/29 10:38:11 | 000,016,392 | ---- | C] (Teruten Inc) -- C:\Windows\SysWow64\drivers\TFsExDisk.Sys
[2010/07/29 10:38:11 | 000,016,392 | ---- | C] (Teruten Inc) -- C:\Windows\SysNative\drivers\TFsExDisk.sys
[2010/07/29 10:37:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\PC Connectivity Solution
[2010/07/29 10:37:49 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Roaming\Samsung
[2010/07/29 10:37:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Samsung
[2010/07/29 10:37:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MarkAny
[2010/07/29 10:37:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Samsung
[2010/07/29 10:37:37 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Samsung
[2010/07/29 10:27:48 | 000,000,000 | ---D | C] -- C:\Program Files\Samsung
[2010/07/29 10:18:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\CeRegEditor
[2010/07/22 21:59:24 | 000,000,000 | ---D | C] -- C:\Users\Childsp\AppData\Local\{73F696E0-FCBD-49DD-BC11-2309451039B5}
[2010/07/22 00:35:56 | 000,703,352 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Users\Childsp\Desktop\autoruns.exe
[2010/07/22 00:35:54 | 000,585,080 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Users\Childsp\Desktop\autorunsc.exe
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/09/16 18:36:22 | 001,572,864 | -HS- | M] () -- C:\Users\Childsp\NTUSER.DAT
[2010/09/16 13:44:00 | 000,023,360 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/16 13:44:00 | 000,023,360 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/16 13:36:52 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/16 13:36:43 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/16 13:36:41 | 3220,037,632 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/16 13:31:39 | 001,883,716 | -H-- | M] () -- C:\Users\Childsp\AppData\Local\IconCache.db
[2010/09/15 11:23:03 | 000,074,840 | ---- | M] (Kaspersky Lab, SLA) -- C:\Windows\SysNative\drivers\klmd.sys
[2010/09/15 11:20:24 | 000,001,058 | ---- | M] () -- C:\Users\Childsp\Desktop\rkill - Shortcut.lnk
[2010/09/13 11:09:16 | 000,001,013 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/13 10:39:31 | 000,034,560 | ---- | M] () -- C:\Windows\SysWow64\drivers\Normandy.sys
[2010/09/12 00:28:17 | 000,002,229 | ---- | M] () -- C:\Users\Childsp\Desktop\The Lord of the Rings Online.lnk
[2010/09/11 14:16:00 | 000,002,023 | ---- | M] () -- C:\Users\Public\Desktop\Winamp Remote.lnk
[2010/09/10 01:37:23 | 000,001,674 | ---- | M] () -- C:\Users\Childsp\Desktop\dndlauncher - Shortcut.lnk
[2010/09/08 22:51:38 | 000,000,095 | ---- | M] () -- C:\Users\Childsp\AppData\Local\fusioncache.dat
[2010/09/08 22:48:40 | 000,743,126 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/09/08 22:48:40 | 000,623,890 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/09/08 22:48:40 | 000,107,522 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/09/06 01:14:02 | 000,001,720 | ---- | M] () -- C:\Users\Public\Desktop\Play League of Legends.lnk
[2010/09/05 11:53:33 | 000,001,808 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/09/05 11:37:38 | 000,002,828 | ---- | M] () -- C:\Users\Childsp\Desktop\Attach.zip
[2010/09/05 00:01:09 | 002,432,079 | ---- | M] () -- C:\Users\Childsp\Documents\AutoRuns.arn
[2010/09/04 23:57:20 | 000,703,352 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Users\Childsp\Desktop\autoruns.exe
[2010/09/04 23:57:20 | 000,585,080 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Users\Childsp\Desktop\autorunsc.exe
[2010/09/04 23:57:19 | 000,048,904 | ---- | M] () -- C:\Users\Childsp\Desktop\autoruns.chm
[2010/09/04 18:01:59 | 064,319,035 | ---- | M] () -- C:\Windows\SysNative\drivers\Avg\incavi.avm
[2010/08/28 11:15:00 | 000,003,730 | ---- | M] () -- C:\Users\Childsp\AppData\Local\RT2870_{DAB6E7E4-54FB-4A05-BEE5-D0348141DB65}_prof
[2010/08/28 11:15:00 | 000,000,743 | ---- | M] () -- C:\Users\Childsp\AppData\Local\RT2870_{DAB6E7E4-54FB-4A05-BEE5-D0348141DB65}_sta
[2010/08/26 23:49:06 | 000,713,888 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/08/26 21:45:36 | 000,018,944 | ---- | M] () -- C:\Users\Childsp\Desktop\Philip Childs Resume.doc
[2010/08/26 18:33:46 | 000,013,048 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\avgrssta.dll
[2010/08/26 18:33:46 | 000,001,858 | ---- | M] () -- C:\Users\Public\Desktop\AVG Free 9.0.lnk
[2010/08/26 18:33:44 | 000,317,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgtdia.sys
[2010/08/26 18:33:34 | 000,269,904 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgldx64.sys
[2010/08/26 18:33:34 | 000,035,536 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgmfx64.sys
[2010/08/26 18:33:31 | 000,113,461 | ---- | M] () -- C:\Windows\SysNative\drivers\Avg\iavichjw.avm
[2010/08/26 18:13:21 | 000,001,166 | ---- | M] () -- C:\Users\Childsp\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/08/26 18:13:21 | 000,001,142 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/08/26 18:02:34 | 000,001,262 | ---- | M] () -- C:\Users\Childsp\Desktop\Spybot - Search & Destroy.lnk
[2010/08/26 17:59:13 | 000,073,754 | ---- | M] () -- C:\Users\Childsp\Desktop\AVG.html
[2010/08/24 10:54:21 | 000,001,616 | ---- | M] () -- C:\Users\Childsp\Desktop\DivX Movies.lnk
[2010/08/24 10:54:04 | 000,001,116 | ---- | M] () -- C:\Users\Public\Desktop\DivX Plus Player.lnk
[2010/08/17 10:29:19 | 000,027,834 | ---- | M] () -- C:\Users\Childsp\Desktop\resources_hna44.s2z
[2010/08/14 18:03:44 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_WinUsb_01007.Wdf
[2010/08/13 03:17:33 | 000,289,152 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/08/12 07:15:20 | 000,069,152 | ---- | M] (Lavasoft AB) -- C:\Windows\SysNative\drivers\Lbd.sys
[2010/08/12 07:15:20 | 000,015,880 | ---- | M] () -- C:\Windows\SysNative\lsdelete.exe
[2010/08/11 14:33:23 | 000,000,960 | ---- | M] () -- C:\Users\Public\Desktop\calibre - E-book management.lnk
[2010/08/09 16:38:29 | 000,001,106 | ---- | M] () -- C:\Users\Childsp\Desktop\EVEREST Home Edition.lnk
[2010/07/29 10:37:47 | 000,002,006 | ---- | M] () -- C:\aqua_bitmap.cpp
[2010/07/28 21:36:25 | 000,002,014 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/07/27 00:06:53 | 000,000,120 | ---- | M] () -- C:\Users\Childsp\AppData\Local\Pwiceyu.dat
[2010/07/27 00:06:53 | 000,000,000 | ---- | M] () -- C:\Users\Childsp\AppData\Local\Ljada.bin
[2010/06/23 17:10:56 | 000,344,680 | ---- | M] (Realtek ) -- C:\Windows\SysNative\drivers\Rt64win7.sys
[2010/06/21 11:03:20 | 000,291,840 | ---- | M] (Notausgang) -- C:\Users\Childsp\Desktop\HoN_ModMan.exe
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/15 11:20:24 | 000,001,058 | ---- | C] () -- C:\Users\Childsp\Desktop\rkill - Shortcut.lnk
[2010/09/13 11:09:16 | 000,001,013 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/13 10:36:20 | 000,034,560 | ---- | C] () -- C:\Windows\SysWow64\drivers\Normandy.sys
[2010/09/12 00:28:17 | 000,002,229 | ---- | C] () -- C:\Users\Childsp\Desktop\The Lord of the Rings Online.lnk
[2010/09/10 01:37:23 | 000,001,674 | ---- | C] () -- C:\Users\Childsp\Desktop\dndlauncher - Shortcut.lnk
[2010/09/08 22:51:38 | 000,000,095 | ---- | C] () -- C:\Users\Childsp\AppData\Local\fusioncache.dat
[2010/09/08 22:47:23 | 000,743,126 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/09/06 01:14:02 | 000,001,720 | ---- | C] () -- C:\Users\Public\Desktop\Play League of Legends.lnk
[2010/09/05 11:53:33 | 000,001,808 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/09/05 11:37:38 | 000,002,828 | ---- | C] () -- C:\Users\Childsp\Desktop\Attach.zip
[2010/09/05 00:01:08 | 002,432,079 | ---- | C] () -- C:\Users\Childsp\Documents\AutoRuns.arn
[2010/08/28 10:53:48 | 000,015,880 | ---- | C] () -- C:\Windows\SysNative\lsdelete.exe
[2010/08/26 21:44:02 | 000,018,944 | ---- | C] () -- C:\Users\Childsp\Desktop\Philip Childs Resume.doc
[2010/08/26 18:33:46 | 000,001,858 | ---- | C] () -- C:\Users\Public\Desktop\AVG Free 9.0.lnk
[2010/08/26 18:33:31 | 000,113,461 | ---- | C] () -- C:\Windows\SysNative\drivers\Avg\iavichjw.avm
[2010/08/26 18:33:30 | 064,319,035 | ---- | C] () -- C:\Windows\SysNative\drivers\Avg\incavi.avm
[2010/08/26 18:13:21 | 000,001,166 | ---- | C] () -- C:\Users\Childsp\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/08/26 18:13:21 | 000,001,142 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/08/26 18:02:34 | 000,001,262 | ---- | C] () -- C:\Users\Childsp\Desktop\Spybot - Search & Destroy.lnk
[2010/08/26 17:59:11 | 000,073,754 | ---- | C] () -- C:\Users\Childsp\Desktop\AVG.html
[2010/08/17 10:30:24 | 000,027,834 | ---- | C] () -- C:\Users\Childsp\Desktop\resources_hna44.s2z
[2010/08/14 18:03:44 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_WinUsb_01007.Wdf
[2010/08/11 14:33:23 | 000,000,960 | ---- | C] () -- C:\Users\Public\Desktop\calibre - E-book management.lnk
[2010/08/09 16:43:06 | 000,074,272 | ---- | C] () -- C:\Windows\SysNative\RtNicProp64.dll
[2010/08/09 16:38:29 | 000,001,106 | ---- | C] () -- C:\Users\Childsp\Desktop\EVEREST Home Edition.lnk
[2010/07/29 10:37:10 | 000,002,006 | ---- | C] () -- C:\aqua_bitmap.cpp
[2010/07/22 21:59:29 | 000,000,120 | ---- | C] () -- C:\Users\Childsp\AppData\Local\Pwiceyu.dat
[2010/07/22 21:59:29 | 000,000,000 | ---- | C] () -- C:\Users\Childsp\AppData\Local\Ljada.bin
[2010/03/27 17:30:29 | 000,000,600 | ---- | C] () -- C:\Users\Childsp\AppData\Local\PUTTY.RND
[2010/03/18 21:57:06 | 000,000,262 | ---- | C] () -- C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
[2010/03/17 03:50:24 | 000,000,745 | ---- | C] () -- C:\Users\Childsp\AppData\Roaming\AtomicAlarmClock.ini
[2010/03/11 15:42:51 | 000,000,743 | ---- | C] () -- C:\Users\Childsp\AppData\Local\RT2870_{DAB6E7E4-54FB-4A05-BEE5-D0348141DB65}_sta
[2010/03/11 15:41:38 | 000,003,730 | ---- | C] () -- C:\Users\Childsp\AppData\Local\RT2870_{DAB6E7E4-54FB-4A05-BEE5-D0348141DB65}_prof
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2005/08/14 17:11:59 | 000,095,232 | ---- | C] () -- C:\Windows\SysWow64\mkx.dll
[2005/08/14 17:11:44 | 000,041,984 | ---- | C] () -- C:\Windows\SysWow64\avi.dll
[2005/08/14 17:11:28 | 000,057,856 | ---- | C] () -- C:\Windows\SysWow64\mp4.dll
[2005/08/09 17:12:28 | 003,596,288 | ---- | C] () -- C:\Windows\SysWow64\qt-dx331.dll
[2005/04/04 06:35:24 | 000,745,472 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2002/11/15 07:11:28 | 000,077,824 | ---- | C] () -- C:\Windows\SysWow64\MMSwitch.dll

========== LOP Check ==========

[2010/09/11 14:10:31 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\.purple
[2010/08/11 18:39:34 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\calibre
[2010/06/13 12:05:13 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\Darkfall
[2010/06/13 11:48:12 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\Darkfall US
[2010/03/12 19:09:43 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\GetRightToGo
[2010/04/30 22:03:41 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\GSC 2.00
[2010/09/06 01:30:51 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\LolClient
[2010/04/17 11:19:09 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
[2010/03/26 23:38:09 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\OpenOffice.org
[2010/03/17 03:52:18 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\Orangeline Interactive
[2010/08/26 21:49:48 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\Samsung
[2010/03/12 01:45:53 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\Thunderbird
[2010/09/08 22:53:18 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\Turbine
[2010/09/14 01:41:47 | 000,000,000 | ---D | M] -- C:\Users\Childsp\AppData\Roaming\uTorrent
[2009/07/14 00:08:49 | 000,008,360 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >


#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,581 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:15 PM

Posted 17 September 2010 - 02:47 AM

Hi, indeed a proxy leftover there. Please follow the steps below then see again if the scan works.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy

OTL FIX
------------
We need to run an OTL Fix
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :otl
    IE - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092

    :commands
    [emptytemp]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif
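The leftover removed by the OTL fix above is a per-user Internet Settings value, "ProxyServer" = http=127.0.0.1:6092, which silently routes the browser through a local port that nothing legitimate is listening on once the malware is gone. As an added example (not part of this thread, and not OTL's or OldTimer's code), the following Python script parses OTL-style "IE - ... Internet Settings" lines and flags any ProxyServer entry that points at the loopback address, so a helper can spot this kind of leftover in a posted log before writing a fix script. The log lines embedded in it are constructed samples in the same format as the log quoted in the thread; the SIDs and the host name proxy.example.test are made up.

```python
import re
from ipaddress import ip_address

# Matches OTL "IE - HKU\<SID>\...\Internet Settings: "Name" = value" lines.
# The line format follows the OTL log quoted in the thread.
PROXY_LINE = re.compile(
    r'^IE - (?P<hive>HK(?:LM|U\\[^\\]+))\\(?P<key>.*Internet Settings): '
    r'"(?P<name>[^"]+)" = (?P<value>.*)$'
)

# Constructed sample log (not from the thread): one user hive carries a loopback
# proxy, another hive carries an ordinary corporate-looking proxy.
SAMPLE_OTL_LOG = r"""
========== Internet Explorer ==========
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092
IE - HKU\S-1-5-21-4444444444-5555555555-6666666666-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.example.test:8080
""".strip()


def parse_proxy_settings(log_text):
    """Return {hive: {value_name: value}} for every Internet Settings line in an OTL log."""
    settings = {}
    for line in log_text.splitlines():
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue
        settings.setdefault(m.group("hive"), {})[m.group("name")] = m.group("value")
    return settings


def parse_proxy_server(value):
    """Split a ProxyServer value into (scheme, host, port) tuples.

    Accepts both the per-protocol form 'http=127.0.0.1:6092;https=...' and the
    plain 'host:port' form; scheme is 'all' for the plain form, port is None
    when absent.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")   # scheme is '' for plain host:port
        if ":" in hostport:
            host, port = hostport.rsplit(":", 1)
        else:
            host, port = hostport, None
        entries.append((scheme or "all", host, int(port) if port and port.isdigit() else None))
    return entries


def is_loopback(host):
    """True for 'localhost' and any 127.0.0.0/8 or ::1 address."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:        # a host name, not an IP literal
        return False


def find_suspicious_proxies(log_text):
    """List every ProxyServer entry that sends browser traffic to the local machine.

    A loopback proxy is only a leftover when no installed software owns that port,
    so each finding is something to review against the machine's software list,
    not proof of infection on its own.
    """
    findings = []
    for hive, entries in parse_proxy_settings(log_text).items():
        if "ProxyServer" not in entries:
            continue
        enabled = entries.get("ProxyEnable", "?")
        for scheme, host, port in parse_proxy_server(entries["ProxyServer"]):
            if is_loopback(host):
                findings.append({"hive": hive, "scheme": scheme, "host": host,
                                 "port": port, "proxy_enable": enabled})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_proxies(SAMPLE_OTL_LOG):
        print(f"{f['hive']}: {f['scheme']} proxy -> {f['host']}:{f['port']} "
              f"(ProxyEnable={f['proxy_enable']}) - review this entry")
```

Run against the sample, the script reports the 127.0.0.1:6092 entry for the first user hive and stays quiet about the host-name proxy in the second. Loopback proxies are also used by some antivirus web filters and debugging proxies, which is why the function reports rather than judges; the helper's next step is to check which process, if any, listens on that port before deciding it is a leftover to remove.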


#14 Childsp

Childsp
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:15 PM

Posted 17 September 2010 - 10:54 AM

Here is the report:

All processes killed
========== OTL ==========
HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\S-1-5-21-3498346600-3206276682-1160050912-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Childsp
->Temp folder emptied: 111424118 bytes
->Temporary Internet Files folder emptied: 3458854 bytes
->Java cache emptied: 2076309 bytes
->FireFox cache emptied: 74453272 bytes
->Flash cache emptied: 103273 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 8 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 66356 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 770204 bytes

Total Files Cleaned = 184.00 mb


OTL by OldTimer - Version 3.2.12.0 log created on 09172010_104930

Files\Folders moved on Reboot...
C:\Users\Childsp\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,581 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:15 PM

Posted 17 September 2010 - 12:07 PM

Does the scan work now?

regards, Elise
