Unknown malware or possible rootkit defy extraction


  • This topic is locked
36 replies to this topic

#1 majorwest

  • Members
  • 80 posts
  • Gender:Male
  • Location:Home

Posted 23 September 2010 - 11:13 PM

Have been working with Boopme on the "AM I INFECTED" forum and he suggested escalating my problem to the next level on this forum.

http://www.bleepingcomputer.com/forums/topic346528.html

Brief description: Intel i7 6gb ram Vista64 running Avira Antivir. Two weeks ago after reboot Vista reported security service center was not running. Tried to start the service but was denied. Desktop was extremely sluggish like memory maxed out. Certain folders/apps wouldn't start, just hang. After several reboots it progressed to almost nothing would run - random behavior, sometimes task mgr would open, next reboot it wouldn't. None of my security apps would run at all. After working in the other forum, it eventually progressed to a black screen after reboot that would persist for up to an hour before desktop would appear, but then still not able to run most apps. The black screen behavior is odd, today after two different reboots the desktop appeared instantly with no black screen. On third reboot, black screen again. The only thing that I did in each instance was run exehelper and malwarebytes/quickscan in safe mode. However, in all instances, as soon as desktop appeared still was not able to run most apps.

Due to the conditions in normal mode, I could only run steps 6-9 of the prep guide in SAFE mode. I was unable to get my settings for GMER to look like the one in the prep guide, presumably because it must be run in normal mode. So I did not run it, and do not have a log to post.

DDS


DDS (Ver_10-03-17.01) - NTFSX64 NETWORK
Run by Dad at 22:10:33.05 on Thu 09/23/2010
Internet Explorer: 8.0.6001.18943
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.6134.5343 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Dad\Desktop\INFECTION\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = Preserve
mLocal Page = c:\windows\syswow64\blank.htm
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files (x86)\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files (x86)\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files (x86)\windows live toolbar\msntb.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [uTorrent] "c:\program files (x86)\utorrent\uTorrent.exe"
uRun: [AutoStartNPSAgent] c:\program files (x86)\samsung\samsung new pc studio\NPSAgent.exe
uRun: [PlayOn] c:\program files (x86)\mediamall\PlayOn.exe
mRun: [TurboV] "c:\program files\asus\turbov\TurboV.exe"
mRun: [avgnt] "c:\program files (x86)\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NPSStartup]
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files (x86)\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] "c:\program files (x86)\malwarebytes' anti-malware\mbamgui.exe" /install /silent
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
Trusted Zone: one-time-offer.com
Trusted Zone: pizzahut.com\quikorder
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} - hxxp://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - hxxp://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} - hxxp://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
TB-X64: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe
mRun-x64: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
mRun-x64: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun-x64: [lxdumon.exe] "c:\program files (x86)\lexmark 5600-6600 series\lxdumon.exe"
mRun-x64: [lxduamon] "c:\program files (x86)\lexmark 5600-6600 series\lxduamon.exe"

============= SERVICES / DRIVERS ===============

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\avira\antivir desktop\sched.exe [2009-7-22 108289]
S2 AntiVirService;Avira AntiVir Guard;c:\program files (x86)\avira\antivir desktop\avguard.exe [2009-7-22 185089]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\asus\assysctrlservice\1.00.00\AsSysCtrlService.exe [2008-8-15 86016]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-22 74880]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 DvmMDES;DeviceVM Meta Data Export Service;c:\asus.sys\config\DVMExportService.exe [2008-11-26 323584]
S2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
S2 MediaMall Server;MediaMall Server;c:\program files (x86)\mediamall\MediaMallServer.exe [2010-2-16 3856752]
S2 Norton Internet Security;Norton Internet Security;"c:\program files (x86)\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files (x86)\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files (x86)\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-6-29 40464]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-7-14 239648]
S3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [2010-1-13 35840]
S3 ENTECH64;ENTECH64;c:\windows\system32\drivers\Entech64.sys [2008-6-27 12744]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]
S3 PS3 Media Server;PS3 Media Server;c:\program files (x86)\ps3 media server\win32\service\wrapper.exe [2010-1-12 217088]
S3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\drivers\sscebus.sys [2009-5-13 116224]
S3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\drivers\sscemdfl.sys [2010-6-14 18944]
S3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\drivers\sscemdm.sys [2010-6-14 158208]
S3 TFsExDisk;TFsExDisk;c:\windows\system32\drivers\TFsExDisk.sys [2010-6-14 16392]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl64.sys [2010-4-19 50688]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework64\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-7-22 93184]

============== File Associations ===============

JSEFile=c:\windows\syswow64\WScript.exe "%1" %*

=============== Created Last 30 ================

2010-09-23 22:47:39 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-09-23 17:36:09 524288 --sha-w- c:\users\dad\ntuser.dat{d04c8696-c738-11df-8a9c-0026187765e0}.TMContainer00000000000000000002.regtrans-ms
2010-09-23 17:36:08 65536 --sha-w- c:\users\dad\ntuser.dat{d04c8696-c738-11df-8a9c-0026187765e0}.TM.blf
2010-09-23 17:36:08 524288 --sha-w- c:\users\dad\ntuser.dat{d04c8696-c738-11df-8a9c-0026187765e0}.TMContainer00000000000000000001.regtrans-ms
2010-09-22 11:15:05 0 d-----w- c:\programdata\Gosu(41)
2010-09-21 14:07:44 0 d-----w- c:\users\dad\appdata\roaming\Bitrix Security
2010-09-20 13:02:19 664576 ----a-w- C:\hotfix.bak
2010-09-14 04:39:59 0 d-----w- c:\windows\pss
2010-09-13 19:01:33 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-09-13 19:01:33 0 d-----w- c:\program files (x86)\Spybot - Search & Destroy
2010-09-12 04:38:43 65536 --sha-w- c:\users\dad\ntuser.dat{10760285-be20-11df-bb48-0026187765e0}.TM.blf
2010-09-12 04:38:43 524288 --sha-w- c:\users\dad\ntuser.dat{10760285-be20-11df-bb48-0026187765e0}.TMContainer00000000000000000002.regtrans-ms
2010-09-12 04:38:43 524288 --sha-w- c:\users\dad\ntuser.dat{10760285-be20-11df-bb48-0026187765e0}.TMContainer00000000000000000001.regtrans-ms
2010-09-12 02:15:54 0 d-----w- c:\programdata\WindowsSearch
2010-09-12 01:32:33 65536 --sha-w- c:\users\dad\ntuser.dat{9785f76b-bda0-11df-8063-0026187765e0}.TM.blf
2010-09-12 01:32:33 524288 --sha-w- c:\users\dad\ntuser.dat{9785f76b-bda0-11df-8063-0026187765e0}.TMContainer00000000000000000002.regtrans-ms
2010-09-12 01:32:33 524288 --sha-w- c:\users\dad\ntuser.dat{9785f76b-bda0-11df-8063-0026187765e0}.TMContainer00000000000000000001.regtrans-ms
2010-09-12 01:10:45 0 d-----w- c:\users\dad\appdata\roaming\KillProcess
2010-09-12 01:10:24 0 d-----w- c:\program files (x86)\KillProcess
2010-09-11 11:57:17 0 d-----w- c:\users\dad\appdata\roaming\SUPERAntiSpyware.com
2010-09-11 11:57:17 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-09-11 11:57:12 0 d-----w- c:\program files\SUPERAntiSpyware
2010-09-10 20:11:36 0 d-----w- C:\Autoruns
2010-09-10 13:20:20 0 d-----w- c:\program files (x86)\ESET
2010-09-10 13:15:06 0 d-----w- c:\program files (x86)\Panda Security
2010-09-10 00:52:31 0 d-----w- c:\users\dad\DoctorWeb
2010-09-09 22:27:44 0 d-----w- c:\programdata\Gosu(19)
2010-08-30 12:31:33 0 d-----w- c:\program files (x86)\Jasc Software Inc
2010-08-26 15:57:23 0 d-----w- c:\program files (x86)\MKVtoolnix
2010-08-25 08:52:30 0 d-----w- c:\programdata\Gosu

==================== Find3M ====================

2010-09-23 22:39:45 74425 ----a-w- c:\programdata\nvModes.dat
2010-07-26 16:55:26 11581440 ----a-w- c:\windows\syswow64\shell32.dll
2010-06-26 06:30:12 1147904 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:25:54 77312 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:25:54 132096 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 06:05:49 916480 ----a-w- c:\windows\syswow64\wininet.dll
2010-06-26 06:05:41 1210368 ----a-w- c:\windows\syswow64\urlmon.dll
2010-06-26 06:04:40 206848 ----a-w- c:\windows\syswow64\occache.dll
2010-06-26 06:03:22 611840 ----a-w- c:\windows\syswow64\mstime.dll
2010-06-26 06:03:04 5951488 ----a-w- c:\windows\syswow64\mshtml.dll
2010-06-26 06:03:02 599040 ----a-w- c:\windows\syswow64\msfeeds.dll
2010-06-26 06:03:02 55296 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-06-26 06:02:31 25600 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-06-26 06:02:15 71680 ----a-w- c:\windows\syswow64\iesetup.dll
2010-06-26 06:02:15 1986560 ----a-w- c:\windows\syswow64\iertutil.dll
2010-06-26 06:02:15 164352 ----a-w- c:\windows\syswow64\ieui.dll
2010-06-26 06:02:15 109056 ----a-w- c:\windows\syswow64\iesysprep.dll
2010-06-26 06:02:14 55808 ----a-w- c:\windows\syswow64\iernonce.dll
2010-06-26 06:02:14 184320 ----a-w- c:\windows\syswow64\iepeers.dll
2010-06-26 06:02:14 11077120 ----a-w- c:\windows\syswow64\ieframe.dll
2010-06-26 06:02:09 387584 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-06-26 04:47:47 162816 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-26 04:25:02 133632 ----a-w- c:\windows\syswow64\ieUnatt.exe
2010-06-26 04:24:51 173056 ----a-w- c:\windows\syswow64\ie4uinit.exe
2010-06-26 04:24:17 13312 ----a-w- c:\windows\syswow64\msfeedssync.exe
2010-06-22 20:11:14 51200 ----a-w- c:\windows\inf\infpub.dat
2010-06-22 20:11:13 86016 ----a-w- c:\windows\inf\infstor.dat
2010-06-22 20:11:13 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-07-23 03:15:46 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 03:21:59 174 --sha-w- c:\program files\desktop.ini
2008-01-21 03:21:59 174 --sha-w- c:\program files (x86)\desktop.ini
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2006-06-24 06:47:48 30720 ----a-r- c:\windows\inf\UpdateUSB.exe
2010-01-11 00:08:31 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 22:12:12.65 ===============


#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 30 September 2010 - 04:45 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 majorwest (Topic Starter)

  • Members
  • 80 posts
  • Gender:Male
  • Location:Home

Posted 30 September 2010 - 06:18 AM

Good morning Elise! I'll begin working on this when I return home from work this evening. Thank you!

#4 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 30 September 2010 - 07:03 AM

Thank you for letting me know!

regards, Elise




#5 majorwest (Topic Starter)

  • Members
  • 80 posts
  • Gender:Male
  • Location:Home

Posted 30 September 2010 - 09:20 PM

Hi. There hasn't been any change since I first posted. The few times I booted into normal mode proved this. I am pretty much operating in safe mode at present.

Though ODT ran without any problems, Unhooker gave me an error message when I ran it: "Error loading drive, NTSTATUS code: 0xC000035F" so was unable to post a log.

A note about the ODT log: the log reveals a doc file that is in my full name. I took the liberty of changing it to xxxxxx.doc (there are two instances in the log) because I do not want my full name being shown in a public forum. I hope this is acceptable and that you understand.

Also, on 9-27 I received a Windows Security Alert: "Windows Firewall has blocked this program from accepting incoming network connections. If you unblock this program, it will be unblocked on all private networks that you connect to."
Name: onbio
Publisher: Unknown
Path: C:\users\dad\appdata\roaming\equga\onbio.exe
Network location: Private network
Actions: Keep blocking/Unblock

I also noticed that onbio.exe was running in Task Manager.

ODT Log
OTL logfile created on: 9/30/2010 7:08:58 AM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Users\Dad\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18943)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

6.00 Gb Total Physical Memory | 5.00 Gb Available Physical Memory | 78.00% Memory free
12.00 Gb Paging File | 11.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 931.51 Gb Total Space | 26.05 Gb Free Space | 2.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 73.19 Gb Total Space | 24.50 Gb Free Space | 33.47% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive L: | 93.36 Gb Total Space | 73.01 Gb Free Space | 78.20% Space Free | Partition Type: NTFS
Drive M: | 3.49 Gb Total Space | 3.35 Gb Free Space | 95.78% Space Free | Partition Type: NTFS
Drive N: | 298.09 Gb Total Space | 45.53 Gb Free Space | 15.27% Space Free | Partition Type: NTFS
Drive O: | 931.51 Gb Total Space | 384.46 Gb Free Space | 41.27% Space Free | Partition Type: NTFS

Computer Name: DAD-PC
Current User Name: Dad
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/09/30 06:48:58 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Dad\Desktop\OTL.exe
PRC - [2009/09/07 20:55:25 | 000,139,264 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Java\jre6\bin\javaw.exe


========== Modules (SafeList) ==========

MOD - [2010/09/30 06:48:58 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Dad\Desktop\OTL.exe
MOD - [2008/01/20 21:50:01 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx
MOD - [2008/01/20 21:48:37 | 000,153,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\imagehlp.dll
MOD - [2008/01/20 21:48:06 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
MOD - [2006/11/02 03:33:06 | 000,002,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\normaliz.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2008/05/23 07:58:53 | 001,040,552 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\lxducoms.exe -- (lxdu_device)
SRV:64bit: - [2008/01/20 21:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2010/07/28 08:48:30 | 003,856,752 | ---- | M] (MediaMall Technologies, Inc.) [Auto | Stopped] -- C:\Program Files (x86)\MediaMall\MediaMallServer.exe -- (MediaMall Server)
SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/18 14:27:14 | 001,020,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 14:27:14 | 000,138,576 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_64)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/01/12 18:24:18 | 000,217,088 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files (x86)\PS3 Media Server\win32\service\wrapper.exe -- (PS3 Media Server)
SRV - [2009/08/05 11:13:46 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/07/14 13:28:00 | 000,239,648 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/11/26 12:36:12 | 000,323,584 | -H-- | M] (DeviceVM) [Auto | Stopped] -- C:\ASUS.SYS\config\DVMExportService.exe -- (DvmMDES)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/08/15 03:23:20 | 000,086,016 | R--- | M] () [Auto | Stopped] -- C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe -- (AsSysCtrlService)
SRV - [2008/05/23 07:58:34 | 000,594,600 | ---- | M] ( ) [Auto | Stopped] -- C:\Windows\SysWow64\lxducoms.exe -- (lxdu_device)
SRV - [2007/10/25 17:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/10/18 13:31:54 | 000,098,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2007/05/31 17:11:54 | 000,443,784 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007/05/31 17:11:46 | 000,225,672 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)


========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1000000.07D\SRTSPX64.SYS -- (SRTSPX)
DRV:64bit: - File not found [File_System | System | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1000000.07D\SRTSP64.SYS -- (SRTSP)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ipinip.sys -- (IpInIp)
DRV:64bit: - [2010/04/19 20:47:42 | 000,050,688 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2009/12/12 00:26:43 | 000,074,880 | ---- | M] () [File_System | Auto | Stopped] -- C:\Windows\SysNative\DRIVERS\avgntflt.sys -- (avgntflt)
DRV:64bit: - [2009/11/16 04:13:26 | 000,271,360 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys -- (RTL8169)
DRV:64bit: - [2009/10/14 11:02:20 | 000,027,304 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\povrtdev.sys -- (msvad_simple)
DRV:64bit: - [2009/09/14 20:36:04 | 000,082,816 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\pcouffin.sys -- (pcouffin)
DRV:64bit: - [2009/08/03 09:22:58 | 000,016,392 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\TFsExDisk.sys -- (TFsExDisk)
DRV:64bit: - [2009/05/22 18:08:37 | 000,036,352 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\VClone.sys -- (VClone)
DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/05/13 11:41:08 | 000,158,208 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\sscemdm.sys -- (sscemdm)
DRV:64bit: - [2009/05/13 11:41:08 | 000,018,944 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\sscemdfl.sys -- (sscemdfl)
DRV:64bit: - [2009/05/13 11:41:06 | 000,116,224 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\sscebus.sys -- (sscebus) SAMSUNG USB Composite Device V2 driver (WDM)
DRV:64bit: - [2009/03/02 18:20:18 | 000,035,840 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\BVRPMPR5a64.SYS -- (BVRPMPR5a64)
DRV:64bit: - [2009/02/24 18:35:44 | 000,255,552 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\mcdbus.sys -- (mcdbus)
DRV:64bit: - [2008/06/29 10:12:32 | 000,040,464 | ---- | M] () [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\npf.sys -- (npf)
DRV:64bit: - [2008/04/22 10:53:36 | 000,012,744 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ENTECH64.sys -- (ENTECH64)
DRV:64bit: - [2008/01/20 21:47:28 | 000,046,080 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
DRV:64bit: - [2008/01/20 21:46:55 | 000,317,952 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\e1e6032e.sys -- (e1express) Intel®
DRV:64bit: - [2008/01/20 21:46:52 | 000,019,456 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\usb8023x.sys -- (usb_rndisx)
DRV:64bit: - [2007/08/08 09:03:54 | 000,576,640 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\emBDA64.sys -- (USB28xxBGA)
DRV:64bit: - [2007/08/08 09:03:54 | 000,054,528 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\emOEM64.sys -- (USB28xxOEM)
DRV:64bit: - [2006/11/01 02:23:42 | 000,015,680 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\ASACPI.sys -- (MTsensor)
DRV:64bit: - [2006/09/18 16:36:24 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\Wbem\ntfs.mof -- (Ntfs)
DRV - [2010/03/08 17:33:21 | 000,038,944 | ---- | M] (B.H.A Corporation) [Kernel | System | Stopped] -- C:\Windows\SysWow64\drivers\CDRBSDRV.SYS -- (cdrbsdrv)
DRV - [2009/08/03 09:22:58 | 000,016,392 | ---- | M] (Teruten Inc) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\TFsExDisk.Sys -- (TFsExDisk)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3530666769-31344507-419582560-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-3530666769-31344507-419582560-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-3530666769-31344507-419582560-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = FE 36 15 0A 50 5B CB 01 [binary data]
IE - HKU\S-1-5-21-3530666769-31344507-419582560-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3530666769-31344507-419582560-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-3530666769-31344507-419582560-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643

========== FireFox ==========



[2010/09/25 00:40:01 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Mozilla\Extensions
[2010/09/25 00:40:01 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2009/10/16 06:57:15 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\gkj9a50o.default\extensions
[2009/10/16 06:57:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\gkj9a50o.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/10/16 06:57:15 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\gkj9a50o.default\extensions\staged-xpis

O1 HOSTS File: ([2006/09/18 16:37:24 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-3530666769-31344507-419582560-1000\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [lxduamon] C:\Program Files (x86)\Lexmark 5600-6600 Series\lxduamon.exe ()
O4:64bit: - HKLM..\Run: [lxdumon.exe] C:\Program Files (x86)\Lexmark 5600-6600 Series\lxdumon.exe ()
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Windows Mobile Device Center] C:\Windows\WindowsMobile\wmdc.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Blubster] C:\Program Files (x86)\Blubster\Blubster.exe File not found
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NPSStartup] File not found
O4 - HKLM..\Run: [TurboV] C:\Program Files\ASUS\TurboV\TurboV.exe ()
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-3530666769-31344507-419582560-1000..\Run: [{3E042E28-5F9F-B04C-2CA4-5B8379DFAD8C}] C:\Users\Dad\AppData\Roaming\Equga\onbio.exe ()
O4 - HKU\S-1-5-21-3530666769-31344507-419582560-1000..\Run: [AutoStartNPSAgent] C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe File not found
O4 - HKU\S-1-5-21-3530666769-31344507-419582560-1000..\Run: [PlayOn] C:\Program Files (x86)\MediaMall\PlayOn.exe (MediaMall Technologies, Inc.)
O4 - HKU\S-1-5-21-3530666769-31344507-419582560-1000..\Run: [uTorrent] C:\Program Files (x86)\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKU\S-1-5-21-3530666769-31344507-419582560-1000..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10i_ActiveX.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tuxuni.exe ()
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\udmi.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\.DEFAULT\..Trusted Domains: amazon.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: hulu.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: netflix.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: youtube.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: amazon.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: hulu.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: netflix.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: youtube.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-3530666769-31344507-419582560-1000\..Trusted Domains: one-time-offer.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-3530666769-31344507-419582560-1000\..Trusted Domains: pizzahut.com ([quikorder] https in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} http://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab (ZPA_DMNO Object)
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab (UnoCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab (MSN Games – Hearts)
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab (MSN Games – Texas Holdem Poker)
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab (ZPA_SHVL Object)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/...tiveXPlugin.cab (ScorchPlugin Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...k.cab102118.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab (ChessControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img28.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img28.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/09/10 15:20:10 | 000,000,000 | ---D | M] - C:\Autoruns -- [ NTFS ]
O32 - AutoRun File - [2008/02/25 17:59:34 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/07/20 00:04:20 | 000,000,095 | ---- | M] () - L:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{0de330e7-944f-11df-a631-0026187765e0}\Shell\AutoRun\command - "" = O:\setup.exe -- File not found
O33 - MountPoints2\{3db79b13-ab39-11df-b844-0026187765e0}\Shell - "" = AutoRun
O33 - MountPoints2\{3db79b13-ab39-11df-b844-0026187765e0}\Shell\AutoRun\command - "" = Q:\WD SmartWare.exe -- File not found
O33 - MountPoints2\{68451d87-7d33-11df-8c3d-0026187765e0}\Shell - "" = AutoRun
O33 - MountPoints2\{68451d87-7d33-11df-8c3d-0026187765e0}\Shell\AutoRun\command - "" = O:\NPSAI.exe -- File not found
O33 - MountPoints2\{e999517c-9bbe-11de-adf3-00248caf3c83}\Shell\AutoRun\command - "" = wd_windows_tools\setup.exe
O33 - MountPoints2\{e9995185-9bbe-11de-adf3-00248caf3c83}\Shell\AutoRun\command - "" = WDSetup.exe
O33 - MountPoints2\Q\Shell\AutoRun\command - "" = WDSetup.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-3530666769-31344507-419582560-1000\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 90 Days ==========

[2010/09/30 06:48:57 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\Dad\Desktop\OTL.exe
[2010/09/25 00:40:09 | 000,000,000 | ---D | C] -- C:\Users\Dad\Documents\LimeWire
[2010/09/25 00:36:29 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Softwrap
[2010/09/25 00:36:29 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Fonts
[2010/09/25 00:36:29 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Config
[2010/09/24 11:07:57 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker
[2010/09/23 17:47:40 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/09/23 17:47:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/09/22 06:15:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Gosu(41)
[2010/09/21 09:07:44 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\Bitrix Security
[2010/09/14 07:27:11 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010/09/13 23:39:59 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/09/13 14:01:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/09/13 14:01:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2010/09/12 03:44:21 | 000,000,000 | ---D | C] -- C:\Users\Dad\Documents\FrostWire
[2010/09/11 21:15:54 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[2010/09/11 20:10:45 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\KillProcess
[2010/09/11 20:10:24 | 000,000,000 | ---D | C] -- C:\Users\Dad\Documents\KillProcess Kill Lists
[2010/09/11 20:10:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\KillProcess
[2010/09/11 06:57:17 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\SUPERAntiSpyware.com
[2010/09/11 06:57:17 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/09/11 06:57:12 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/09/10 15:11:36 | 000,000,000 | ---D | C] -- C:\Autoruns
[2010/09/10 08:20:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2010/09/10 08:15:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Panda Security
[2010/09/10 05:53:51 | 000,000,000 | ---D | C] -- C:\Users\Dad\Desktop\INFECTION
[2010/09/09 19:52:31 | 000,000,000 | ---D | C] -- C:\Users\Dad\DoctorWeb
[2010/09/09 17:27:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Gosu(19)
[2010/08/30 07:31:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Jasc Software Inc
[2010/08/26 10:57:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MKVtoolnix
[2010/08/25 03:52:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Gosu
[2010/08/24 23:17:13 | 000,139,062 | ---- | C] (Moritz Bunkus) -- C:\Users\Dad\Desktop\mkvtoolnix-unicode-4.0.0-setup.exe
[2010/08/23 08:18:12 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Local\Western Digital
[2010/08/22 20:41:15 | 000,000,000 | ---D | C] -- C:\Users\Dad\Desktop\thumbdrive
[2010/08/15 22:05:22 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\ThumbGen
[2010/08/14 19:04:25 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Local\IsolatedStorage
[2010/08/14 15:43:50 | 000,000,000 | ---D | C] -- C:\Users\Dad\Desktop\WDTV
[2010/08/08 20:39:18 | 000,000,000 | ---D | C] -- C:\Program Files\Lexmark Printable Web
[2010/08/08 20:39:05 | 000,364,544 | ---- | C] ( ) -- C:\Windows\SysWow64\lxduinpa.dll
[2010/08/08 20:39:05 | 000,339,968 | ---- | C] ( ) -- C:\Windows\SysWow64\lxduiesc.dll
[2010/08/08 20:39:05 | 000,126,976 | ---- | C] (Lexmark International Inc.) -- C:\Windows\SysWow64\lxdulnks.dll
[2010/08/08 20:39:04 | 000,651,264 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdupmui.dll
[2010/08/08 20:39:03 | 001,069,056 | ---- | C] ( ) -- C:\Windows\SysWow64\lxduserv.dll
[2010/08/08 20:39:03 | 000,851,968 | ---- | C] ( ) -- C:\Windows\SysWow64\lxduusb1.dll
[2010/08/08 20:39:03 | 000,577,536 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdulmpm.dll
[2010/08/08 20:39:02 | 000,765,952 | ---- | C] ( ) -- C:\Windows\SysWow64\lxducomc.dll
[2010/08/08 20:39:02 | 000,679,936 | ---- | C] ( ) -- C:\Windows\SysWow64\lxduhbn3.dll
[2010/08/08 20:39:02 | 000,594,600 | ---- | C] ( ) -- C:\Windows\SysWow64\lxducoms.exe
[2010/08/08 20:39:02 | 000,376,832 | ---- | C] ( ) -- C:\Windows\SysWow64\lxducomm.dll
[2010/08/08 20:39:02 | 000,328,360 | ---- | C] ( ) -- C:\Windows\SysWow64\lxduih.exe
[2010/08/08 20:39:01 | 000,369,320 | ---- | C] ( ) -- C:\Windows\SysWow64\lxducfg.exe
[2010/08/08 20:38:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Lexmark 5600-6600 Series
[2010/08/03 03:20:40 | 000,000,000 | -HSD | C] -- C:\found.000
[2010/07/29 21:50:23 | 000,000,000 | ---D | C] -- C:\Program Files\Lexmark 5600-6600 Series
[2010/07/29 14:43:21 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Dad\Desktop\mbam-setup.exe
[2010/07/22 08:32:18 | 000,000,000 | ---D | C] -- C:\ST_Temp
[2010/07/20 14:54:42 | 000,000,000 | ---D | C] -- C:\Users\Dad\{4d4060cb-d4fe-42b3-8227-8a7fd99f015d}
[2010/07/20 14:50:55 | 000,000,000 | ---D | C] -- C:\Users\Dad\{86e69ad5-ed5b-4f54-96e9-5c7952adc928}
[2010/07/20 14:47:42 | 000,000,000 | ---D | C] -- C:\Users\Dad\{1a9c7067-648a-4de0-ba3c-2fce6b928645}
[2010/07/20 14:44:40 | 000,000,000 | ---D | C] -- C:\Users\Dad\{10538eed-23f0-4df3-b6a8-c453b18fbed3}
[2010/07/11 16:44:49 | 000,000,000 | ---D | C] -- C:\Users\Dad\Desktop\Flagstar
[2010/07/05 11:35:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\GoldWave
[2009/09/13 21:40:15 | 000,082,816 | ---- | C] (VSO Software) -- C:\Users\Dad\AppData\Roaming\pcouffin.sys
[5 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[13 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[13 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/09/30 07:09:19 | 005,505,024 | -HS- | M] () -- C:\Users\Dad\ntuser.dat
[2010/09/30 06:49:18 | 000,133,632 | ---- | M] () -- C:\Users\Dad\Desktop\RKUnhookerLE.EXE
[2010/09/30 06:48:58 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Dad\Desktop\OTL.exe
[2010/09/29 23:21:01 | 000,000,732 | ---- | M] () -- C:\Users\Dad\AppData\Local\d3d9caps64.dat
[2010/09/29 10:29:09 | 000,703,388 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/09/29 10:29:09 | 000,603,516 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/09/29 10:29:09 | 000,103,586 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/09/28 21:32:33 | 000,000,680 | ---- | M] () -- C:\Users\Dad\AppData\Local\d3d9caps.dat
[2010/09/28 05:43:17 | 000,000,470 | ---- | M] () -- C:\Users\Dad\Desktop\MSN Health & Fitness - Cancer Video.url
[2010/09/25 00:36:53 | 000,002,453 | ---- | M] () -- C:\Users\Public\Documents\Global.sw2
[2010/09/25 00:36:29 | 000,000,000 | -H-- | M] () -- C:\Windows\SwSys2.bmp
[2010/09/25 00:36:29 | 000,000,000 | -H-- | M] () -- C:\Windows\SwSys1.bmp
[2010/09/24 13:01:12 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/24 12:58:04 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/24 12:58:04 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/24 12:58:02 | 000,074,425 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/09/24 12:58:02 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/24 12:55:54 | 000,524,288 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{d04c8696-c738-11df-8a9c-0026187765e0}.TMContainer00000000000000000001.regtrans-ms
[2010/09/24 12:55:54 | 000,065,536 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{d04c8696-c738-11df-8a9c-0026187765e0}.TM.blf
[2010/09/24 05:44:16 | 000,000,299 | ---- | M] () -- C:\Users\Dad\Desktop\Making Home Affordable - Home Affordable Modifications.url
[2010/09/23 17:47:42 | 000,000,813 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/23 17:39:45 | 000,074,425 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/09/23 17:22:23 | 000,000,282 | ---- | M] () -- C:\Windows\tasks\Check Updates for Windows Live Toolbar.job
[2010/09/23 12:37:46 | 000,000,414 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{5C97C559-019D-4E6A-8D17-A9E6E6CB61F8}.job
[2010/09/23 12:36:09 | 000,524,288 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{d04c8696-c738-11df-8a9c-0026187765e0}.TMContainer00000000000000000002.regtrans-ms
[2010/09/23 12:03:09 | 000,524,288 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{10760285-be20-11df-bb48-0026187765e0}.TMContainer00000000000000000001.regtrans-ms
[2010/09/23 12:03:09 | 000,065,536 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{10760285-be20-11df-bb48-0026187765e0}.TM.blf
[2010/09/23 06:41:01 | 000,000,334 | ---- | M] () -- C:\Users\Dad\Desktop\d3d9caps.dat - Jotti's malware scan.url
[2010/09/23 05:31:22 | 000,021,880 | ---- | M] () -- C:\Users\Dad\Desktop\usage 316-300-0989.csv
[2010/09/21 19:03:36 | 000,000,240 | ---- | M] () -- C:\Users\Dad\Desktop\Wild Horses Kick Butt - Bing Videos.url
[2010/09/20 22:35:14 | 000,000,249 | ---- | M] () -- C:\Users\Dad\Desktop\NEW 7 Mini Netbook Laptop Notebook WIFI Windows Red.url
[2010/09/20 08:02:18 | 000,664,576 | ---- | M] () -- C:\hotfix.bak
[2010/09/19 13:16:14 | 000,005,723 | ---- | M] () -- C:\ProgramData\.wtav
[2010/09/12 20:59:29 | 000,000,552 | ---- | M] () -- C:\Users\Dad\AppData\Local\d3d8caps.dat
[2010/09/11 23:38:43 | 000,524,288 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{10760285-be20-11df-bb48-0026187765e0}.TMContainer00000000000000000002.regtrans-ms
[2010/09/11 23:20:37 | 000,524,288 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{9785f76b-bda0-11df-8063-0026187765e0}.TMContainer00000000000000000001.regtrans-ms
[2010/09/11 23:20:37 | 000,065,536 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{9785f76b-bda0-11df-8063-0026187765e0}.TM.blf
[2010/09/11 20:32:33 | 000,524,288 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{9785f76b-bda0-11df-8063-0026187765e0}.TMContainer00000000000000000002.regtrans-ms
[2010/09/11 20:25:51 | 000,524,288 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{f7d6d10a-e76c-11de-8f59-8000600fe800}.TMContainer00000000000000000001.regtrans-ms
[2010/09/11 20:25:51 | 000,065,536 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{f7d6d10a-e76c-11de-8f59-8000600fe800}.TM.blf
[2010/09/11 18:22:14 | 000,133,632 | ---- | M] () -- C:\Users\Dad\Documents\xxxxxx.doc
[2010/09/10 16:13:29 | 003,163,052 | ---- | M] () -- C:\Users\Dad\Desktop\AutoRuns.arn
[2010/09/06 16:19:54 | 000,103,557 | ---- | M] () -- C:\Users\Dad\Desktop\Alyssa order.pdf
[2010/09/06 16:19:54 | 000,006,148 | ---- | M] () -- C:\Users\Dad\AppData\Roaming\PrimoPDFSet.xml
[2010/09/04 23:07:00 | 000,000,224 | ---- | M] () -- C:\Users\Dad\Desktop\GENIE Limit Switch Screw Drive 20113R - 24454R.url
[2010/09/04 07:46:17 | 000,000,600 | ---- | M] () -- C:\Users\Dad\AppData\Local\PUTTY.RND
[2010/09/03 11:17:35 | 000,000,143 | ---- | M] () -- C:\Users\Dad\Desktop\Thermaltake BlacX ST0005U Hard Drive Dock.url
[2010/08/25 19:01:50 | 000,000,184 | ---- | M] () -- C:\Users\Dad\Desktop\Printable Paper.url
[2010/08/24 23:17:14 | 000,139,062 | ---- | M] (Moritz Bunkus) -- C:\Users\Dad\Desktop\mkvtoolnix-unicode-4.0.0-setup.exe
[2010/08/24 08:48:52 | 000,000,178 | ---- | M] () -- C:\Users\Dad\Desktop\Daily Steals! Deal of the Day Site.url
[2010/08/24 07:11:05 | 000,000,239 | ---- | M] () -- C:\Users\Dad\Desktop\Vornado VH2 Vortex Heater in Space Heaters at JR.com.url
[2010/08/21 05:53:10 | 000,000,202 | ---- | M] () -- C:\Users\Dad\Desktop\Perpetual Kid- Unique Gifts to Entertain Your Inner Child.url
[2010/08/18 23:27:57 | 000,000,012 | -H-- | M] () -- C:\Windows\SysWow64\%sdvmexp.idx
[2010/08/18 21:15:11 | 000,003,786 | ---- | M] () -- C:\Users\Dad\Desktop\alyssanurseapp.rtf
[2010/08/18 08:31:06 | 000,000,156 | ---- | M] () -- C:\Users\Dad\Desktop\GlassesUnlimited Eyeglasses Frames Collection.url
[2010/08/17 12:29:31 | 000,000,305 | ---- | M] () -- C:\Users\Dad\Desktop\LightScribe DVD-R Media LightScribe Blank DVD+R - DL Discs SuperMediaStore.com.url
[2010/08/17 12:24:44 | 000,000,242 | ---- | M] () -- C:\Users\Dad\Desktop\Newegg.com - lenovo IdeaPad S10-3t(065137U) Tablet PC Intel Atom N450(1.66GHz) 10.1 Wide SVGA 1GB Memory DDR2 667 250GB HDD 5400rpm Intel GMA 3150.url
[2010/08/17 09:49:48 | 000,164,864 | ---- | M] () -- C:\Users\Dad\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/16 06:03:27 | 000,000,122 | ---- | M] () -- C:\Users\Dad\Desktop\FedBens calculators for Federal retirement benefits - fast, easy to use, and accurate!.url
[2010/08/14 13:47:16 | 000,000,231 | ---- | M] () -- C:\Users\Dad\Desktop\Mt Carmel.url
[2010/08/12 05:12:31 | 000,403,952 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/08/09 16:41:14 | 000,108,889 | ---- | M] () -- C:\Users\Public\Documents\meds.pdf
[2010/08/09 07:17:15 | 000,000,198 | ---- | M] () -- C:\Users\Dad\Desktop\Samsung Captivate Forum.url
[2010/08/08 20:40:43 | 000,079,843 | ---- | M] () -- C:\Windows\SysNative\LexFiles.ulf
[2010/08/08 20:40:33 | 000,000,899 | ---- | M] () -- C:\Users\Public\Desktop\Lexmark Productivity Studio - 5600-6600 Series.LNK
[2010/08/08 17:08:45 | 000,000,317 | ---- | M] () -- C:\Users\Dad\Desktop\Painting a Brick Fireplace - Painting.url
[2010/08/08 16:15:30 | 000,000,375 | ---- | M] () -- C:\Users\Dad\Desktop\Discovery Channel Store - Clearance.url
[2010/08/08 15:56:04 | 000,000,235 | ---- | M] () -- C:\Users\Dad\Desktop\Looping Backgrounds Table.url
[2010/08/08 15:45:17 | 000,000,135 | ---- | M] () -- C:\Users\Dad\Desktop\Login & Registration - eService BlueCross BlueShield Federal Employee Program.url
[2010/08/07 05:33:31 | 000,000,211 | ---- | M] () -- C:\Users\Dad\Desktop\Individual - Treasury Securities & Programs.url
[2010/08/04 14:09:04 | 000,000,232 | ---- | M] () -- C:\Users\Dad\Desktop\We Buy Houses Fast.url
[2010/08/04 14:08:07 | 000,000,328 | ---- | M] () -- C:\Users\Dad\Desktop\We Buy Houses, Cash Home Buyers, Fast Home Offers We Buy Homes.url
[2010/08/03 05:50:15 | 000,000,265 | ---- | M] () -- C:\Users\Dad\Desktop\Cards for bad credit, big balances or rewards - Liz Pulliam Weston - MSN Money.url
[2010/07/29 14:43:31 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Dad\Desktop\mbam-setup.exe
[2010/07/23 10:10:43 | 000,000,179 | ---- | M] () -- C:\Windows\WinInit.Ini
[2010/07/22 06:08:54 | 000,000,171 | ---- | M] () -- C:\Users\Dad\Desktop\PriceGrabber.com - Comparison Shopping Beyond Compare.url
[2010/07/22 05:51:26 | 000,000,168 | ---- | M] () -- C:\Users\Dad\Desktop\Pronto.com - Compare Prices, Shop Online & Save.url
[2010/07/22 05:43:55 | 000,000,180 | ---- | M] () -- C:\Users\Dad\Desktop\Online Coupon Codes, Discount Coupons, Proflowers Coupon, Coupon & Online Shopping Deals by Dealio.url
[2010/07/16 05:58:58 | 000,074,339 | ---- | M] () -- C:\Users\Dad\Desktop\drug alternative.pdf
[2010/07/14 08:33:51 | 000,000,269 | ---- | M] () -- C:\Users\Dad\Desktop\Official Payments Corp..url
[2010/07/08 17:11:48 | 000,001,877 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 8.lnk
[2010/07/05 11:35:31 | 000,000,583 | ---- | M] () -- C:\Users\Dad\Desktop\GoldWave.lnk
[5 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[13 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[13 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/30 06:49:18 | 000,133,632 | ---- | C] () -- C:\Users\Dad\Desktop\RKUnhookerLE.EXE
[2010/09/28 05:43:17 | 000,000,470 | ---- | C] () -- C:\Users\Dad\Desktop\MSN Health & Fitness - Cancer Video.url
[2010/09/25 00:36:29 | 000,002,453 | ---- | C] () -- C:\Users\Public\Documents\Global.sw2
[2010/09/25 00:36:29 | 000,000,000 | -H-- | C] () -- C:\Windows\SwSys2.bmp
[2010/09/25 00:36:29 | 000,000,000 | -H-- | C] () -- C:\Windows\SwSys1.bmp
[2010/09/24 05:44:16 | 000,000,299 | ---- | C] () -- C:\Users\Dad\Desktop\Making Home Affordable - Home Affordable Modifications.url
[2010/09/23 17:47:42 | 000,000,813 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/23 12:36:09 | 000,524,288 | -HS- | C] () -- C:\Users\Dad\ntuser.dat{d04c8696-c738-11df-8a9c-0026187765e0}.TMContainer00000000000000000002.regtrans-ms
[2010/09/23 12:36:08 | 000,524,288 | -HS- | C] () -- C:\Users\Dad\ntuser.dat{d04c8696-c738-11df-8a9c-0026187765e0}.TMContainer00000000000000000001.regtrans-ms
[2010/09/23 12:36:08 | 000,065,536 | -HS- | C] () -- C:\Users\Dad\ntuser.dat{d04c8696-c738-11df-8a9c-0026187765e0}.TM.blf
[2010/09/23 06:41:01 | 000,000,334 | ---- | C] () -- C:\Users\Dad\Desktop\d3d9caps.dat - Jotti's malware scan.url
[2010/09/23 05:31:22 | 000,021,880 | ---- | C] () -- C:\Users\Dad\Desktop\usage 316-300-0989.csv
[2010/09/20 08:02:19 | 000,664,576 | ---- | C] () -- C:\hotfix.bak
[2010/09/19 13:15:31 | 000,005,723 | ---- | C] () -- C:\ProgramData\.wtav
[2010/09/12 20:59:29 | 000,000,552 | ---- | C] () -- C:\Users\Dad\AppData\Local\d3d8caps.dat
[2010/09/11 23:57:41 | 000,000,680 | ---- | C] () -- C:\Users\Dad\AppData\Local\d3d9caps.dat
[2010/09/11 23:38:43 | 000,524,288 | -HS- | C] () -- C:\Users\Dad\ntuser.dat{10760285-be20-11df-bb48-0026187765e0}.TMContainer00000000000000000002.regtrans-ms
[2010/09/11 23:38:43 | 000,524,288 | -HS- | C] () -- C:\Users\Dad\ntuser.dat{10760285-be20-11df-bb48-0026187765e0}.TMContainer00000000000000000001.regtrans-ms
[2010/09/11 23:38:43 | 000,065,536 | -HS- | C] () -- C:\Users\Dad\ntuser.dat{10760285-be20-11df-bb48-0026187765e0}.TM.blf
[2010/09/11 20:32:33 | 000,524,288 | -HS- | C] () -- C:\Users\Dad\ntuser.dat{9785f76b-bda0-11df-8063-0026187765e0}.TMContainer00000000000000000002.regtrans-ms
[2010/09/11 20:32:33 | 000,524,288 | -HS- | C] () -- C:\Users\Dad\ntuser.dat{9785f76b-bda0-11df-8063-0026187765e0}.TMContainer00000000000000000001.regtrans-ms
[2010/09/11 20:32:33 | 000,065,536 | -HS- | C] () -- C:\Users\Dad\ntuser.dat{9785f76b-bda0-11df-8063-0026187765e0}.TM.blf
[2010/09/11 18:22:14 | 000,133,632 | ---- | C] () -- C:\Users\Dad\Documents\xxxxxx.doc
[2010/09/10 16:13:29 | 003,163,052 | ---- | C] () -- C:\Users\Dad\Desktop\AutoRuns.arn
[2010/09/06 16:19:51 | 000,103,557 | ---- | C] () -- C:\Users\Dad\Desktop\Alyssa order.pdf
[2010/09/04 23:07:00 | 000,000,224 | ---- | C] () -- C:\Users\Dad\Desktop\GENIE Limit Switch Screw Drive 20113R - 24454R.url
[2010/09/03 20:45:12 | 000,000,600 | ---- | C] () -- C:\Users\Dad\AppData\Local\PUTTY.RND
[2010/09/03 11:17:35 | 000,000,143 | ---- | C] () -- C:\Users\Dad\Desktop\Thermaltake BlacX ST0005U Hard Drive Dock.url
[2010/08/25 19:01:50 | 000,000,184 | ---- | C] () -- C:\Users\Dad\Desktop\Printable Paper.url
[2010/08/24 08:48:52 | 000,000,178 | ---- | C] () -- C:\Users\Dad\Desktop\Daily Steals! Deal of the Day Site.url
[2010/08/24 07:11:05 | 000,000,239 | ---- | C] () -- C:\Users\Dad\Desktop\Vornado VH2 Vortex Heater in Space Heaters at JR.com.url
[2010/08/21 09:36:33 | 000,000,249 | ---- | C] () -- C:\Users\Dad\Desktop\NEW 7 Mini Netbook Laptop Notebook WIFI Windows Red.url
[2010/08/21 05:53:10 | 000,000,202 | ---- | C] () -- C:\Users\Dad\Desktop\Perpetual Kid- Unique Gifts to Entertain Your Inner Child.url
[2010/08/18 23:27:57 | 000,000,012 | -H-- | C] () -- C:\Windows\SysWow64\%sdvmexp.idx
[2010/08/18 21:15:11 | 000,003,786 | ---- | C] () -- C:\Users\Dad\Desktop\alyssanurseapp.rtf
[2010/08/18 08:31:06 | 000,000,156 | ---- | C] () -- C:\Users\Dad\Desktop\GlassesUnlimited Eyeglasses Frames Collection.url
[2010/08/17 12:29:31 | 000,000,305 | ---- | C] () -- C:\Users\Dad\Desktop\LightScribe DVD-R Media LightScribe Blank DVD+R - DL Discs SuperMediaStore.com.url
[2010/08/17 12:24:44 | 000,000,242 | ---- | C] () -- C:\Users\Dad\Desktop\Newegg.com - lenovo IdeaPad S10-3t(065137U) Tablet PC Intel Atom N450(1.66GHz) 10.1 Wide SVGA 1GB Memory DDR2 667 250GB HDD 5400rpm Intel GMA 3150.url
[2010/08/16 06:03:27 | 000,000,122 | ---- | C] () -- C:\Users\Dad\Desktop\FedBens calculators for Federal retirement benefits - fast, easy to use, and accurate!.url
[2010/08/14 13:47:16 | 000,000,231 | ---- | C] () -- C:\Users\Dad\Desktop\Mt Carmel.url
[2010/08/11 22:17:20 | 001,420,176 | ---- | C] () -- C:\Windows\SysNative\drivers\tcpip.sys
[2010/08/11 21:59:54 | 000,462,848 | ---- | C] () -- C:\Windows\SysNative\drivers\srv.sys
[2010/08/11 21:59:54 | 000,174,592 | ---- | C] () -- C:\Windows\SysNative\drivers\srv2.sys
[2010/08/11 21:46:51 | 002,749,952 | ---- | C] () -- C:\Windows\SysNative\win32k.sys
[2010/08/11 21:46:42 | 000,050,688 | ---- | C] () -- C:\Windows\SysNative\rtutils.dll
[2010/08/11 21:46:37 | 004,690,832 | ---- | C] () -- C:\Windows\SysNative\ntoskrnl.exe
[2010/08/11 21:45:57 | 012,473,344 | ---- | C] () -- C:\Windows\SysNative\ieframe.dll
[2010/08/11 21:45:57 | 009,250,816 | ---- | C] () -- C:\Windows\SysNative\mshtml.dll
[2010/08/11 21:45:57 | 002,335,744 | ---- | C] () -- C:\Windows\SysNative\iertutil.dll
[2010/08/11 21:45:56 | 001,487,360 | ---- | C] () -- C:\Windows\SysNative\urlmon.dll
[2010/08/11 21:45:56 | 001,147,904 | ---- | C] () -- C:\Windows\SysNative\wininet.dll
[2010/08/11 21:45:56 | 000,706,048 | ---- | C] () -- C:\Windows\SysNative\msfeeds.dll
[2010/08/11 21:45:56 | 000,459,776 | ---- | C] () -- C:\Windows\SysNative\iedkcs32.dll
[2010/08/11 21:45:55 | 001,638,912 | ---- | C] () -- C:\Windows\SysNative\mshtml.tlb
[2010/08/11 21:45:55 | 001,538,560 | ---- | C] () -- C:\Windows\SysNative\inetcpl.cpl
[2010/08/11 21:45:55 | 001,062,912 | ---- | C] () -- C:\Windows\SysNative\mstime.dll
[2010/08/11 21:45:55 | 000,252,416 | ---- | C] () -- C:\Windows\SysNative\iepeers.dll
[2010/08/11 21:45:55 | 000,243,712 | ---- | C] () -- C:\Windows\SysNative\occache.dll
[2010/08/11 21:45:55 | 000,219,136 | ---- | C] () -- C:\Windows\SysNative\ieui.dll
[2010/08/11 21:45:55 | 000,162,816 | ---- | C] () -- C:\Windows\SysNative\ieUnatt.exe
[2010/08/11 21:45:55 | 000,132,096 | ---- | C] () -- C:\Windows\SysNative\iesysprep.dll
[2010/08/11 21:45:55 | 000,077,312 | ---- | C] () -- C:\Windows\SysNative\iesetup.dll
[2010/08/11 21:45:55 | 000,072,192 | ---- | C] () -- C:\Windows\SysNative\iernonce.dll
[2010/08/11 21:45:55 | 000,071,680 | ---- | C] () -- C:\Windows\SysNative\msfeedsbs.dll
[2010/08/11 21:45:55 | 000,070,656 | ---- | C] () -- C:\Windows\SysNative\ie4uinit.exe
[2010/08/11 21:45:55 | 000,031,744 | ---- | C] () -- C:\Windows\SysNative\jsproxy.dll
[2010/08/11 21:45:55 | 000,012,288 | ---- | C] () -- C:\Windows\SysNative\msfeedssync.exe
[2010/08/11 21:45:45 | 001,875,456 | ---- | C] () -- C:\Windows\SysNative\msxml3.dll
[2010/08/11 21:45:44 | 000,343,040 | ---- | C] () -- C:\Windows\SysNative\schannel.dll
[2010/08/09 16:41:10 | 000,108,889 | ---- | C] () -- C:\Users\Public\Documents\meds.pdf
[2010/08/09 16:39:27 | 000,000,661 | ---- | C] () -- C:\ProgramData\tmpC3F8.log
[2010/08/09 07:17:15 | 000,000,198 | ---- | C] () -- C:\Users\Dad\Desktop\Samsung Captivate Forum.url
[2010/08/08 20:40:33 | 000,000,899 | ---- | C] () -- C:\Users\Public\Desktop\Lexmark Productivity Studio - 5600-6600 Series.LNK
[2010/08/08 20:39:16 | 000,000,044 | ---- | C] () -- C:\Windows\SysNative\lxdurwrd.ini
[2010/08/08 20:39:06 | 000,389,120 | ---- | C] () -- C:\Windows\SysWow64\LXDUinst.dll
[2010/08/08 20:39:05 | 000,335,872 | ---- | C] () -- C:\Windows\SysWow64\lxducomx.dll
[2010/08/08 20:39:01 | 000,001,867 | ---- | C] () -- C:\Windows\SysWow64\lxdu.loc
[2010/08/08 20:38:59 | 000,594,432 | ---- | C] () -- C:\Windows\SysNative\LXDUinst.dll
[2010/08/08 20:38:58 | 000,680,960 | ---- | C] () -- C:\Windows\SysNative\LXDUhcp.dll
[2010/08/08 15:45:17 | 000,000,135 | ---- | C] () -- C:\Users\Dad\Desktop\Login & Registration - eService BlueCross BlueShield Federal Employee Program.url
[2010/08/07 05:33:31 | 000,000,211 | ---- | C] () -- C:\Users\Dad\Desktop\Individual - Treasury Securities & Programs.url
[2010/08/04 14:09:04 | 000,000,232 | ---- | C] () -- C:\Users\Dad\Desktop\We Buy Houses Fast.url
[2010/08/04 14:08:07 | 000,000,328 | ---- | C] () -- C:\Users\Dad\Desktop\We Buy Houses, Cash Home Buyers, Fast Home Offers We Buy Homes.url
[2010/08/03 18:49:35 | 000,000,240 | ---- | C] () -- C:\Users\Dad\Desktop\Wild Horses Kick Butt - Bing Videos.url
[2010/08/03 05:50:15 | 000,000,265 | ---- | C] () -- C:\Users\Dad\Desktop\Cards for bad credit, big balances or rewards - Liz Pulliam Weston - MSN Money.url
[2010/08/02 15:56:02 | 012,898,304 | ---- | C] () -- C:\Windows\SysNative\shell32.dll
[2010/07/29 21:50:29 | 000,079,843 | ---- | C] () -- C:\Windows\SysNative\LexFiles.ulf
[2010/07/23 10:10:23 | 000,000,179 | ---- | C] () -- C:\Windows\WinInit.Ini
[2010/07/22 06:08:54 | 000,000,171 | ---- | C] () -- C:\Users\Dad\Desktop\PriceGrabber.com - Comparison Shopping Beyond Compare.url
[2010/07/22 05:51:26 | 000,000,168 | ---- | C] () -- C:\Users\Dad\Desktop\Pronto.com - Compare Prices, Shop Online & Save.url
[2010/07/22 05:43:55 | 000,000,180 | ---- | C] () -- C:\Users\Dad\Desktop\Online Coupon Codes, Discount Coupons, Proflowers Coupon, Coupon & Online Shopping Deals by Dealio.url
[2010/07/18 10:57:06 | 000,000,235 | ---- | C] () -- C:\Users\Dad\Desktop\Looping Backgrounds Table.url
[2010/07/16 05:58:56 | 000,074,339 | ---- | C] () -- C:\Users\Dad\Desktop\drug alternative.pdf
[2010/07/11 16:40:02 | 000,000,269 | ---- | C] () -- C:\Users\Dad\Desktop\Official Payments Corp..url
[2010/07/05 23:50:28 | 000,000,317 | ---- | C] () -- C:\Users\Dad\Desktop\Painting a Brick Fireplace - Painting.url
[2010/07/05 11:35:31 | 000,000,583 | ---- | C] () -- C:\Users\Dad\Desktop\GoldWave.lnk
[2010/06/21 09:19:01 | 000,002,528 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\$_hpcst$.hpc
[2010/03/14 12:16:38 | 000,003,212 | -HS- | C] () -- C:\Users\Dad\AppData\Local\TsCoj8C
[2010/03/14 12:16:38 | 000,003,212 | -HS- | C] () -- C:\ProgramData\TsCoj8C
[2010/03/12 23:04:26 | 000,126,464 | ---- | C] () -- C:\Windows\SysWow64\lame_enc.dll
[2010/03/07 19:45:36 | 000,000,664 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\vso_ts_preview.xml
[2010/02/27 06:53:52 | 000,000,732 | ---- | C] () -- C:\Users\Dad\AppData\Local\d3d9caps64.dat
[2010/01/28 03:03:10 | 000,067,584 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2009/11/29 19:54:12 | 000,000,357 | ---- | C] () -- C:\ProgramData\tmp6E10.log
[2009/11/29 19:44:25 | 000,000,357 | ---- | C] () -- C:\ProgramData\tmp7917.log
[2009/11/29 19:43:23 | 000,000,357 | ---- | C] () -- C:\ProgramData\tmp897C.log
[2009/11/17 02:09:38 | 000,000,040 | -HS- | C] () -- C:\ProgramData\.zreglib
[2009/11/15 18:15:54 | 000,000,000 | ---- | C] () -- C:\Windows\OPPRIN~1.INI
[2009/11/08 18:03:48 | 000,074,425 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/11/08 17:51:23 | 000,074,425 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/11/08 16:45:03 | 000,000,877 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\coreavc.ini
[2009/10/13 12:55:41 | 000,001,671 | ---- | C] () -- C:\ProgramData\lxduDiagnostics.log
[2009/10/11 13:58:23 | 000,000,646 | ---- | C] () -- C:\ProgramData\tmp12D8.log
[2009/09/13 21:52:42 | 000,000,034 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\pcouffin.log
[2009/09/13 21:40:15 | 000,099,384 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\inst.exe
[2009/09/13 21:40:15 | 000,007,859 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\pcouffin.cat
[2009/09/13 21:40:15 | 000,001,167 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\pcouffin.inf
[2009/09/08 17:02:54 | 000,000,550 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\AutoGK.ini
[2009/08/20 05:56:30 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2009/08/17 02:54:09 | 000,063,316 | ---- | C] () -- C:\ProgramData\lxduJSW.log
[2009/08/12 06:15:11 | 000,006,148 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\PrimoPDFSet.xml
[2009/08/07 21:47:46 | 000,027,528 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\UserTile.png
[2009/08/07 21:13:18 | 001,036,288 | ---- | C] () -- C:\Windows\SysWow64\lxdudrs.dll
[2009/08/07 21:13:18 | 000,081,920 | ---- | C] () -- C:\Windows\SysWow64\lxducaps.dll
[2009/08/07 21:13:18 | 000,069,632 | ---- | C] () -- C:\Windows\SysWow64\lxducnv4.dll
[2009/08/07 21:08:11 | 000,000,000 | ---- | C] () -- C:\ProgramData\UpdaterLog.txt
[2009/07/22 23:22:56 | 000,424,610 | ---- | C] () -- C:\Users\Dad\AppData\Local\dd_vcredistMSI6ACD.txt
[2009/07/22 23:22:56 | 000,011,422 | ---- | C] () -- C:\Users\Dad\AppData\Local\dd_vcredistUI6ACD.txt
[2009/07/22 22:24:53 | 000,164,864 | ---- | C] () -- C:\Users\Dad\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/14 17:15:00 | 000,178,432 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2009/05/29 16:52:26 | 000,180,224 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
[2009/05/29 16:47:06 | 000,761,856 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2009/04/26 23:13:36 | 000,000,326 | ---- | C] () -- C:\Windows\primopdf.ini
[2009/04/17 13:15:23 | 000,024,576 | R--- | C] () -- C:\Windows\SysWow64\AsIO.dll
[2009/04/17 13:15:23 | 000,014,392 | R--- | C] () -- C:\Windows\SysWow64\drivers\AsIO.sys
[2009/04/17 13:15:16 | 000,011,832 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsInsHelp64.sys
[2009/04/17 13:15:16 | 000,010,216 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsInsHelp32.sys
[2009/04/17 12:53:38 | 000,040,099 | ---- | C] () -- C:\Windows\Ascd_log.ini
[2009/04/17 12:53:33 | 000,001,746 | ---- | C] () -- C:\Windows\Language_trs.ini
[2009/04/17 12:44:46 | 000,028,276 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2008/11/07 20:08:20 | 000,362,029 | ---- | C] () -- C:\Windows\SysWow64\sqlite3.dll
[2008/10/07 11:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2008/10/07 11:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll
[2008/06/01 02:13:10 | 000,053,299 | ---- | C] () -- C:\Windows\SysWow64\pthreadVC.dll
[2008/01/20 21:50:05 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2008/01/20 21:49:49 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2007/12/28 02:22:02 | 000,010,296 | ---- | C] () -- C:\Windows\SysWow64\drivers\ASUSHWIO.SYS
[2007/10/25 17:26:10 | 000,005,632 | ---- | C] () -- C:\Windows\SysWow64\drivers\StarOpen.sys
[2005/08/09 17:13:31 | 000,831,488 | ---- | C] () -- C:\Windows\SysWow64\libeay32.dll
[2005/08/09 17:13:31 | 000,159,744 | ---- | C] () -- C:\Windows\SysWow64\ssleay32.dll
[2005/08/09 17:12:28 | 003,596,288 | ---- | C] () -- C:\Windows\SysWow64\qt-dx331.dll

========== LOP Check ==========

[2010/09/23 15:24:07 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\.BitTornado
[2010/09/23 15:24:07 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\5600-6600 Series
[2010/09/23 15:24:07 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Advanced Font Viewer
[2010/09/23 15:24:07 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Audacity
[2010/09/21 17:47:01 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Bitrix Security
[2009/12/22 20:05:57 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Equga
[2010/07/09 23:45:04 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\foobar2000
[2010/09/23 15:24:07 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Free&Easy Font Viewer
[2009/09/08 23:35:06 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\HandBrake
[2010/09/11 20:10:45 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\KillProcess
[2010/03/08 18:30:38 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\LEAPS
[2010/08/08 20:41:39 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Lexmark Productivity Studio
[2010/03/29 23:15:20 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Marine Aquarium 3
[2010/03/08 13:11:51 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\mkvtoolnix
[2009/09/14 14:09:12 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\MoveFab
[2010/06/20 09:23:46 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Oberon Media
[2009/10/19 21:48:11 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Opera
[2009/08/07 21:47:45 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\PeerNetworking
[2010/03/08 18:27:58 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Pegasys Inc
[2010/09/23 15:24:09 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\RipIt4Me
[2010/06/14 19:08:09 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Samsung
[2010/09/23 15:24:09 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\TeraCopy
[2010/09/27 09:15:08 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Teykry
[2010/08/15 22:05:22 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\ThumbGen
[2010/09/23 15:24:09 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Thunderbird
[2009/08/06 09:25:22 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Ulead Systems
[2010/09/23 15:24:09 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\uTorrent
[2010/06/20 14:08:25 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Vso
[2009/11/06 13:28:38 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Watchtower
[2010/09/23 17:22:23 | 000,000,282 | ---- | M] () -- C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job
[2010/08/18 21:25:29 | 000,032,596 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/09/23 12:37:46 | 000,000,414 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{5C97C559-019D-4E6A-8D17-A9E6E6CB61F8}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:4BF2F6B5
@Alternate Data Stream - 138 bytes -> C:\ProgramData\TEMP:1D32EC29
< End of report >

Extras

OTL Extras logfile created on: 9/30/2010 7:08:58 AM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Users\Dad\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18943)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

6.00 Gb Total Physical Memory | 5.00 Gb Available Physical Memory | 78.00% Memory free
12.00 Gb Paging File | 11.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 931.51 Gb Total Space | 26.05 Gb Free Space | 2.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 73.19 Gb Total Space | 24.50 Gb Free Space | 33.47% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive L: | 93.36 Gb Total Space | 73.01 Gb Free Space | 78.20% Space Free | Partition Type: NTFS
Drive M: | 3.49 Gb Total Space | 3.35 Gb Free Space | 95.78% Space Free | Partition Type: NTFS
Drive N: | 298.09 Gb Total Space | 45.53 Gb Free Space | 15.27% Space Free | Partition Type: NTFS
Drive O: | 931.51 Gb Total Space | 384.46 Gb Free Space | 41.27% Space Free | Partition Type: NTFS

Computer Name: DAD-PC
Current User Name: Dad
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3530666769-31344507-419582560-1000\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" File not found
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" ()
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l ()
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = 9F 9E 16 8C DC 5B C8 01 [binary data]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{006BE906-16AB-4003-B763-DC063A70BAD0}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{01AFD094-3EEC-414B-AF8C-E6BB2310B301}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{02F7DB8F-9D93-4AD3-B29F-4BFE67B0D1E0}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{07DE86EE-A1CE-4FDD-8ECD-9DC6366AF713}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{086D4EAB-9C56-458A-A9C9-4C7BBC032CB8}" = lport=2869 | protocol=6 | dir=in | app=system |
"{0A639959-E99C-4E2B-A96D-58838E955B17}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{0D167A9F-E27E-4245-8C48-6F9BC7EEFE02}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{0F016CF3-009A-4612-B596-BED56953FA4B}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 |
"{125C6B32-85B9-4F7E-96EC-FD009CFFA133}" = lport=139 | protocol=6 | dir=in | app=system |
"{1647C9E4-EA2A-49F7-BE43-FCCF8A72B8DC}" = lport=445 | protocol=6 | dir=in | app=system |
"{18B7280C-BEA5-4903-B138-978721AE9AFE}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe |
"{198064E7-9171-45B9-9118-BE204618345A}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe |
"{1F1999B9-B387-46AA-97BE-222042378DDF}" = rport=2869 | protocol=6 | dir=out | app=system |
"{20052DCF-2094-4B84-BCE1-1C77AE503273}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{21C94590-47F3-4FEE-8AF8-FBDA59AB19ED}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe |
"{247D5F7C-D9AB-4866-8096-2611473E7752}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{248D9E74-0E99-4DD2-9304-DC11C824B891}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=c:\windows\system32\svchost.exe |
"{27BCBA26-5C45-4C16-A56C-241962E19740}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 |
"{27FC817E-C73A-42B3-B41E-579862873C0C}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{28EE93AB-E25D-48C5-8CFE-685F4E69F4F9}" = lport=138 | protocol=17 | dir=in | app=system |
"{2FB80DA8-304D-447B-B85C-D9BC69A31628}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=c:\windows\system32\svchost.exe |
"{332C17FA-6810-461C-A78E-BB03C86C41A3}" = lport=67 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{3CC66792-5D72-4B8C-A6CE-76ADA3315C59}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{449E7B43-EC13-45BA-BE27-F5FD7B736BA6}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{480C6F6B-09D2-4C9D-8877-4672F7273114}" = lport=2869 | protocol=6 | dir=in | app=system |
"{4EC9D536-8E68-470A-A134-0754F83CF72D}" = lport=53 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{4FAB15A1-68B7-4608-A924-555BB46B587F}" = lport=554 | protocol=6 | dir=in | app=c:\windows\ehome\ehshell.exe |
"{57748C0B-0A71-4E0F-83A1-6556B3A1A3DF}" = rport=10243 | protocol=6 | dir=out | app=system |
"{5793FB82-D01C-4306-B2CF-37BFC18E683A}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{57EAD6A8-B767-49B7-BDA2-626F103A6892}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{59953B26-2693-4DAD-9094-723A497CB2C0}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{5B6C423B-1B49-41DE-892E-B416B734B958}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{64F29056-87AF-4AFE-BA01-F38321059446}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{733FBC6F-651A-4F8C-9E8D-EB9735C4E37D}" = rport=138 | protocol=17 | dir=out | app=system |
"{778E426C-F3B1-49AF-8AF9-E8EB02D35B87}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{7DB23F1A-EEC2-4D01-9268-B5AAFCA16F76}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{820339DC-063D-45A1-AB73-6C4779F33BF4}" = rport=139 | protocol=6 | dir=out | app=system |
"{86A59748-BFD2-4554-B1B2-274809B4DD11}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe |
"{8A66E7BC-57BD-4EE7-ACB7-FEB904901A44}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{8B946493-13DF-43EC-A4F5-7722BFDB03AA}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{8F693ABA-20E7-4C79-BD1A-6DFA8F4B7917}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{9C03CD8F-AC9D-402E-8977-EEC67FA67023}" = lport=10244 | protocol=6 | dir=in | app=system |
"{9CCD58F6-2AAF-4A31-838E-25A3D815FEDE}" = rport=10244 | protocol=6 | dir=out | app=system |
"{A0262AA0-D508-4215-B04A-CCCEA048528C}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{A670DA3A-B68E-4DE7-A4E1-74D537D7857D}" = rport=137 | protocol=17 | dir=out | app=system |
"{A71C1FAF-5CF8-4038-A68A-105376876408}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{A7CEB57F-BE99-4FF6-A14B-5FE29F170B88}" = lport=2869 | protocol=6 | dir=in | app=system |
"{AAB9640A-4C17-4017-944C-76216B0742DB}" = rport=445 | protocol=6 | dir=out | app=system |
"{AF6468AB-0E00-41D5-A864-396B407C2A25}" = lport=10243 | protocol=6 | dir=in | app=system |
"{AFAD5321-575E-4B67-8F40-E5D1E74552E2}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=c:\windows\system32\svchost.exe |
"{B050D344-7240-4FD0-A844-24BADB7D1A2D}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{B1F9467B-F974-415D-8797-5EC382A7BCA2}" = lport=68 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{C0A6739C-F547-464C-91F4-37DE56569671}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{C44518F3-C60D-4263-8F69-6FF77E460344}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=c:\windows\system32\svchost.exe |
"{C95CB2F2-E1AB-4604-9D64-DAFAE8AE9869}" = lport=547 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{CA68DABB-F59D-485A-B7F7-2BE0B1D23FF4}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{CFF6961B-2A1C-44AC-8C6A-46A0F2E1B023}" = lport=3390 | protocol=6 | dir=in | app=system |
"{D1313E61-B6B9-4457-B6EB-4F613F30C4C6}" = lport=137 | protocol=17 | dir=in | app=system |
"{DD27C362-826E-411C-8A2E-BC0F780D2CD6}" = lport=7777 | protocol=17 | dir=in | app=c:\windows\ehome\ehshell.exe |
"{DE7B7EFD-367C-4B98-B3EC-13DB7EE6BCD0}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{ED60B75B-9B91-4C69-A264-A36D23A3955E}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{EFD5AA51-7463-4B18-8B11-4F8535FC793A}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0262F2EF-2C27-41F1-BFA4-2211F8C6F54C}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{0346DC07-933F-48BA-A27A-8A53A68E816E}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{06A7C951-54D1-496D-B289-B8FA16722A99}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{09A29BFB-E5DC-4F05-B42F-AA939C268004}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{16FC4CC3-7663-4A5E-B0BA-2EA4A3CA02DE}" = dir=out | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{1A3699FF-E1EF-4061-92D5-D447450524AD}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{1F016005-A79C-4A58-A423-96AC691E047F}" = protocol=6 | dir=in | app=c:\windows\syswow64\lxducoms.exe |
"{1F3777BC-E4BD-41D5-8B84-ED027D9D0B38}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{232100A9-99FA-4438-9A60-8182319B43F4}" = protocol=17 | dir=in | app=c:\program files (x86)\ps3 media server\pms.exe |
"{2BE7BBC8-1007-4D90-B0FE-9B3F84748D37}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{2FAB72D1-A341-4CD3-860D-28A1DDFF1E3F}" = protocol=17 | dir=in | app=c:\windows\system32\lxducoms.exe |
"{31538023-7278-48DD-AFA3-5C583BA1FDF1}" = protocol=6 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
"{37548369-6F95-458B-99C6-843EF4DA9D8D}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{37CF7514-5269-4BAB-A4A7-91040DB2114F}" = protocol=17 | dir=in | app=c:\program files (x86)\mediamall\mediamallserver.exe |
"{3A7C6DB5-8E7C-432B-A4FD-90353AC79CE5}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{3B1151FE-F006-47B8-A134-07EE72C0B576}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{4A5E857D-08CC-49D0-8B3D-BD6AF9BB62C0}" = protocol=17 | dir=in | app=c:\program files (x86)\samsung\samsung new pc studio\npsvsvr.exe |
"{4CA9A190-48DA-4E59-8961-43424BBC6416}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{4F64DC70-E9D5-41E5-B6BB-A03A835B8F48}" = protocol=6 | dir=out | app=c:\windows\ehome\ehshell.exe |
"{50041606-9B33-4ED3-BA73-3F67756ABD2C}" = protocol=17 | dir=in | app=c:\program files (x86)\lexmark 5600-6600 series\frun.exe |
"{504D5780-3A67-49FA-A428-BF69FF65A625}" = protocol=17 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
"{51ACB314-AE56-4DB7-8E15-F0F4420B67B3}" = protocol=17 | dir=in | app=c:\program files (x86)\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{51FE9A4D-398F-43A0-A58D-96AEC593807E}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{57CF08E9-60E6-4C52-8372-E70EFC0161E7}" = protocol=6 | dir=out | svc=mcx2svc | app=c:\windows\system32\svchost.exe |
"{58202A2F-9613-4BAB-9B6F-900175FC1405}" = protocol=17 | dir=out | app=c:\windows\ehome\ehshell.exe |
"{6188808B-4ACD-4929-80B0-192BF0A011B6}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{6440436A-474F-4C7B-9A22-3E428FD8FA38}" = protocol=17 | dir=in | app=c:\program files (x86)\samsung\samsung new pc studio\npsasvr.exe |
"{6A64BE20-99C1-4D3C-B031-601140F7ADEE}" = protocol=17 | dir=in | app=c:\program files (x86)\lexmark 5600-6600 series\lxdufax.exe |
"{7331F36C-71E8-42A0-B53C-82DDD2B4F378}" = protocol=6 | dir=in | app=c:\program files (x86)\lexmark 5600-6600 series\frun.exe |
"{75E0F56A-C0F9-4806-9F9F-245979E79F5D}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{7BA0A83B-D9C8-4DA2-B9C3-676B972BF5FF}" = protocol=17 | dir=in | app=c:\program files (x86)\lexmark 3600-4600 series\lxdxamon.exe |
"{7D5B15AB-D14C-4883-BEC0-FF899009AAA8}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{7E6783B7-B54D-4058-AECF-2E09DFE95D8D}" = protocol=6 | dir=in | app=c:\program files (x86)\blubster\blubster.exe |
"{821BFB8D-61C0-4F15-988D-CB814E449236}" = protocol=58 | dir=in | name=@hnetcfg.dll,-148 |
"{8230A4B4-2BF2-4474-BCEF-FBE6786D4864}" = protocol=6 | dir=in | app=c:\program files (x86)\ps3 media server\pms.exe |
"{84B17DD3-17B2-4E09-BC41-80371E83820A}" = protocol=6 | dir=in | app=c:\program files (x86)\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{880DA009-91A1-418D-8106-22302AA27FB2}" = protocol=6 | dir=in | app=c:\program files (x86)\lexmark 3600-4600 series\lxdxamon.exe |
"{8868019D-79AF-47CA-BC5B-4172FEF03981}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{88EF93E7-5BFD-4448-9248-E9E65DE5E724}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{910C274F-5363-48D1-B741-585F500EA0BF}" = protocol=17 | dir=in | app=c:\windows\syswow64\lxducoms.exe |
"{96F9E95A-140A-491F-B933-CDE38094C02D}" = protocol=6 | dir=in | app=c:\program files (x86)\lexmark 3600-4600 series\frun.exe |
"{974923B0-0212-497C-BA5F-04A992E65B98}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
"{9C7FEEDB-D9BE-4999-B869-8E6FCB91D0C7}" = protocol=6 | dir=in | app=c:\program files (x86)\lexmark 5600-6600 series\lxdufax.exe |
"{A27858CA-994B-4C7D-8AE8-73A0E3326C06}" = protocol=6 | dir=in | app=c:\program files (x86)\samsung\samsung new pc studio\npsasvr.exe |
"{AB0EB185-F1D2-4613-8B2D-20BA89B7A367}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{AD945884-B4B0-426C-9681-CED1B900A730}" = protocol=6 | dir=in | app=c:\program files (x86)\samsung\samsung new pc studio\npsvsvr.exe |
"{B190F292-C988-4A6A-B8CA-797F2E0DECD2}" = protocol=17 | dir=in | app=c:\program files (x86)\mediamall\mediamallserver.exe |
"{B45AC069-87C5-4BC8-91C0-56BD5ACEE360}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{B88BC2E8-2BE3-4FFE-B938-FA76C77A7D76}" = protocol=6 | dir=in | app=c:\program files (x86)\ps3 media server\pms.exe |
"{B8BEE6DE-6365-457F-8AFF-AEDA91CBAEED}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{BB423D58-61C6-418A-9843-15ED73B1A3FF}" = dir=in | app=c:\program files (x86)\windows live\messenger\livecall.exe |
"{C02F5D5D-3690-40F2-AC4E-8C6721555734}" = protocol=17 | dir=in | app=c:\program files (x86)\itunes\itunes.exe |
"{C13109F0-6231-4037-B14C-6F9EDF006CD7}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{C41707C3-3401-4CCE-B46A-8B4E8ADF44B7}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{C58B077A-A0BF-46E1-B905-2961346032C5}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{C72EBDD4-F6F8-46D9-A5B4-CC55CD2B3D8B}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{CAFBF3BE-2A5F-4F1A-888D-300D0278D23E}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{CB595CB4-7226-4794-A178-C12A21CFDAFE}" = protocol=6 | dir=out | app=system |
"{CCABB040-97DB-468C-A2D4-D41B1D145A50}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{D165D7B2-DFFF-485B-B16B-0686A94688E2}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{D37B3784-937E-41BA-9A6F-21C553051537}" = protocol=6 | dir=in | app=c:\program files (x86)\lexmark 5600-6600 series\lxduamon.exe |
"{DD473392-7A80-4F2A-BA72-52E116F4F44F}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{DD8A0A79-B74A-4F52-99C0-A044B27914A9}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{E0CAE393-01EA-4C3A-BF04-8534E6045397}" = protocol=17 | dir=in | app=c:\program files (x86)\ps3 media server\pms.exe |
"{E29EBBFD-2027-4EED-8B54-39E36D4C8E78}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{EAE48685-5F8A-46B1-A53D-99B79848143E}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{EC3563D6-0991-4BEE-B59C-7909E50835D4}" = protocol=6 | dir=in | app=c:\program files (x86)\itunes\itunes.exe |
"{ED7BDD63-BC5D-4854-869E-C1FBBB8507A7}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{EE6DA900-32C8-478D-AFA2-06B6C83F1408}" = protocol=17 | dir=in | app=c:\program files (x86)\lexmark 5600-6600 series\lxduamon.exe |
"{EEE96714-867A-4186-B5AF-8B6D7FBE95F8}" = protocol=17 | dir=in | app=c:\program files (x86)\lexmark 3600-4600 series\frun.exe |
"{F14BD856-8CBC-4326-9BC5-37AE7A10CF24}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{F4E93E6B-0454-4275-BBF7-26BAF4CEF372}" = protocol=6 | dir=in | app=c:\windows\system32\lxducoms.exe |
"{F77348C1-CB7B-4B26-93B2-2DFD1CB65A2C}" = protocol=6 | dir=in | app=c:\program files (x86)\mediamall\mediamallserver.exe |
"{F78C1C04-1BBA-4D1F-974E-7AF31D470F77}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{F88A0981-E2F1-40AE-B520-9D3C699257D9}" = protocol=17 | dir=in | app=c:\program files (x86)\blubster\blubster.exe |
"{FBC1CE25-6E3C-489E-B589-0D75EFF04651}" = protocol=6 | dir=in | app=c:\program files (x86)\mediamall\mediamallserver.exe |
"{FC4461FF-9FC8-48E9-BCC5-C71302335EF4}" = protocol=6 | dir=out | app=c:\windows\ehome\mcx2prov.exe |
"{FCC334AA-C122-442F-AAEC-CBC819B4A708}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"TCP Query User{0F03BDAC-0F0B-4A34-95D3-550B0060D8C7}C:\users\dad\appdata\roaming\meoss\kuyt.exe" = protocol=6 | dir=in | app=c:\users\dad\appdata\roaming\meoss\kuyt.exe |
"TCP Query User{2C35F215-7A58-43E4-8503-32D34038EAE5}E:\program files\bittornado\btdownloadgui.exe" = protocol=6 | dir=in | app=e:\program files\bittornado\btdownloadgui.exe |
"TCP Query User{3FCF88B6-58FE-43F3-B04D-D3F07FA4419D}M:\ratiomaster-1.7.5\ratiomaster-vs.exe" = protocol=6 | dir=in | app=m:\ratiomaster-1.7.5\ratiomaster-vs.exe |
"TCP Query User{4AA6AB8A-D943-470A-953D-E59056F70D19}C:\program files (x86)\opera\opera.exe" = protocol=6 | dir=in | app=c:\program files (x86)\opera\opera.exe |
"TCP Query User{6B7078F9-355B-4CAE-B691-7791D334C3FE}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
"TCP Query User{6BB98EE9-A484-44A3-889D-48E5FB4D8E3E}C:\program files (x86)\opera\opera.exe" = protocol=6 | dir=in | app=c:\program files (x86)\opera\opera.exe |
"TCP Query User{8A4982DC-529C-4CFD-B75C-10B553195396}C:\program files (x86)\java\jre6\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre6\bin\javaw.exe |
"TCP Query User{9352B1A8-8D97-4E7A-BDF4-D872A3CE4E8E}C:\program files (x86)\bittornado\btdownloadgui.exe" = protocol=6 | dir=in | app=c:\program files (x86)\bittornado\btdownloadgui.exe |
"TCP Query User{9524FAEB-6FF0-41FD-862A-0A8708C0CF17}C:\program files (x86)\java\jre6\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre6\bin\javaw.exe |
"TCP Query User{99B97A06-6EFF-4563-8380-633F24AE9FA0}C:\users\dad\appdata\roaming\equga\onbio.exe" = protocol=6 | dir=in | app=c:\users\dad\appdata\roaming\equga\onbio.exe |
"TCP Query User{D91152DE-C08D-4CBD-A45E-F4DA4F8A023E}C:\program files (x86)\java\jre6\bin\java.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre6\bin\java.exe |
"UDP Query User{0E3EA02C-FAC0-47AE-9593-5F2116663603}C:\program files (x86)\java\jre6\bin\java.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre6\bin\java.exe |
"UDP Query User{243412AB-7F92-484F-ADDC-8B72D686B625}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
"UDP Query User{2712A88E-8953-4072-864F-461C938E8C6E}C:\program files (x86)\java\jre6\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre6\bin\javaw.exe |
"UDP Query User{3A11C685-F714-4A4F-8025-3F3F07875945}E:\program files\bittornado\btdownloadgui.exe" = protocol=17 | dir=in | app=e:\program files\bittornado\btdownloadgui.exe |
"UDP Query User{5272C00E-B70A-4C7D-8E8E-CE42D96AFEA4}C:\program files (x86)\opera\opera.exe" = protocol=17 | dir=in | app=c:\program files (x86)\opera\opera.exe |
"UDP Query User{73FC2572-4F11-4317-902B-E5F48482324D}M:\ratiomaster-1.7.5\ratiomaster-vs.exe" = protocol=17 | dir=in | app=m:\ratiomaster-1.7.5\ratiomaster-vs.exe |
"UDP Query User{80C81836-F0E7-428F-8558-5D07695E26B3}C:\users\dad\appdata\roaming\equga\onbio.exe" = protocol=17 | dir=in | app=c:\users\dad\appdata\roaming\equga\onbio.exe |
"UDP Query User{D4685BD9-50B4-4748-BBFD-D6537838A14D}C:\program files (x86)\java\jre6\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre6\bin\javaw.exe |
"UDP Query User{E4BEA138-D708-4D04-8BE6-E985FB889266}C:\program files (x86)\opera\opera.exe" = protocol=17 | dir=in | app=c:\program files (x86)\opera\opera.exe |
"UDP Query User{EE599099-3110-4F0D-AC21-90344A9ADA2C}C:\program files (x86)\bittornado\btdownloadgui.exe" = protocol=17 | dir=in | app=c:\program files (x86)\bittornado\btdownloadgui.exe |
"UDP Query User{FFCE7F68-E230-474D-90DE-C16195297072}C:\users\dad\appdata\roaming\meoss\kuyt.exe" = protocol=17 | dir=in | app=c:\users\dad\appdata\roaming\meoss\kuyt.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{328CC232-CFDC-468B-A214-2E21300E4CB5}" = Apple Mobile Device Support
"{53529DAD-F7C9-476E-87CC-1547C4E3E821}" = iTunes
"{626672CD-BFCF-49A9-AEFE-AB0FED3BFC5B}" = Windows Mobile Device Center
"{B91110FB-33B4-468B-90C2-4D5E8AE3FAE1}" = Bonjour
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Lexmark 5600-6600 Series" = Lexmark 5600-6600 Series
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"NVIDIA Drivers" = NVIDIA Drivers
"SAMSUNG Mobile Modem" = SAMSUNG Mobile Modem Driver Set
"SAMSUNG Mobile Modem V2" = SAMSUNG Mobile Modem V2 Software
"SereneScreen Marine Aquarium 3_is1" = SereneScreen Marine Aquarium 3
"Unlocker" = Unlocker 1.9.0-x64

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0C8A4198-F912-4EB3-A4CA-24F677A5001F}" = PlayOn
"{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{257E440F-781F-459B-9A68-A0872B80C1D6}" = Windows Live Photo Gallery
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java™ 6 Update 10
"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{56B83336-FBC1-4C46-8613-90A9E3B440D6}" = EPU-6 Engine
"{6072EF5D-2EBB-4FBA-8BE5-1C2BA21E8CFA}" = Watchtower Library 2009 - español
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-114803710}" = Star Defender 4
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{9176251A-4CC1-4DDB-B343-B487195EB397}" = Windows Live Writer
"{945126B3-E790-45FE-A5B4-D108DB681B61}" = Sibelius Scorch (ActiveX Only)
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{99AD9D6D-A456-49EE-8360-F22EE7AA1272}" = Express Gate
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A31951C5-DCD8-4DFE-A525-CFC701F54792}" = TurboV
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.3
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{AF68235B-7FA7-4B91-AD10-C22867154174}" = NVIDIA CUDA Toolkit
"{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}" = Windows Live Sign-in Assistant
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B578C85A-A84C-4230-A177-C5B2AF565B8C}" = Microsoft Games for Windows - LIVE Redistributable
"{B83FC356-B7C0-441F-8A4D-D71E088E7974}" = NVIDIA PhysX
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{D2C5E510-BE6D-42CC-9F61-E4F939078474}" = Lexmark Printable Web
"{D5A145FC-D00C-4F1A-9119-EB4D9D659750}" = Windows Live Toolbar
"{DE5BFF9C-84D1-4B09-9C20-54633044CB85}" = Watchtower Library 2008 - English
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}" = Pinnacle TVCenter Pro
"{F7338FA3-DAB5-49B2-900D-0AFB5760C166}" = PC Probe II
"7-Zip" = 7-Zip 4.65
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"CoreAVC Professional Edition" = CoreAVC Professional Edition (remove only)
"DVDFab 6_is1" = DVDFab 6.2.1.8 (31/12/2009)
"ffdshow_is1" = ffdshow [rev 2693] [2009-02-16]
"foobar2000" = foobar2000 v1.0.3
"GoldWave v5.55" = GoldWave v5.55
"InstallShield_{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
"uTorrent" = µTorrent
"VLC media player" = VideoLAN VLC media player 0.8.6i
"Windows Live Toolbar" = Windows Live Toolbar
"winpcap-nmap" = winpcap-nmap 4.02
"WinRAR archiver" = WinRAR archiver
"XviD MPEG4 Video Codec" = XviD MPEG4 Video Codec (remove only)
"XviD_is1" = XviD 1.1 final uninstall
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3530666769-31344507-419582560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >


#6 Elise
  Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 01 October 2010 - 03:34 AM

Hi there, please let me know how things are running after the following fix.

OTL FIX
------------
We need to run an OTL Fix
  1. Please reopen OTL on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :otl
    IE - HKU\S-1-5-21-3530666769-31344507-419582560-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643
    O4 - HKU\S-1-5-21-3530666769-31344507-419582560-1000..\Run: [{3E042E28-5F9F-B04C-2CA4-5B8379DFAD8C}] C:\Users\Dad\AppData\Roaming\Equga\onbio.exe ()
    O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tuxuni.exe ()
    O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\udmi.exe ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1

    :commands
    [emptytemp]
  3. Push Run Fix.
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click OK.
  6. A report will open. Copy and Paste that report in your next reply.



regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
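
The fix above targets four persistence and interception points that also stand out in the OTL firewall listing earlier in this thread: a per-user ProxyServer pointing at 127.0.0.1, a Run value launching an executable from a randomly named folder under AppData\Roaming, executables in the Default profile's Startup folder, and an Explorer policy set under HKLM. The script below is an added example written for this page; it is not part of OTL and not something Elise posted. It parses those OTL line formats and applies the checks a reviewer makes by eye. The sample lines are copied from the log and fix script in this thread, with the opera.exe and wmplayer.exe rules kept as benign controls; the regular expressions and the heuristics are my own and cover only the line types shown.

```python
import re

# Sample entries copied from the OTL firewall-rule listing and from the OTL fix
# script posted in this thread. The opera.exe and wmplayer.exe rules are benign
# controls so the heuristics can be seen not firing.
SAMPLE_LINES = [
    r'IE - HKU\S-1-5-21-3530666769-31344507-419582560-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643',
    r'O4 - HKU\S-1-5-21-3530666769-31344507-419582560-1000..\Run: [{3E042E28-5F9F-B04C-2CA4-5B8379DFAD8C}] C:\Users\Dad\AppData\Roaming\Equga\onbio.exe ()',
    r'O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tuxuni.exe ()',
    r'O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1',
    r'"TCP Query User{0F03BDAC-0F0B-4A34-95D3-550B0060D8C7}C:\users\dad\appdata\roaming\meoss\kuyt.exe" = protocol=6 | dir=in | app=c:\users\dad\appdata\roaming\meoss\kuyt.exe |',
    r'"TCP Query User{4AA6AB8A-D943-470A-953D-E59056F70D19}C:\program files (x86)\opera\opera.exe" = protocol=6 | dir=in | app=c:\program files (x86)\opera\opera.exe |',
    r'"{1A3699FF-E1EF-4061-92D5-D447450524AD}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |',
]

# Line shapes as OTL prints them (my regexes, derived from the lines above).
FIREWALL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<fields>.*)$')
O4_RUN_RE = re.compile(r'^O4 - (?P<key>.+?)\\Run: \[(?P<value>[^\]]*)\] (?P<path>.+?) \((?P<company>[^)]*)\)\s*$')
O4_STARTUP_RE = re.compile(r'^O4 - Startup: (?P<path>.+?) \((?P<company>[^)]*)\)\s*$')
IE_PROXY_RE = re.compile(r'^IE - (?P<key>.+?): "ProxyServer" = (?P<value>.+)$')
O6_RE = re.compile(r'^O6 - (?P<key>.+?): (?P<name>\w+) = (?P<value>.+)$')
QUERY_USER_RE = re.compile(r'^(TCP|UDP) Query User\{')   # rules created from the firewall prompt


def parse_line(line: str):
    """Model one OTL line as a dict, or None for line types this triage does not look at."""
    line = line.strip()
    m = FIREWALL_RE.match(line)
    if m:
        fields = {}
        for part in m.group('fields').split('|'):
            key, sep, val = part.strip().partition('=')
            if sep:
                fields[key] = val
        return {'kind': 'firewall', 'name': m.group('name'), 'path': fields.get('app'),
                'dir': fields.get('dir'), 'query_user': bool(QUERY_USER_RE.match(m.group('name')))}
    m = O4_RUN_RE.match(line)
    if m:
        return {'kind': 'run', 'key': m.group('key'), 'value': m.group('value'),
                'path': m.group('path'), 'company': m.group('company')}
    m = O4_STARTUP_RE.match(line)
    if m:
        return {'kind': 'startup', 'path': m.group('path'), 'company': m.group('company')}
    m = IE_PROXY_RE.match(line)
    if m:
        return {'kind': 'proxy', 'key': m.group('key'), 'value': m.group('value')}
    m = O6_RE.match(line)
    if m:
        return {'kind': 'policy', 'key': m.group('key'), 'name': m.group('name'), 'value': m.group('value')}
    return None


def assess(entry: dict) -> list:
    """Return the reasons an entry deserves a human look; an empty list means nothing notable."""
    reasons = []
    path = (entry.get('path') or '').lower()
    if entry['kind'] == 'proxy' and re.search(r'127\.0\.0\.1|localhost', entry['value'], re.I):
        reasons.append('browser traffic is proxied through loopback: a local process sits between the browser and the network')
    if entry['kind'] == 'policy':
        reasons.append('Explorer policy %s=%s set under HKLM; confirm it was set on purpose' % (entry['name'], entry['value']))
    if '\\appdata\\' in path:
        reasons.append('binary lives under a user-writable profile directory rather than Program Files or System32')
    if '\\users\\default\\' in path and '\\startup\\' in path:
        reasons.append('Default profile Startup folder: every account created later inherits it')
    if entry.get('company') == '':
        reasons.append('no publisher or version information in the file')
    if entry['kind'] == 'firewall' and entry['query_user'] and entry.get('dir') == 'in' and '\\appdata\\' in path:
        reasons.append('inbound allow rule created from a Windows Firewall prompt: the binary was listening for connections')
    return reasons


def triage(lines):
    """Parse every line, keep the entries that earned at least one reason."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            entry['reasons'] = reasons
            findings.append(entry)
    return findings


if __name__ == '__main__':
    import sys
    source = open(sys.argv[1], encoding='utf-8', errors='replace') if len(sys.argv) > 1 else SAMPLE_LINES
    for finding in triage(source):
        print(finding.get('path') or finding.get('key'))
        for reason in finding['reasons']:
            print('   -', reason)
```

Run it with a saved OTL log as the first argument, or with no argument to walk the embedded sample. The "TCP Query User" and "UDP Query User" rules are the ones Vista's firewall writes when someone clicks Allow on the Windows Security Alert prompt, so an inbound rule of that kind for a binary under AppData means the file was accepting connections at some point; that is a stronger signal than the odd path on its own, which is why the two are combined into a separate reason.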


#7 majorwest
  • Topic Starter
  • Members
  • 80 posts
  • Gender:Male
  • Location:Home

Posted 01 October 2010 - 08:09 AM

Here's what happened after running the above fix: booted back to normal mode and the black screen behavior returned. Note: can move cursor around, and if I press ctrl-alt-del can bring up task manager which shows just basic processes running but nothing unusual that I can see. Rebooted several times but no change, so returned to safe mode.

Elise, I don't see where a new OTL log was created. After running the fix, it prompted for a reboot, but didn't open a log that I can remember. If it did, I may have missed it because OTL was waiting for a reply to reboot the system. But the OTL log I have on the desktop is still the first one from yesterday.



#8 Elise
  Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 01 October 2010 - 09:55 AM

Please run the following custom scan from safe mode. I suspect we might be dealing with an infection that patches explorer.exe.

OTL
-----
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    /md5start
    explorer.exe
    wininit.exe
    hlp.dat
    /md5stop
  5. Push Run Scan.
  6. A report will open. Copy and Paste that report in your next reply.

regards, Elise




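The /md5start scan above collects hashes so that explorer.exe and wininit.exe can be compared against known-good copies. The example below is added here and is not part of OTL or of this thread: it computes MD5 and SHA-256 for a file and, in addition, recomputes the PE header checksum (IMAGE_OPTIONAL_HEADER.CheckSum) and compares it with the stored value. Microsoft-built system binaries ship with this field set, and a patch written into the file that does not rewrite the field leaves a mismatch; the loader only validates the field for drivers and for DLLs loaded at boot or into critical system processes, so a patched explorer.exe still runs, which is exactly why the field is useful as a tamper indicator independent of any hash database. Two caveats: many third-party builds ship with the field zeroed, so "unset" is reported separately from "mismatch", and a clean baseline hash has to come from a machine at the same Windows build and patch level, which this page does not provide. The build_sample_pe function constructs a minimal fake PE for self-testing; it is not a real Windows file and the checksum algorithm is reproduced from imagehlp's documented behaviour, not taken from OTL.

```python
import hashlib
import struct


def checksum_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same offset for PE32 and PE32+)."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ executable')
    pe_off = struct.unpack_from('<I', data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b'PE\0\0':
        raise ValueError('PE signature not found')
    return pe_off + 4 + 20 + 64   # signature + IMAGE_FILE_HEADER + offset inside the optional header


def pe_checksum(data: bytes) -> int:
    """Recompute the header checksum the way imagehlp's CheckSumMappedFile does:
    ones-complement sum of the file as 32-bit words (the CheckSum field itself
    excluded, odd tail zero-padded), folded to 16 bits, plus the file length."""
    skip = checksum_offset(data)
    padded = data + b'\0' * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from('<I', padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)          # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def verify_pe(data: bytes) -> dict:
    """Compare the stored header checksum with a fresh computation."""
    stored = struct.unpack_from('<I', data, checksum_offset(data))[0]
    computed = pe_checksum(data)
    if stored == 0:
        status = 'unset'        # common for third-party builds; not evidence of tampering by itself
    elif stored == computed:
        status = 'ok'
    else:
        status = 'mismatch'     # bytes changed after the linker (or signer) set the field
    return {'stored': stored, 'computed': computed, 'status': status}


def check_file(path: str, baseline_sha256: str = None) -> dict:
    """Hash a file, verify its PE checksum and optionally compare with a known-good SHA-256."""
    with open(path, 'rb') as fh:
        data = fh.read()
    report = {'path': path,
              'md5': hashlib.md5(data).hexdigest(),
              'sha256': hashlib.sha256(data).hexdigest()}
    report.update(verify_pe(data))
    if baseline_sha256:
        report['baseline_match'] = report['sha256'] == baseline_sha256.lower()
    return report


def build_sample_pe(tamper: bool = False) -> bytes:
    """Constructed minimal PE32 (headers plus five code bytes) with a correct CheckSum.
    Test scaffolding only: it is not a real Windows binary and will not execute."""
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)                                  # e_lfanew: PE header follows DOS header
    file_hdr = struct.pack('<HHIIIHH', 0x14C, 0, 0, 0, 0, 224, 0x102)     # i386, 0 sections, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10B)                                  # PE32 magic
    image = bytearray(dos + b'PE\0\0' + file_hdr + opt + b'\xCC' * 5)      # odd length exercises the padding path
    struct.pack_into('<I', image, checksum_offset(bytes(image)), pe_checksum(bytes(image)))
    if tamper:
        image[-1] ^= 0x01           # a one-byte patch applied after the field was set
    return bytes(image)


if __name__ == '__main__':
    import sys
    for p in sys.argv[1:]:
        print(check_file(p))
```

Pointed at C:\Windows\explorer.exe and C:\Windows\SysWOW64\explorer.exe (the 64-bit and 32-bit copies on this Vista x64 machine), a "mismatch" status on either is the quickest offline confirmation of the in-place patching Elise suspects; a baseline SHA-256 from a clean install of the same build then settles whether the file is the original.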
#9 majorwest
  • Topic Starter
  • Members
  • 80 posts
  • Gender:Male
  • Location:Home

Posted 01 October 2010 - 10:21 AM

Just to confirm that last instruction - push "run scan" instead of "run fix", is that correct?

#10 majorwest
  • Topic Starter
  • Members
  • 80 posts
  • Gender:Male
  • Location:Home

Posted 01 October 2010 - 10:32 AM

I double-clicked OTL and it quickly ran, then ended without the chance to paste your instructions. It created a new report:

All processes killed
========== OTL ==========
HKU\S-1-5-21-3530666769-31344507-419582560-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry value HKEY_USERS\S-1-5-21-3530666769-31344507-419582560-1000\Software\Microsoft\Windows\CurrentVersion\Run\\{3E042E28-5F9F-B04C-2CA4-5B8379DFAD8C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3E042E28-5F9F-B04C-2CA4-5B8379DFAD8C}\ not found.
C:\Users\Dad\AppData\Roaming\Equga\onbio.exe moved successfully.
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tuxuni.exe moved successfully.
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\udmi.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Dad
->Temp folder emptied: 176783098 bytes
->Temporary Internet Files folder emptied: 99557411 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 2971334 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 34993 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes

User: Default User

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 464384 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 42320 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 311748 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 267.00 mb


OTL by OldTimer - Version 3.2.14.1 log created on 10012010_072350

Files\Folders moved on Reboot...
File\Folder C:\Users\Dad\AppData\Local\Temp\fla9AD4.tmp not found!
File\Folder C:\Users\Dad\AppData\Local\Temp\~DF24C6.tmp not found!
File\Folder C:\Users\Dad\AppData\Local\Temp\~DF24D0.tmp not found!
File\Folder C:\Users\Dad\AppData\Local\Temp\~DF24E1.tmp not found!
File\Folder C:\Users\Dad\AppData\Local\Temp\~DF24EB.tmp not found!
File\Folder C:\Users\Dad\AppData\Local\Temp\~DF4B30.tmp not found!
File\Folder C:\Users\Dad\AppData\Local\Temp\~DF4B3A.tmp not found!
File\Folder C:\Users\Dad\AppData\Local\Temp\~DF4B4B.tmp not found!
File\Folder C:\Users\Dad\AppData\Local\Temp\~DF4B55.tmp not found!
File\Folder C:\Users\Dad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low(147)\Content.IE5\GSF8YBQX\ccessories;subcat=printers;brand=lexmark;product=lexmark_z1420_printer;ptype=search;make=lexmark;channel=7051783787;sz=960x60,960x250;tile=1;ord=121765681599158[1] not found!
File\Folder C:\Users\Dad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low(147)\Content.IE5\GSF8YBQX\sories;subcat=printers;brand=lexmark;product=lexmark_z1420_printer;ptype=search;make=lexmark;channel=7051783787+3575826125;sz=300x250;tile=2;ord=210077919163777[1] not found!
C:\Users\Dad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SD99AX48\gallerywidget[1].swf moved successfully.
C:\Users\Dad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PPURJTU6\dmvdccontact[1].htm moved successfully.
C:\Users\Dad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PPURJTU6\search[1].htm moved successfully.
C:\Users\Dad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6UMYJJ76\iframe[2].htm moved successfully.
C:\Users\Dad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6UMYJJ76\index[1].htm moved successfully.
C:\Users\Dad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6UMYJJ76\t1[1].htm moved successfully.
C:\Users\Dad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6UMYJJ76\WorkingForTheWeekend[1].flv moved successfully.
C:\Users\Dad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\67V8Z5A0\iframe[3].htm moved successfully.
C:\Users\Dad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\67V8Z5A0\search[1].htm moved successfully.
File move failed. C:\Windows\SysNative\SET9F20.tmp scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\SET9F91.tmp scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\SETA031.tmp scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\SETA11F.tmp scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\SETA1FE.tmp scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W486VW7S\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OQXCN0B2\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F6RHMNRN\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8KXR6SZH\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1RXYWBIL\default[1] scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1RXYWBIL\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1RXYWBIL\l10n[1] scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1RXYWBIL\logo[1] scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1RXYWBIL\red-l[1] scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1RXYWBIL\status-warn[1] scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1RXYWBIL\status-yell[1] scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1RXYWBIL\stat[1] scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini scheduled to be moved on reboot.

Registry entries deleted on Reboot...


#11 Elise
  Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 01 October 2010 - 11:23 AM

QUOTE
- push "run scan" instead of "run fix", is that correct?
Yes, it is Run Scan.

The log you posted is from our last fix, please follow the instructions from my last post and post the new OTL log.

regards, Elise




#12 majorwest
  • Topic Starter
  • Members
  • 80 posts
  • Gender:Male
  • Location:Home

Posted 01 October 2010 - 11:35 AM

Ok, sorry about that. Here is the log:

OTL logfile created on: 10/1/2010 11:24:54 AM - Run 2
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Users\Dad\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18943)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

6.00 Gb Total Physical Memory | 5.00 Gb Available Physical Memory | 83.00% Memory free
12.00 Gb Paging File | 11.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 931.51 Gb Total Space | 26.94 Gb Free Space | 2.89% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 73.19 Gb Total Space | 24.50 Gb Free Space | 33.47% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive L: | 93.36 Gb Total Space | 73.01 Gb Free Space | 78.20% Space Free | Partition Type: NTFS
Drive M: | 3.49 Gb Total Space | 3.35 Gb Free Space | 95.78% Space Free | Partition Type: NTFS
Drive N: | 298.09 Gb Total Space | 45.53 Gb Free Space | 15.27% Space Free | Partition Type: NTFS
Drive O: | 931.51 Gb Total Space | 384.46 Gb Free Space | 41.27% Space Free | Partition Type: NTFS

Computer Name: DAD-PC
Current User Name: Dad
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/10/01 10:18:35 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Dad\Desktop\OTL.exe


========== Modules (SafeList) ==========

MOD - [2010/10/01 10:18:35 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Dad\Desktop\OTL.exe
MOD - [2008/01/20 21:50:01 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx
MOD - [2008/01/20 21:48:06 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2008/05/23 07:58:53 | 001,040,552 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\lxducoms.exe -- (lxdu_device)
SRV:64bit: - [2008/01/20 21:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2010/07/28 08:48:30 | 003,856,752 | ---- | M] (MediaMall Technologies, Inc.) [Auto | Stopped] -- C:\Program Files (x86)\MediaMall\MediaMallServer.exe -- (MediaMall Server)
SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/18 14:27:14 | 001,020,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 14:27:14 | 000,138,576 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_64)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/01/12 18:24:18 | 000,217,088 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files (x86)\PS3 Media Server\win32\service\wrapper.exe -- (PS3 Media Server)
SRV - [2009/08/05 11:13:46 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/07/14 13:28:00 | 000,239,648 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/11/26 12:36:12 | 000,323,584 | -H-- | M] (DeviceVM) [Auto | Stopped] -- C:\ASUS.SYS\config\DVMExportService.exe -- (DvmMDES)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/08/15 03:23:20 | 000,086,016 | R--- | M] () [Auto | Stopped] -- C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe -- (AsSysCtrlService)
SRV - [2008/05/23 07:58:34 | 000,594,600 | ---- | M] ( ) [Auto | Stopped] -- C:\Windows\SysWow64\lxducoms.exe -- (lxdu_device)
SRV - [2007/10/25 17:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/10/18 13:31:54 | 000,098,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2007/05/31 17:11:54 | 000,443,784 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007/05/31 17:11:46 | 000,225,672 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)


========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1000000.07D\SRTSPX64.SYS -- (SRTSPX)
DRV:64bit: - File not found [File_System | System | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1000000.07D\SRTSP64.SYS -- (SRTSP)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ipinip.sys -- (IpInIp)
DRV:64bit: - [2010/04/19 20:47:42 | 000,050,688 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2009/12/12 00:26:43 | 000,074,880 | ---- | M] () [File_System | Auto | Stopped] -- C:\Windows\SysNative\DRIVERS\avgntflt.sys -- (avgntflt)
DRV:64bit: - [2009/11/16 04:13:26 | 000,271,360 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys -- (RTL8169)
DRV:64bit: - [2009/10/14 11:02:20 | 000,027,304 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\povrtdev.sys -- (msvad_simple)
DRV:64bit: - [2009/09/14 20:36:04 | 000,082,816 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\pcouffin.sys -- (pcouffin)
DRV:64bit: - [2009/08/03 09:22:58 | 000,016,392 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\TFsExDisk.sys -- (TFsExDisk)
DRV:64bit: - [2009/05/22 18:08:37 | 000,036,352 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\VClone.sys -- (VClone)
DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/05/13 11:41:08 | 000,158,208 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\sscemdm.sys -- (sscemdm)
DRV:64bit: - [2009/05/13 11:41:08 | 000,018,944 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\sscemdfl.sys -- (sscemdfl)
DRV:64bit: - [2009/05/13 11:41:06 | 000,116,224 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\sscebus.sys -- (sscebus) SAMSUNG USB Composite Device V2 driver (WDM)
DRV:64bit: - [2009/03/02 18:20:18 | 000,035,840 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\BVRPMPR5a64.SYS -- (BVRPMPR5a64)
DRV:64bit: - [2009/02/24 18:35:44 | 000,255,552 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\mcdbus.sys -- (mcdbus)
DRV:64bit: - [2008/06/29 10:12:32 | 000,040,464 | ---- | M] () [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\npf.sys -- (npf)
DRV:64bit: - [2008/04/22 10:53:36 | 000,012,744 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ENTECH64.sys -- (ENTECH64)
DRV:64bit: - [2008/01/20 21:47:28 | 000,046,080 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
DRV:64bit: - [2008/01/20 21:46:55 | 000,317,952 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\e1e6032e.sys -- (e1express) Intel®
DRV:64bit: - [2008/01/20 21:46:52 | 000,019,456 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\usb8023x.sys -- (usb_rndisx)
DRV:64bit: - [2007/08/08 09:03:54 | 000,576,640 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\emBDA64.sys -- (USB28xxBGA)
DRV:64bit: - [2007/08/08 09:03:54 | 000,054,528 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\emOEM64.sys -- (USB28xxOEM)
DRV:64bit: - [2006/11/01 02:23:42 | 000,015,680 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\ASACPI.sys -- (MTsensor)
DRV:64bit: - [2006/09/18 16:36:24 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\Wbem\ntfs.mof -- (Ntfs)
DRV - [2010/09/30 19:48:25 | 000,034,560 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysWow64\drivers\Normandy.sys -- (Normandy)
DRV - [2010/03/08 17:33:21 | 000,038,944 | ---- | M] (B.H.A Corporation) [Kernel | System | Stopped] -- C:\Windows\SysWow64\drivers\CDRBSDRV.SYS -- (cdrbsdrv)
DRV - [2009/08/03 09:22:58 | 000,016,392 | ---- | M] (Teruten Inc) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\TFsExDisk.Sys -- (TFsExDisk)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BF 64 6D 36 EC 60 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========



[2010/09/25 00:40:01 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Mozilla\Extensions
[2010/09/25 00:40:01 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2009/10/16 06:57:15 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\gkj9a50o.default\extensions
[2009/10/16 06:57:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\gkj9a50o.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/10/16 06:57:15 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\gkj9a50o.default\extensions\staged-xpis

O1 HOSTS File: ([2006/09/18 16:37:24 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [lxduamon] C:\Program Files (x86)\Lexmark 5600-6600 Series\lxduamon.exe ()
O4:64bit: - HKLM..\Run: [lxdumon.exe] C:\Program Files (x86)\Lexmark 5600-6600 Series\lxdumon.exe ()
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Windows Mobile Device Center] C:\Windows\WindowsMobile\wmdc.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Blubster] C:\Program Files (x86)\Blubster\Blubster.exe File not found
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NPSStartup] File not found
O4 - HKLM..\Run: [TurboV] C:\Program Files\ASUS\TurboV\TurboV.exe ()
O4 - HKCU..\Run: [AutoStartNPSAgent] C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe File not found
O4 - HKCU..\Run: [PlayOn] C:\Program Files (x86)\MediaMall\PlayOn.exe (MediaMall Technologies, Inc.)
O4 - HKCU..\Run: [uTorrent] C:\Program Files (x86)\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10i_ActiveX.exe (Adobe Systems, Inc.)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: one-time-offer.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: pizzahut.com ([quikorder] https in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} http://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab (ZPA_DMNO Object)
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab (UnoCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab (MSN Games – Hearts)
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab (MSN Games – Texas Holdem Poker)
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab (ZPA_SHVL Object)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/...tiveXPlugin.cab (ScorchPlugin Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...k.cab102118.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab (ChessControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img28.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img28.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/09/10 15:20:10 | 000,000,000 | ---D | M] - C:\Autoruns -- [ NTFS ]
O32 - AutoRun File - [2008/02/25 17:59:34 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/07/20 00:04:20 | 000,000,095 | ---- | M] () - L:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{0de330e7-944f-11df-a631-0026187765e0}\Shell\AutoRun\command - "" = O:\setup.exe -- File not found
O33 - MountPoints2\{3db79b13-ab39-11df-b844-0026187765e0}\Shell - "" = AutoRun
O33 - MountPoints2\{3db79b13-ab39-11df-b844-0026187765e0}\Shell\AutoRun\command - "" = Q:\WD SmartWare.exe -- File not found
O33 - MountPoints2\{68451d87-7d33-11df-8c3d-0026187765e0}\Shell - "" = AutoRun
O33 - MountPoints2\{68451d87-7d33-11df-8c3d-0026187765e0}\Shell\AutoRun\command - "" = O:\NPSAI.exe -- File not found
O33 - MountPoints2\{e999517c-9bbe-11de-adf3-00248caf3c83}\Shell\AutoRun\command - "" = wd_windows_tools\setup.exe
O33 - MountPoints2\{e9995185-9bbe-11de-adf3-00248caf3c83}\Shell\AutoRun\command - "" = WDSetup.exe
O33 - MountPoints2\Q\Shell\AutoRun\command - "" = WDSetup.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/10/01 07:39:41 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/10/01 07:23:50 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/09/30 06:48:57 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\Dad\Desktop\OTL.exe
[2010/09/25 00:36:29 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Softwrap
[2010/09/25 00:36:29 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Fonts
[2010/09/25 00:36:29 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Config
[2010/09/24 11:07:57 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker
[2010/09/23 17:47:40 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/09/23 17:47:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/09/22 06:15:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Gosu(41)
[2010/09/21 09:07:44 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\Bitrix Security
[2010/09/14 07:27:11 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010/09/13 23:39:59 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/09/13 14:01:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/09/13 14:01:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2010/09/11 21:15:54 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[2010/09/11 20:10:45 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\KillProcess
[2010/09/11 20:10:24 | 000,000,000 | ---D | C] -- C:\Users\Dad\Documents\KillProcess Kill Lists
[2010/09/11 20:10:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\KillProcess
[2010/09/11 06:57:17 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\SUPERAntiSpyware.com
[2010/09/11 06:57:17 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/09/11 06:57:12 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/09/10 15:11:36 | 000,000,000 | ---D | C] -- C:\Autoruns
[2010/09/10 08:20:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2010/09/10 08:15:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Panda Security
[2010/09/10 05:53:51 | 000,000,000 | ---D | C] -- C:\Users\Dad\Desktop\INFECTION
[2010/09/09 19:52:31 | 000,000,000 | ---D | C] -- C:\Users\Dad\DoctorWeb
[2010/09/09 17:27:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Gosu(19)
[2010/08/08 20:39:05 | 000,364,544 | ---- | C] ( ) -- C:\Windows\SysWow64\lxduinpa.dll
[2010/08/08 20:39:05 | 000,339,968 | ---- | C] ( ) -- C:\Windows\SysWow64\lxduiesc.dll
[2010/08/08 20:39:04 | 000,651,264 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdupmui.dll
[2010/08/08 20:39:03 | 001,069,056 | ---- | C] ( ) -- C:\Windows\SysWow64\lxduserv.dll
[2010/08/08 20:39:03 | 000,851,968 | ---- | C] ( ) -- C:\Windows\SysWow64\lxduusb1.dll
[2010/08/08 20:39:03 | 000,577,536 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdulmpm.dll
[2010/08/08 20:39:02 | 000,765,952 | ---- | C] ( ) -- C:\Windows\SysWow64\lxducomc.dll
[2010/08/08 20:39:02 | 000,679,936 | ---- | C] ( ) -- C:\Windows\SysWow64\lxduhbn3.dll
[2010/08/08 20:39:02 | 000,376,832 | ---- | C] ( ) -- C:\Windows\SysWow64\lxducomm.dll
[2009/09/13 21:40:15 | 000,082,816 | ---- | C] (VSO Software) -- C:\Users\Dad\AppData\Roaming\pcouffin.sys
[5 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[13 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[13 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/10/01 11:24:30 | 005,505,024 | -HS- | M] () -- C:\Users\Dad\ntuser.dat
[2010/10/01 10:18:35 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Dad\Desktop\OTL.exe
[2010/10/01 07:50:25 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/10/01 07:47:57 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/10/01 07:47:57 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/10/01 07:47:35 | 000,074,425 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/10/01 07:47:30 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/10/01 07:44:24 | 000,524,288 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{d04c8696-c738-11df-8a9c-0026187765e0}.TMContainer00000000000000000001.regtrans-ms
[2010/10/01 07:44:24 | 000,065,536 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{d04c8696-c738-11df-8a9c-0026187765e0}.TM.blf
[2010/10/01 07:30:12 | 000,000,414 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{5C97C559-019D-4E6A-8D17-A9E6E6CB61F8}.job
[2010/10/01 07:28:29 | 000,403,952 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/10/01 05:48:50 | 000,000,680 | ---- | M] () -- C:\Users\Dad\AppData\Local\d3d9caps.dat
[2010/09/30 19:48:25 | 000,034,560 | ---- | M] () -- C:\Windows\SysWow64\drivers\Normandy.sys
[2010/09/30 19:48:19 | 000,133,632 | ---- | M] () -- C:\Users\Dad\Desktop\RKUnhookerLE.EXE
[2010/09/29 23:21:01 | 000,000,732 | ---- | M] () -- C:\Users\Dad\AppData\Local\d3d9caps64.dat
[2010/09/29 10:29:09 | 000,703,388 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/09/29 10:29:09 | 000,603,516 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/09/29 10:29:09 | 000,103,586 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/09/28 05:43:17 | 000,000,470 | ---- | M] () -- C:\Users\Dad\Desktop\MSN Health & Fitness - Cancer Video.url
[2010/09/25 00:36:53 | 000,002,453 | ---- | M] () -- C:\Users\Public\Documents\Global.sw2
[2010/09/25 00:36:29 | 000,000,000 | -H-- | M] () -- C:\Windows\SwSys2.bmp
[2010/09/25 00:36:29 | 000,000,000 | -H-- | M] () -- C:\Windows\SwSys1.bmp
[2010/09/23 17:47:42 | 000,000,813 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/23 17:39:45 | 000,074,425 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/09/23 17:22:23 | 000,000,282 | ---- | M] () -- C:\Windows\tasks\Check Updates for Windows Live Toolbar.job
[2010/09/23 12:36:09 | 000,524,288 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{d04c8696-c738-11df-8a9c-0026187765e0}.TMContainer00000000000000000002.regtrans-ms
[2010/09/23 12:03:09 | 000,524,288 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{10760285-be20-11df-bb48-0026187765e0}.TMContainer00000000000000000001.regtrans-ms
[2010/09/23 12:03:09 | 000,065,536 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{10760285-be20-11df-bb48-0026187765e0}.TM.blf
[2010/09/23 06:41:01 | 000,000,334 | ---- | M] () -- C:\Users\Dad\Desktop\d3d9caps.dat - Jotti's malware scan.url
[2010/09/23 05:31:22 | 000,021,880 | ---- | M] () -- C:\Users\Dad\Desktop\usage 316-300-0989.csv
[2010/09/21 19:03:36 | 000,000,240 | ---- | M] () -- C:\Users\Dad\Desktop\Wild Horses Kick Butt - Bing Videos.url
[2010/09/20 22:35:14 | 000,000,249 | ---- | M] () -- C:\Users\Dad\Desktop\NEW 7 Mini Netbook Laptop Notebook WIFI Windows Red.url
[2010/09/20 08:02:18 | 000,664,576 | ---- | M] () -- C:\hotfix.bak
[2010/09/19 13:16:14 | 000,005,723 | ---- | M] () -- C:\ProgramData\.wtav
[2010/09/12 20:59:29 | 000,000,552 | ---- | M] () -- C:\Users\Dad\AppData\Local\d3d8caps.dat
[2010/09/11 23:38:43 | 000,524,288 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{10760285-be20-11df-bb48-0026187765e0}.TMContainer00000000000000000002.regtrans-ms
[2010/09/11 23:20:37 | 000,524,288 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{9785f76b-bda0-11df-8063-0026187765e0}.TMContainer00000000000000000001.regtrans-ms
[2010/09/11 23:20:37 | 000,065,536 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{9785f76b-bda0-11df-8063-0026187765e0}.TM.blf
[2010/09/11 20:32:33 | 000,524,288 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{9785f76b-bda0-11df-8063-0026187765e0}.TMContainer00000000000000000002.regtrans-ms
[2010/09/11 20:25:51 | 000,524,288 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{f7d6d10a-e76c-11de-8f59-8000600fe800}.TMContainer00000000000000000001.regtrans-ms
[2010/09/11 20:25:51 | 000,065,536 | -HS- | M] () -- C:\Users\Dad\ntuser.dat{f7d6d10a-e76c-11de-8f59-8000600fe800}.TM.blf
[2010/09/11 18:22:14 | 000,133,632 | ---- | M] () -- C:\Users\Dad\Documents\Insurance.doc
[2010/09/10 16:13:29 | 003,163,052 | ---- | M] () -- C:\Users\Dad\Desktop\AutoRuns.arn
[2010/09/06 16:19:54 | 000,103,557 | ---- | M] () -- C:\Users\Dad\Desktop\Alyssa order.pdf
[2010/09/06 16:19:54 | 000,006,148 | ---- | M] () -- C:\Users\Dad\AppData\Roaming\PrimoPDFSet.xml
[2010/09/04 23:07:00 | 000,000,224 | ---- | M] () -- C:\Users\Dad\Desktop\GENIE Limit Switch Screw Drive 20113R - 24454R.url
[2010/09/04 07:46:17 | 000,000,600 | ---- | M] () -- C:\Users\Dad\AppData\Local\PUTTY.RND
[2010/09/03 11:17:35 | 000,000,143 | ---- | M] () -- C:\Users\Dad\Desktop\Thermaltake BlacX ST0005U Hard Drive Dock.url
[5 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[13 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[13 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/30 19:47:22 | 000,034,560 | ---- | C] () -- C:\Windows\SysWow64\drivers\Normandy.sys
[2010/09/30 06:49:18 | 000,133,632 | ---- | C] () -- C:\Users\Dad\Desktop\RKUnhookerLE.EXE
[2010/09/28 05:43:17 | 000,000,470 | ---- | C] () -- C:\Users\Dad\Desktop\MSN Health & Fitness - Cancer Video.url
[2010/09/25 00:36:29 | 000,002,453 | ---- | C] () -- C:\Users\Public\Documents\Global.sw2
[2010/09/25 00:36:29 | 000,000,000 | -H-- | C] () -- C:\Windows\SwSys2.bmp
[2010/09/25 00:36:29 | 000,000,000 | -H-- | C] () -- C:\Windows\SwSys1.bmp
[2010/09/23 17:47:42 | 000,000,813 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/23 12:36:09 | 000,524,288 | -HS- | C] () -- C:\Users\Dad\ntuser.dat{d04c8696-c738-11df-8a9c-0026187765e0}.TMContainer00000000000000000002.regtrans-ms
[2010/09/23 12:36:08 | 000,524,288 | -HS- | C] () -- C:\Users\Dad\ntuser.dat{d04c8696-c738-11df-8a9c-0026187765e0}.TMContainer00000000000000000001.regtrans-ms
[2010/09/23 12:36:08 | 000,065,536 | -HS- | C] () -- C:\Users\Dad\ntuser.dat{d04c8696-c738-11df-8a9c-0026187765e0}.TM.blf
[2010/09/23 06:41:01 | 000,000,334 | ---- | C] () -- C:\Users\Dad\Desktop\d3d9caps.dat - Jotti's malware scan.url
[2010/09/23 05:31:22 | 000,021,880 | ---- | C] () -- C:\Users\Dad\Desktop\usage 316-300-0989.csv
[2010/09/20 08:02:19 | 000,664,576 | ---- | C] () -- C:\hotfix.bak
[2010/09/19 13:15:31 | 000,005,723 | ---- | C] () -- C:\ProgramData\.wtav
[2010/09/12 20:59:29 | 000,000,552 | ---- | C] () -- C:\Users\Dad\AppData\Local\d3d8caps.dat
[2010/09/11 23:57:41 | 000,000,680 | ---- | C] () -- C:\Users\Dad\AppData\Local\d3d9caps.dat
[2010/09/11 23:38:43 | 000,524,288 | -HS- | C] () -- C:\Users\Dad\ntuser.dat{10760285-be20-11df-bb48-0026187765e0}.TMContainer00000000000000000002.regtrans-ms
[2010/09/11 23:38:43 | 000,524,288 | -HS- | C] () -- C:\Users\Dad\ntuser.dat{10760285-be20-11df-bb48-0026187765e0}.TMContainer00000000000000000001.regtrans-ms
[2010/09/11 23:38:43 | 000,065,536 | -HS- | C] () -- C:\Users\Dad\ntuser.dat{10760285-be20-11df-bb48-0026187765e0}.TM.blf
[2010/09/11 20:32:33 | 000,524,288 | -HS- | C] () -- C:\Users\Dad\ntuser.dat{9785f76b-bda0-11df-8063-0026187765e0}.TMContainer00000000000000000002.regtrans-ms
[2010/09/11 20:32:33 | 000,524,288 | -HS- | C] () -- C:\Users\Dad\ntuser.dat{9785f76b-bda0-11df-8063-0026187765e0}.TMContainer00000000000000000001.regtrans-ms
[2010/09/11 20:32:33 | 000,065,536 | -HS- | C] () -- C:\Users\Dad\ntuser.dat{9785f76b-bda0-11df-8063-0026187765e0}.TM.blf
[2010/09/11 18:22:14 | 000,133,632 | ---- | C] () -- C:\Users\Dad\Documents\Insurance.doc
[2010/09/10 16:13:29 | 003,163,052 | ---- | C] () -- C:\Users\Dad\Desktop\AutoRuns.arn
[2010/09/06 16:19:51 | 000,103,557 | ---- | C] () -- C:\Users\Dad\Desktop\Alyssa order.pdf
[2010/09/04 23:07:00 | 000,000,224 | ---- | C] () -- C:\Users\Dad\Desktop\GENIE Limit Switch Screw Drive 20113R - 24454R.url
[2010/09/03 20:45:12 | 000,000,600 | ---- | C] () -- C:\Users\Dad\AppData\Local\PUTTY.RND
[2010/09/03 11:17:35 | 000,000,143 | ---- | C] () -- C:\Users\Dad\Desktop\Thermaltake BlacX ST0005U Hard Drive Dock.url
[2010/08/09 16:39:27 | 000,000,661 | ---- | C] () -- C:\ProgramData\tmpC3F8.log
[2010/08/08 20:39:06 | 000,389,120 | ---- | C] () -- C:\Windows\SysWow64\LXDUinst.dll
[2010/08/08 20:39:05 | 000,335,872 | ---- | C] () -- C:\Windows\SysWow64\lxducomx.dll
[2010/07/23 10:10:23 | 000,000,179 | ---- | C] () -- C:\Windows\WinInit.Ini
[2010/06/21 09:19:01 | 000,002,528 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\$_hpcst$.hpc
[2010/03/14 12:16:38 | 000,003,212 | -HS- | C] () -- C:\Users\Dad\AppData\Local\TsCoj8C
[2010/03/14 12:16:38 | 000,003,212 | -HS- | C] () -- C:\ProgramData\TsCoj8C
[2010/03/12 23:04:26 | 000,126,464 | ---- | C] () -- C:\Windows\SysWow64\lame_enc.dll
[2010/03/07 19:45:36 | 000,000,664 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\vso_ts_preview.xml
[2010/02/27 06:53:52 | 000,000,732 | ---- | C] () -- C:\Users\Dad\AppData\Local\d3d9caps64.dat
[2010/01/28 03:03:10 | 000,067,584 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2009/11/29 19:54:12 | 000,000,357 | ---- | C] () -- C:\ProgramData\tmp6E10.log
[2009/11/29 19:44:25 | 000,000,357 | ---- | C] () -- C:\ProgramData\tmp7917.log
[2009/11/29 19:43:23 | 000,000,357 | ---- | C] () -- C:\ProgramData\tmp897C.log
[2009/11/17 02:09:38 | 000,000,040 | -HS- | C] () -- C:\ProgramData\.zreglib
[2009/11/15 18:15:54 | 000,000,000 | ---- | C] () -- C:\Windows\OPPRIN~1.INI
[2009/11/08 18:03:48 | 000,074,425 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/11/08 17:51:23 | 000,074,425 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/11/08 16:45:03 | 000,000,877 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\coreavc.ini
[2009/10/13 12:55:41 | 000,001,671 | ---- | C] () -- C:\ProgramData\lxduDiagnostics.log
[2009/10/11 13:58:23 | 000,000,646 | ---- | C] () -- C:\ProgramData\tmp12D8.log
[2009/09/13 21:52:42 | 000,000,034 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\pcouffin.log
[2009/09/13 21:40:15 | 000,099,384 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\inst.exe
[2009/09/13 21:40:15 | 000,007,859 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\pcouffin.cat
[2009/09/13 21:40:15 | 000,001,167 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\pcouffin.inf
[2009/09/08 17:02:54 | 000,000,550 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\AutoGK.ini
[2009/08/20 05:56:30 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2009/08/17 02:54:09 | 000,063,316 | ---- | C] () -- C:\ProgramData\lxduJSW.log
[2009/08/12 06:15:11 | 000,006,148 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\PrimoPDFSet.xml
[2009/08/07 21:47:46 | 000,027,528 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\UserTile.png
[2009/08/07 21:13:18 | 001,036,288 | ---- | C] () -- C:\Windows\SysWow64\lxdudrs.dll
[2009/08/07 21:13:18 | 000,081,920 | ---- | C] () -- C:\Windows\SysWow64\lxducaps.dll
[2009/08/07 21:13:18 | 000,069,632 | ---- | C] () -- C:\Windows\SysWow64\lxducnv4.dll
[2009/08/07 21:08:11 | 000,000,000 | ---- | C] () -- C:\ProgramData\UpdaterLog.txt
[2009/07/22 23:22:56 | 000,424,610 | ---- | C] () -- C:\Users\Dad\AppData\Local\dd_vcredistMSI6ACD.txt
[2009/07/22 23:22:56 | 000,011,422 | ---- | C] () -- C:\Users\Dad\AppData\Local\dd_vcredistUI6ACD.txt
[2009/07/22 22:24:53 | 000,164,864 | ---- | C] () -- C:\Users\Dad\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/14 17:15:00 | 000,178,432 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2009/05/29 16:52:26 | 000,180,224 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
[2009/05/29 16:47:06 | 000,761,856 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2009/04/26 23:13:36 | 000,000,326 | ---- | C] () -- C:\Windows\primopdf.ini
[2009/04/17 13:15:23 | 000,024,576 | R--- | C] () -- C:\Windows\SysWow64\AsIO.dll
[2009/04/17 13:15:23 | 000,014,392 | R--- | C] () -- C:\Windows\SysWow64\drivers\AsIO.sys
[2009/04/17 13:15:16 | 000,011,832 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsInsHelp64.sys
[2009/04/17 13:15:16 | 000,010,216 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsInsHelp32.sys
[2009/04/17 12:53:38 | 000,040,099 | ---- | C] () -- C:\Windows\Ascd_log.ini
[2009/04/17 12:53:33 | 000,001,746 | ---- | C] () -- C:\Windows\Language_trs.ini
[2009/04/17 12:44:46 | 000,028,276 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2008/11/07 20:08:20 | 000,362,029 | ---- | C] () -- C:\Windows\SysWow64\sqlite3.dll
[2008/10/07 11:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2008/10/07 11:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2008/10/07 11:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll
[2008/06/01 02:13:10 | 000,053,299 | ---- | C] () -- C:\Windows\SysWow64\pthreadVC.dll
[2008/01/20 21:50:05 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2008/01/20 21:49:49 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2007/12/28 02:22:02 | 000,010,296 | ---- | C] () -- C:\Windows\SysWow64\drivers\ASUSHWIO.SYS
[2007/10/25 17:26:10 | 000,005,632 | ---- | C] () -- C:\Windows\SysWow64\drivers\StarOpen.sys
[2005/08/09 17:13:31 | 000,831,488 | ---- | C] () -- C:\Windows\SysWow64\libeay32.dll
[2005/08/09 17:13:31 | 000,159,744 | ---- | C] () -- C:\Windows\SysWow64\ssleay32.dll
[2005/08/09 17:12:28 | 003,596,288 | ---- | C] () -- C:\Windows\SysWow64\qt-dx331.dll

========== Custom Scans ==========



< MD5 for: EXPLORER.EXE >
[2008/10/29 01:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_b5f700fe698beb14\explorer.exe
[2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\SysWOW64\explorer.exe
[2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\SysWOW64\explorer.exe
[2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_b7eb106e66a7ac19\explorer.exe
[2008/10/29 01:15:50 | 003,087,360 | ---- | M] (Microsoft Corporation) MD5=50514057C28A74BAC2BD04B7B990D615 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_aba256ac352b2919\explorer.exe
[2008/10/29 22:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_b8583e9d7fda0512\explorer.exe
[2009/04/11 02:10:17 | 003,079,168 | ---- | M] (Microsoft Corporation) MD5=6B08E54A451B3F95E4109DBA7E594270 -- C:\Windows\SoftwareDistribution\Download\61da130e21aad3387c2fa3ca1d469de3\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_afbebba22f3bab41\explorer.exe
[2008/10/27 21:30:12 | 003,086,848 | ---- | M] (Microsoft Corporation) MD5=72B9990E45C25AA3C75C4FB50A9D6CE0 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_ac5266dd4e2b0a41\explorer.exe
[2008/10/29 01:49:22 | 003,080,704 | ---- | M] (Microsoft Corporation) MD5=BBD8E74F23D7605CB0CDB57A1B25D826 -- C:\Windows\explorer.exe
[2008/10/29 01:49:22 | 003,080,704 | ---- | M] (Microsoft Corporation) MD5=BBD8E74F23D7605CB0CDB57A1B25D826 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_ad96661c3246ea1e\explorer.exe
[2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\SoftwareDistribution\Download\61da130e21aad3387c2fa3ca1d469de3\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_ba1365f4639c6d3c\explorer.exe
[2008/10/30 00:30:07 | 003,081,216 | ---- | M] (Microsoft Corporation) MD5=E404A65EF890140410E9F3D405841C95 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_ae03944b4b794317\explorer.exe
[2008/10/27 21:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_b6a7112f828bcc3c\explorer.exe
[2008/01/20 21:48:44 | 003,080,704 | ---- | M] (Microsoft Corporation) MD5=F6D765FB6B457542D954682F50C26E4F -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_add342963219dff5\explorer.exe
[2008/01/20 21:49:23 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_b827ece8667aa1f0\explorer.exe

< MD5 for: WININIT.EXE >
[2008/01/20 21:48:04 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\SysWOW64\wininit.exe
[2008/01/20 21:48:04 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\SysWOW64\wininit.exe
[2008/01/20 21:48:04 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
[2008/01/20 21:50:23 | 000,123,904 | ---- | M] (Microsoft Corporation) MD5=117EA87DF785CA1B9D821F6F213DCE07 -- C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_8d115452bcae17d8\wininit.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:4BF2F6B5
@Alternate Data Stream - 138 bytes -> C:\ProgramData\TEMP:1D32EC29
< End of report >
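The "< MD5 for: ... >" blocks above are a rootkit check by hash: the live copy of a system binary should hash identically to one of the copies Windows keeps in winsxs or the update cache. As an added example (not OTL's code and not from anyone in this thread), a small Python parser that reads those OTL lines, uses the winsxs / SoftwareDistribution copies as the reference set and flags any live copy whose MD5 matches none of them. The explorer.exe sample lines are copied from the log above; the wininit.exe mismatch sample is constructed to show the failure case.

```python
import re

# One OTL "MD5 for:" data line has the shape
# [date time | size | attrs | M] (Publisher) MD5=HASH -- PATH
OTL_MD5_LINE = re.compile(
    r"^\[[^|]+\|[^|]+\|[^|]+\|\s*M\]\s*\((?P<publisher>[^)]*)\)\s*"
    r"MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+)$"
)

# Copies kept by the component store or the update cache; a live system
# file should hash identically to one of them.
REFERENCE_DIRS = ("\\winsxs\\", "\\softwaredistribution\\")

def parse_otl_md5_block(text):
    """Parse the data lines of one '< MD5 for: NAME >' block into dicts."""
    rows = []
    for line in text.splitlines():
        m = OTL_MD5_LINE.match(line.strip())
        if m:  # header, blank and other non-data lines are skipped
            rows.append({"publisher": m["publisher"], "md5": m["md5"].upper(),
                         "path": m["path"].strip()})
    return rows

def _is_reference(path):
    return any(d in path.lower() for d in REFERENCE_DIRS)

def check_live_copies(rows):
    """Map each live (non-reference) path to its MD5 and whether that MD5 also
    appears on a component-store copy. A False here is a file to look at."""
    reference = {r["md5"] for r in rows if _is_reference(r["path"])}
    return {r["path"]: {"md5": r["md5"], "match": r["md5"] in reference}
            for r in rows if not _is_reference(r["path"])}

# Sample input: four lines copied from the EXPLORER.EXE block in the log.
SAMPLE_EXPLORER = r"""
[2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\SysWOW64\explorer.exe
[2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_b7eb106e66a7ac19\explorer.exe
[2008/10/29 01:49:22 | 003,080,704 | ---- | M] (Microsoft Corporation) MD5=BBD8E74F23D7605CB0CDB57A1B25D826 -- C:\Windows\explorer.exe
[2008/10/29 01:49:22 | 003,080,704 | ---- | M] (Microsoft Corporation) MD5=BBD8E74F23D7605CB0CDB57A1B25D826 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_ad96661c3246ea1e\explorer.exe
"""

# Constructed input (not from the log): the live copy hashes differently from
# the only component-store copy, the pattern a replaced system file shows.
SAMPLE_MISMATCH = r"""
[2008/01/20 21:50:23 | 000,123,904 | ---- | M] (Microsoft Corporation) MD5=117EA87DF785CA1B9D821F6F213DCE07 -- C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_8d115452bcae17d8\wininit.exe
[2008/01/20 21:50:23 | 000,123,904 | ---- | M] (Microsoft Corporation) MD5=DEADBEEFDEADBEEFDEADBEEFDEADBEEF -- C:\Windows\System32\wininit.exe
"""

if __name__ == "__main__":
    for name, sample in (("explorer", SAMPLE_EXPLORER), ("mismatch", SAMPLE_MISMATCH)):
        for path, v in check_live_copies(parse_otl_md5_block(sample)).items():
            print(name, "OK  " if v["match"] else "DIFF", v["md5"], path)
```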


#13 Elise


Posted 01 October 2010 - 11:50 AM

Hi, I see no problems here.

Click Start > Programs > Accessories, right-click on Command Prompt and select "Run as administrator".

Type chkdsk /r and press enter. Type Y and press enter to schedule the disk scan for next reboot.

Restart your computer and let the disk check run unhindered. Note - this may take a while.


When done see how things are running in normal mode.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#14 majorwest


Posted 01 October 2010 - 05:19 PM

You were right, that took quite a while. Do you know if that creates a report and where it is located? When the machine rebooted it said "The volumes are clean. Windows has finished checking the disks." However, I'm still getting the black screen. I decided to leave it that way and after about 30 - 40 minutes Windows finally appeared. But the desktop remains sluggish and mostly unresponsive, as it did 3 weeks ago when this all started. Anything I try to run either times out or gives me an error message: "The service did not respond to the start or control request in a timely fashion." I can open folders just fine. I can navigate my hard drive via Windows Explorer and look into all the folders, no problem.

I hope you still have some tricks up your sleeve. But I am really becoming distressed at this point.

#15 Elise


Posted 02 October 2010 - 03:46 AM

Hi, maybe it will help to free up some disk space; Windows needs 25 % of free space to function normally.

Quote:
Drive C: | 931.51 Gb Total Space | 26.94 Gb Free Space | 2.89% Space Free | Partition Type: NTFS


You can also try to disconnect/disable your printer and see if that makes a difference.

regards, Elise



