
BOTS | mwtype Gbot


10 replies to this topic

#1 Therefore


Posted 16 June 2011 - 08:28 PM

I received an email today from my Oregon State University net security folks:

--------------------------------------------------------------
We have received the following report indicating that your computer may possibly be infected with a computer virus. If you are unsure about the next step in making your computer safe to use please contact the computer help desk (osuhelpdesk@oregonstate.edu or 547 737-3474).

------------------------------------------------------------------------------------------------
IP Address | Time last seen | Type | Add. info
------------------------------------------------------------------------------------------------
128.193.8.91 | 2011-Jun-15 16:06:14 | BOTS | mwtype Gbot
------------------------------------------------------------------------------------------------
{'domain': 'public.oregonstate.edu', 'user_id': '', 'owning_unit': '', 'zone': 'zone.public', 'ip': '10.192.139.9', 'host': 'public-c75941c7a131d62651fddc4d976d7b9b-Wireless', 'mac': '00:02:6F:5A:3A:9D', 'other': 'kemperke', 'lastseen': 1308236006L, 'time': 1308153973.0, 'department': '', 'port': '58352'}

{'domain': 'public.oregonstate.edu', 'user_id': '', 'owning_unit': '', 'zone': 'zone.public', 'ip': '10.192.139.9', 'host': 'public-c75941c7a131d62651fddc4d976d7b9b-Wireless', 'mac': '00:02:6F:5A:3A:9D', 'other': 'kemperke', 'lastseen': 1308236006L, 'time': 1308153973.0, 'department': '', 'port': '49776'}
--
Kevin Ngo
Network Security
Oregon State University
-------------------------------------------------------------------------------------------------

I have wifi with a password. I had an infection earlier that was caught both by Malwarebytes & MSE on the 14th (one day before the reported date of the 15th in the email):

MSE reported:

Worm:Win32/Rebhib.A Severe 6/14/2011 8:27 A.M. Removed

file: server.exe

Malwarebytes reported:

Trojan.agent 6/14/2011 y:\temp\hosts.exe
Malware.trace 6/14/2011 y:\temp\xxxyyyzzz.dat

Both were quarantined.

Since the email indicates the bot from the 15th, I'm posting my DDS.txt & attach.txt here for analysis and advice.

Thanks for all your help!

--------------------------------------

.
DDS (Ver_2011-06-12.02) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Run by Therefore at 12:49:22 on 2011-06-16
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6135.1989 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

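An added example (not code from the original post or from OSU's reporting tools) showing how a responder can triage the report quoted above: it parses the table row and the Python-2-style record dicts, converts their epoch fields to UTC and checks whether the sighting postdates the local removals the poster listed. It assumes the table timestamp is UTC (it matches the record's epoch `time` within a second) and a -7 h local offset, as the DDS header reports.

```python
"""Triage helper for the bot report quoted above: an added example, not code
from the original post or from OSU's reporting system.

Parses the report table and the Python-2-style record dicts after it (the
``1308236006L`` long literal must lose its ``L`` before ast.literal_eval
accepts it), converts the epoch fields to UTC and checks whether the sighting
postdates the local anti-malware removals. Assumes the table time is UTC (it
matches the record's epoch ``time`` within a second) and a -7 h local offset,
as the DDS header reports ([GMT -7:00]).
"""
import ast
import re
from datetime import datetime, timedelta, timezone

# Sample input constructed from the quoted email, trimmed to the fields used.
REPORT = """\
IP Address | Time last seen | Type | Add. info
128.193.8.91 | 2011-Jun-15 16:06:14 | BOTS | mwtype Gbot
{'domain': 'public.oregonstate.edu', 'zone': 'zone.public', 'ip': '10.192.139.9', 'host': 'public-c75941c7a131d62651fddc4d976d7b9b-Wireless', 'mac': '00:02:6F:5A:3A:9D', 'lastseen': 1308236006L, 'time': 1308153973.0, 'port': '58352'}
{'domain': 'public.oregonstate.edu', 'zone': 'zone.public', 'ip': '10.192.139.9', 'host': 'public-c75941c7a131d62651fddc4d976d7b9b-Wireless', 'mac': '00:02:6F:5A:3A:9D', 'lastseen': 1308236006L, 'time': 1308153973.0, 'port': '49776'}
"""

LOCAL_TZ = timezone(timedelta(hours=-7))  # [GMT -7:00] from the DDS header

# Local removal events as the poster reported them (Malwarebytes gave dates only).
AV_EVENTS = [
    ("MSE", "Worm:Win32/Rebhib.A", "6/14/2011 8:27 A.M."),
    ("Malwarebytes", "Trojan.agent", "6/14/2011"),
    ("Malwarebytes", "Malware.trace", "6/14/2011"),
]


def parse_report(text):
    """Split the report into table rows (sightings) and NAT/DHCP record dicts."""
    sightings, records = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("{"):
            # Python 2 printed longs as 1308236006L; strip the suffix for Python 3.
            records.append(ast.literal_eval(re.sub(r"(\d+)L\b", r"\1", line)))
        elif "|" in line and not line.startswith("IP Address"):
            ip, seen, kind, info = (f.strip() for f in line.split("|"))
            when = datetime.strptime(seen, "%Y-%b-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            sightings.append({"ip": ip, "seen": when, "type": kind, "info": info})
    return sightings, records


def epoch_utc(value):
    """Epoch seconds (int or float) to an aware UTC datetime."""
    return datetime.fromtimestamp(float(value), tz=timezone.utc)


def parse_av_event(text, tz=LOCAL_TZ):
    """Parse '6/14/2011 8:27 A.M.' or a bare '6/14/2011' as local time.

    A date-only event is placed at the end of that local day, the latest the
    removal could have happened, so the comparison errs on the cautious side.
    """
    cleaned = text.replace(".", "").strip()  # 'A.M.' -> 'AM' so %p accepts it
    try:
        dt = datetime.strptime(cleaned, "%m/%d/%Y %I:%M %p")
    except ValueError:
        dt = datetime.strptime(cleaned, "%m/%d/%Y") + timedelta(hours=23, minutes=59, seconds=59)
    return dt.replace(tzinfo=tz)


def triage(report_text, av_events, tz=LOCAL_TZ):
    """Correlate each record with its table row and with the last local removal."""
    sightings, records = parse_report(report_text)
    last_removal = max(parse_av_event(when, tz) for _, _, when in av_events)
    results = []
    for rec in records:
        seen = epoch_utc(rec["time"])
        # The table row and the record's epoch should agree to within a few seconds.
        matched = any(abs((s["seen"] - seen).total_seconds()) < 5 for s in sightings)
        gap = seen - last_removal
        results.append({
            "host": rec["host"], "mac": rec["mac"], "nat_ip": rec["ip"], "port": rec["port"],
            "sighting_utc": seen, "lease_last_seen_utc": epoch_utc(rec["lastseen"]),
            "table_match": matched,
            "hours_after_last_removal": round(gap.total_seconds() / 3600, 1),
            "postdates_removal": gap > timedelta(0),
        })
    return results


if __name__ == "__main__":
    for r in triage(REPORT, AV_EVENTS):
        verdict = ("AFTER the last removal: cleanup was incomplete or the host was re-infected"
                   if r["postdates_removal"] else "before the last removal")
        print(f"{r['host']} {r['mac']} {r['nat_ip']}:{r['port']} seen "
              f"{r['sighting_utc']:%Y-%m-%d %H:%M:%S}Z, {r['hours_after_last_removal']} h {verdict}")
```

For the quoted report the sighting lands about nine hours after the latest possible removal time, which is the detail that justifies a fresh set of logs rather than assuming the 6/14 cleanup was the end of it.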


#2 etavares

  • Malware Response Team

Posted 26 June 2011 - 07:45 AM

Hello and welcome to Bleeping Computer

My name is etavares and I will be working with you to fix your computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting. If you will be unable to respond (e.g. vacation, travel, etc.), please let me know ahead of time.
  • Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • If you have already posted a log, please do so again as instructed below, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.


Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log. Thanks and again sorry for the delay.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
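The custom-scan directives above produce a long OTL report, and the reviewer's first job is to pick the handful of entries worth a closer look out of hundreds of benign ones. The Python script below is an added example, not part of this thread and not code from OTL's author; it runs a first triage pass over OTL-format lines. The regular expressions are written against the line shapes that appear in this thread (PRC/MOD/SRV/DRV entries, O4 Run keys, O1 Hosts lines, the O17 DhcpNameServer line); the resolver allowlist and the list of user-writable directories are assumptions chosen for the example; and the sample input mixes lines in the thread's format with two constructed lines (marked in the code) showing what a suspicious autostart looks like.

```python
"""Triage pass over OTL-format log lines (added example, not part of the OTL tool)."""
import re
from dataclasses import dataclass

# Line shapes seen in this thread. Everything else in the log is ignored.
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV)(?::64bit:)? - \[(?P<stamp>[^\]]*)\] "
    r"\((?P<company>[^)]*)\)(?: \[[^\]]*\])* -- (?P<path>.*?)(?: -- \((?P<svc>[^)]*)\))?$"
)
RUN_RE = re.compile(r"^O4(?::64bit:)? - (?P<key>.+?\\Run(?:Once)?): \[(?P<value>[^\]]*)\] (?P<target>.*)$")
TARGET_RE = re.compile(r"^(?P<path>.*?)(?: \((?P<company>[^)]*)\))?$")
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
DNS_RE = re.compile(r"^O17 - .*DhcpNameServer = (?P<servers>.+)$")

# Assumed for the example: directories an ordinary user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\$recycle.bin\\")
# Binaries that belong under %SystemRoot% (or System32/SysWOW64) and nowhere else.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe", "explorer.exe"}
SYSTEM_ROOT_RE = re.compile(r"^[a-z]:\\windows\\")
# Assumed allowlist for the O17 check: OpenDNS (as in this thread) and Google Public DNS.
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220", "8.8.8.8", "8.8.4.4"}
LOCAL_HOSTS = {"localhost", "localhost.localdomain", "broadcasthost"}


@dataclass(frozen=True)
class Finding:
    line: int    # 1-based line number in the log
    rule: str    # short rule id
    detail: str  # what was seen


def _check_binary(line_no, path, company, findings):
    """Rules shared by PRC/SRV/DRV entries and O4 Run targets."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if company is not None and company.strip() == "":
        findings.append(Finding(line_no, "no-company-name", path))
    if any(marker in low for marker in USER_WRITABLE):
        findings.append(Finding(line_no, "user-writable-path", path))
    if name in SYSTEM_NAMES and not SYSTEM_ROOT_RE.match(low):
        findings.append(Finding(line_no, "system-name-outside-windows", path))


def triage(log_text):
    """Return the Findings for an OTL log, in log order. Flags are review prompts, not verdicts."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.rstrip()
        m = ENTRY_RE.match(line)
        if m:
            _check_binary(line_no, m["path"], m["company"], findings)
            continue
        m = RUN_RE.match(line)
        if m:
            if m["target"] == "File not found":  # orphaned autostart: cleanup, not infection
                findings.append(Finding(line_no, "orphaned-run-key", f"{m['key']} [{m['value']}]"))
            else:
                t = TARGET_RE.match(m["target"])
                _check_binary(line_no, t["path"], t["company"], findings)
            continue
        m = HOSTS_RE.match(line)
        if m:
            if m["host"].lower() not in LOCAL_HOSTS:
                findings.append(Finding(line_no, "hosts-override", f"{m['host']} -> {m['ip']}"))
            continue
        m = DNS_RE.match(line)
        if m:
            for server in m["servers"].split():
                if server not in KNOWN_RESOLVERS:
                    findings.append(Finding(line_no, "unknown-dns-resolver", server))
    return findings


# Constructed sample in the OTL format used in this thread. Lines 9 and 10 are invented
# to show a suspicious entry (empty company, user-writable path, system binary name).
SAMPLE_LOG = r"""PRC - [2011/06/26 10:32:09 | 000,579,072 | ---- | M] (OldTimer Tools) -- Y:\Firefox downloads\OTL.exe
PRC - [2010/03/24 08:44:12 | 000,245,760 | ---- | M] () -- C:\My programs\utac\UTAC.exe
SRV:64bit: - [2011/03/24 04:24:58 | 000,095,976 | ---- | M] (SANDBOXIE L.T.D) [Auto | Running] -- C:\Program Files\Accessories\Sandboxie\SbieSvc.exe -- (SbieSvc)
DRV - [2007/02/07 11:27:46 | 000,014,104 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | Boot | Running] -- C:\Windows\SysWOW64\speedfan.sys -- (speedfan)
O4 - HKLM..\Run: [DriveSitter Pro] File not found
O4 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000..\Run: [TrueCrypt] C:\Program Files\Accessories\TrueCrypt\TrueCrypt.exe (TrueCrypt Foundation)
O1 - Hosts: 127.0.0.1 activate.adobe.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 208.67.220.220
PRC - [2011/06/20 03:12:44 | 000,081,920 | ---- | M] () -- C:\Users\someone\AppData\Roaming\svchost.exe
O4 - HKU\S-1-5-21-1111111111-2222222222-3333333333-1001..\Run: [svchost] C:\Users\someone\AppData\Roaming\svchost.exe ()
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line:>3}  {f.rule:<28} {f.detail}")
```

The output is a worklist, not a verdict: the thread's own log has several legitimate entries with an empty company field (UTAC, SABnzbd, OpenVPN), so a "no-company-name" hit means "verify this file", typically by hashing it and checking its signature or submitting it to a scanner, while a combination of hits on one path (unsigned, in a user-writable folder, carrying a Windows system binary's name) is what the helper is actually hunting for.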
 


#3 Therefore (Topic Starter, Members, 5 posts)

Posted 26 June 2011 - 12:50 PM

Thanks for the help!

I didn't create a GMER log because in the preparation guide it says, "Create a GMER Log (32-bit versions of Windows only)". Should I go ahead and create one even though I'm using Windows 7 Home Premium 64-bit?

I have my original Windows 7 DVD.

Here is my OTL log:

OTL logfile created on: 6/26/2011 10:33:18 AM - Run 1
OTL by OldTimer - Version 3.2.24.1 Folder = Y:\Firefox downloads
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

5.99 Gb Total Physical Memory | 2.22 Gb Available Physical Memory | 37.03% Memory free
11.98 Gb Paging File | 7.41 Gb Available in Paging File | 61.85% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 558.92 Gb Total Space | 215.56 Gb Free Space | 38.57% Space Free | Partition Type: NTFS
Drive D: | 1863.01 Gb Total Space | 308.22 Gb Free Space | 16.54% Space Free | Partition Type: NTFS
Drive E: | 1863.01 Gb Total Space | 100.90 Gb Free Space | 5.42% Space Free | Partition Type: NTFS
Drive J: | 931.51 Gb Total Space | 72.17 Gb Free Space | 7.75% Space Free | Partition Type: NTFS
Drive K: | 931.51 Gb Total Space | 259.41 Gb Free Space | 27.85% Space Free | Partition Type: NTFS
Drive L: | 1863.01 Gb Total Space | 1057.04 Gb Free Space | 56.74% Space Free | Partition Type: NTFS
Drive M: | 931.51 Gb Total Space | 423.85 Gb Free Space | 45.50% Space Free | Partition Type: NTFS
Drive N: | 1863.01 Gb Total Space | 376.81 Gb Free Space | 20.23% Space Free | Partition Type: NTFS
Drive O: | 4.36 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive S: | 244.05 Mb Total Space | 193.36 Mb Free Space | 79.23% Space Free | Partition Type: FAT
Drive T: | 7.45 Gb Total Space | 7.32 Gb Free Space | 98.17% Space Free | Partition Type: FAT32
Drive Y: | 100.00 Gb Total Space | 97.96 Gb Free Space | 97.96% Space Free | Partition Type: NTFS
Drive Z: | 2.00 Gb Total Space | 0.78 Gb Free Space | 38.77% Space Free | Partition Type: NTFS

Computer Name: COREI7 | User Name: Therefore | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/26 10:32:09 | 000,579,072 | ---- | M] (OldTimer Tools) -- Y:\Firefox downloads\OTL.exe
PRC - [2011/06/06 12:55:30 | 001,480,600 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe
PRC - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/05/03 13:37:02 | 000,355,432 | ---- | M] () -- C:\Program Files (x86)\Accessories\EVGA Precision\EVGAPrecision.exe
PRC - [2011/04/07 22:14:00 | 002,218,600 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
PRC - [2011/04/07 21:54:52 | 000,378,472 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2011/03/28 22:51:12 | 000,399,736 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files (x86)\internet tools\uTorrent\uTorrent.exe
PRC - [2011/03/03 11:16:33 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\internet tools\Mozilla Firefox\firefox.exe
PRC - [2011/01/02 23:46:52 | 001,496,528 | ---- | M] (TrueCrypt Foundation) -- C:\Program Files\Accessories\TrueCrypt\TrueCrypt.exe
PRC - [2011/01/01 22:19:56 | 003,975,088 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
PRC - [2010/12/07 12:51:22 | 004,584,856 | ---- | M] (Hyperionics Technology LLC) -- C:\Program Files (x86)\Accessories\HyperSnap 6\HprSnap6.exe
PRC - [2010/11/15 13:55:52 | 000,337,408 | ---- | M] () -- C:\Program Files (x86)\internet tools\SABnzbd\SABnzbd.exe
PRC - [2010/11/08 14:04:28 | 000,104,712 | ---- | M] () -- C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe
PRC - [2010/11/08 14:04:26 | 000,592,384 | ---- | M] () -- C:\Program Files (x86)\OpenVPN\bin\openvpn.exe
PRC - [2010/11/03 01:05:54 | 006,910,976 | ---- | M] (Pandora.TV) -- C:\Program Files (x86)\Video tools\The KMPlayer\KMPlayer.exe
PRC - [2010/09/08 03:21:06 | 000,390,736 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2010/09/08 03:19:12 | 005,479,424 | ---- | M] (Acronis) -- C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2010/08/31 22:18:24 | 002,941,984 | ---- | M] (Hagel Technologies Ltd.) -- C:\Program Files (x86)\internet tools\DU Meter\DUMeter.exe
PRC - [2010/08/31 21:26:04 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PRC - [2010/08/31 10:27:38 | 001,411,616 | ---- | M] (Hagel Technologies Ltd.) -- C:\Program Files (x86)\internet tools\DU Meter\DUMeterSvc.exe
PRC - [2010/08/26 03:18:34 | 000,075,048 | ---- | M] (cyberlink) -- C:\Program Files (x86)\Cyberlink\Shared files\brs.exe
PRC - [2010/06/01 10:17:48 | 005,252,408 | ---- | M] (Yahoo! Inc.) -- C:\Program Files (x86)\internet tools\Messenger\YahooMessenger.exe
PRC - [2010/03/24 08:44:12 | 000,245,760 | ---- | M] () -- C:\My programs\utac\UTAC.exe
PRC - [2010/03/01 01:23:35 | 008,319,560 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\internet tools\Thunderbird\thunderbird.exe
PRC - [2010/01/03 10:27:58 | 000,026,248 | ---- | M] () -- C:\Program Files (x86)\Accessories\Strokeit .97\strokeit.exe
PRC - [2009/11/22 18:54:18 | 003,673,488 | ---- | M] (Babylon Ltd.) -- C:\Program Files (x86)\Reference tools\Babylon\Babylon.exe
PRC - [2009/10/25 23:20:33 | 000,212,992 | ---- | M] () -- C:\Program Files (x86)\Video tools\The Maxifier\The Maxifier.exe
PRC - [2009/07/10 16:53:52 | 000,372,736 | ---- | M] (Orbiscom Ltd. All rights reserved.) -- C:\Program Files (x86)\Virtual Account Numbers\CitiVAN.exe
PRC - [2009/07/10 16:50:36 | 000,145,920 | ---- | M] (Orbiscom Ltd.) -- C:\Windows\SysWOW64\OBroker.exe
PRC - [2009/06/17 04:44:11 | 000,085,160 | ---- | M] (Elaborate Bytes AG) -- C:\Program Files (x86)\Accessories\VirtualCloneDrive\VCDDaemon.exe
PRC - [2009/06/04 20:03:32 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2009/06/04 20:03:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2009/03/12 18:18:48 | 000,602,624 | ---- | M] () -- C:\Program Files (x86)\Everything\Everything.exe


========== Modules (SafeList) ==========

MOD - [2011/06/26 10:32:09 | 000,579,072 | ---- | M] (OldTimer Tools) -- Y:\Firefox downloads\OTL.exe
MOD - [2010/08/20 22:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/03/24 04:24:58 | 000,095,976 | ---- | M] (SANDBOXIE L.T.D) [Auto | Running] -- C:\Program Files\Accessories\Sandboxie\SbieSvc.exe -- (SbieSvc)
SRV:64bit: - [2010/11/11 15:36:38 | 000,282,616 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2010/11/11 15:36:38 | 000,012,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2010/09/22 18:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2009/07/13 18:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/06/05 17:42:04 | 000,111,616 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\SysNative\AEADISRV.EXE -- (AEADIFilters)
SRV - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/04/07 22:14:00 | 002,218,600 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011/04/07 21:54:52 | 000,378,472 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2011/01/09 22:26:23 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/01/01 22:19:56 | 003,975,088 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
SRV - [2010/11/08 14:04:26 | 000,036,352 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files (x86)\OpenVPN\bin\openvpnserv.exe -- (OpenVPNService)
SRV - [2010/09/08 03:23:48 | 001,078,968 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2010/08/31 10:27:38 | 001,411,616 | ---- | M] (Hagel Technologies Ltd.) [Auto | Running] -- C:\Program Files (x86)\internet tools\DU Meter\DUMeterSvc.exe -- (DUMeterSvc)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2009/06/10 14:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/06/04 20:03:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2008/05/04 23:58:08 | 000,063,488 | ---- | M] (WR Consulting) [Auto | Running] -- C:\Program Files (x86)\Accessories\ZoneTick\timesync.exe -- (ZTime)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/03/24 04:24:54 | 000,148,072 | ---- | M] (SANDBOXIE L.T.D) [Kernel | On_Demand | Running] -- C:\Program Files\Accessories\Sandboxie\SbieDrv.sys -- (SbieDrv)
DRV:64bit: - [2011/02/08 13:23:56 | 000,066,552 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\mozy.sys -- (mozyFilter)
DRV:64bit: - [2011/01/02 23:46:54 | 000,230,352 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\truecrypt.sys -- (truecrypt)
DRV:64bit: - [2011/01/01 22:19:58 | 000,279,136 | ---- | M] (Acronis) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\afcdp.sys -- (afcdp)
DRV:64bit: - [2011/01/01 22:19:55 | 001,263,200 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\tdrpm273.sys -- (tdrpman273) Acronis Try&Decide and Restore Points filter (build 273)
DRV:64bit: - [2011/01/01 22:19:54 | 000,970,336 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\timntr.sys -- (timounter)
DRV:64bit: - [2011/01/01 22:19:51 | 000,277,088 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\snapman.sys -- (snapman)
DRV:64bit: - [2010/11/08 14:04:26 | 000,030,720 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tap0901.sys -- (tap0901)
DRV:64bit: - [2010/10/24 22:25:38 | 000,072,064 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2010/07/21 17:59:28 | 000,045,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\point64.sys -- (Point64)
DRV:64bit: - [2009/12/17 15:25:17 | 000,034,472 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV:64bit: - [2009/09/28 10:22:00 | 000,395,264 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\yk62x64.sys -- (yukonw7)
DRV:64bit: - [2009/08/13 23:10:18 | 000,073,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21)
DRV:64bit: - [2009/08/09 14:25:45 | 000,036,352 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VClone.sys -- (VClone)
DRV:64bit: - [2009/07/13 18:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 18:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 18:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 18:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 18:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 18:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 17:01:09 | 000,679,936 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xnacc.sys -- (xnacc)
DRV:64bit: - [2009/07/09 03:00:00 | 000,055,280 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2009/06/10 13:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 13:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 13:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 13:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 13:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/06/05 17:42:04 | 000,475,136 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV:64bit: - [2009/06/04 19:54:36 | 000,408,600 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2009/05/18 14:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/05/11 15:49:10 | 000,178,728 | ---- | M] (Marvell Semiconductor, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mv61xx.sys -- (mv61xx)
DRV:64bit: - [2009/03/02 15:12:18 | 000,011,576 | ---- | M] (Samsung Electronics) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\SSPORT.SYS -- (SSPORT)
DRV:64bit: - [2009/03/02 15:12:14 | 000,053,816 | ---- | M] (Samsung Electronics Co., Ltd.) [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\DGIVECP.SYS -- (DgiVecp)
DRV:64bit: - [2008/04/16 09:39:00 | 000,014,464 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\wdcsam.sys -- (WDC_SAM)
DRV:64bit: - [2005/03/29 02:30:38 | 000,008,192 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)
DRV - [2011/05/03 13:36:58 | 000,014,440 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Accessories\EVGA Precision\RTCore64.sys -- (RTCore64)
DRV - [2010/08/31 10:27:44 | 000,020,904 | ---- | M] (Hagel Technologies Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\internet tools\DU Meter\DUMetr64.sys -- (DUMeterDrv)
DRV - [2010/08/26 13:18:24 | 000,146,928 | ---- | M] (CyberLink Corp.) [2011/01/31 15:38:57] [Kernel | Auto | Running] -- C:\Program Files (x86)\Video tools\PowerDVD\PowerDVD10\NavFilter\000.fcl -- ({1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC})
DRV - [2008/07/26 23:30:36 | 000,014,544 | ---- | M] (OpenLibSys.org) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\System tools\Real Temp\WinRing0x64.sys -- (WinRing0_1_2_0)
DRV - [2007/02/07 11:27:46 | 000,014,104 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | Boot | Running] -- C:\Windows\SysWOW64\speedfan.sys -- (speedfan)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://hk.msn.com/?rd=1
IE - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 62 C1 C0 3F EA 1F CC 01 [binary data]
IE - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9}:6.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}: C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9} [2011/03/30 23:14:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\citius@orbiscom: C:\Program Files (x86)\Virtual Account Numbers [2011/05/23 20:59:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files (x86)\internet tools\Mozilla Firefox\components [2011/03/17 20:05:15 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files (x86)\internet tools\Mozilla Firefox\plugins [2011/06/17 23:44:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Sunbird 1.0b1\extensions\\Components: C:\Program Files (x86)\Accessories\Sunbird\components [2011/04/29 19:39:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Sunbird 1.0b1\extensions\\Plugins: C:\Program Files (x86)\Accessories\Sunbird\plugins
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files (x86)\internet tools\Thunderbird\components [2011/05/06 19:36:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files (x86)\internet tools\Thunderbird\plugins

[2011/06/17 20:37:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Therefore\AppData\Roaming\Mozilla\Extensions
[2011/05/05 23:42:20 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Therefore\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/04/29 19:39:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Therefore\AppData\Roaming\Mozilla\Extensions\{718e30fb-e89b-41dd-9da7-e25a45638b28}
[2011/06/17 20:37:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Therefore\AppData\Roaming\Mozilla\Extensions\postbox@postbox-inc.com
[2011/04/08 01:02:26 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Therefore\AppData\Roaming\Mozilla\Firefox\Profiles\3z39v4aa.default\extensions
[2011/05/03 14:09:52 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Therefore\AppData\Roaming\Mozilla\Sunbird\Profiles\dfuo9oiu.default\extensions
[2011/03/30 23:14:52 | 000,000,000 | ---D | M] (Adobe Contribute Toolbar) -- C:\PROGRAM FILES (X86)\ADOBE\ADOBE CONTRIBUTE CS5\PLUGINS\FIREFOXPLUGIN\{01A8CA0A-4C96-465B-A49B-65C46FAD54F9}
[2011/01/09 15:34:55 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES (X86)\INTERNET TOOLS\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/01/09 22:39:09 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES (X86)\INTERNET TOOLS\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/02/23 23:05:48 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES (X86)\INTERNET TOOLS\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

O1 HOSTS File: ([2011/03/30 19:02:13 | 000,000,611 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 ereg.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com
O1 - Hosts: 127.0.0.1 wip3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O1 - Hosts: 127.0.0.1 hl2rcv.adobe.com
O2:64bit: - BHO: (LastPass Browser Helper Object) - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\internet tools\LastPass\LPBar64.dll (LastPass)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll (Adobe Systems, Inc.)
O2 - BHO: (Virtual Account Numbers Helper) - {17424104-1444-4810-85D7-B4DA413C5A9A} - C:\Program Files (x86)\Virtual Account Numbers\CitiVANHelper.dll (Orbiscom Ltd. All rights reserved.)
O2 - BHO: (LastPass Browser Helper Object) - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\internet tools\LastPass\LPBar.dll (LastPass)
O2 - BHO: (Babylon IE plugin) - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - C:\Program Files (x86)\Reference tools\Babylon\Utils\BabylonIEPI.dll (Babylon Ltd.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\internet tools\Java\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3:64bit: - HKLM\..\Toolbar: (LastPass Toolbar) - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\internet tools\LastPass\LPBar64.dll (LastPass)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll (Adobe Systems, Inc.)
O3 - HKLM\..\Toolbar: (Virtual Account Numbers) - {7A21A046-B886-4A62-9D69-EF2059B0A27B} - C:\Program Files (x86)\Virtual Account Numbers\CitiVANToolbar.dll (Orbiscom Ltd. All rights reserved.)
O3 - HKLM\..\Toolbar: (LastPass Toolbar) - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\internet tools\LastPass\LPBar.dll (LastPass)
O3 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
O4:64bit: - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4:64bit: - HKLM..\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [SoundMAX] C:\Program Files (x86)\Analog Devices\SoundMAX\soundmax.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [Babylon Client] C:\Program Files (x86)\Reference tools\Babylon\Babylon.exe (Babylon Ltd.)
O4 - HKLM..\Run: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared files\brs.exe (cyberlink)
O4 - HKLM..\Run: [Citi Virtual Account Numbers] C:\Program Files (x86)\Virtual Account Numbers\CitiVAN.exe (Orbiscom Ltd. All rights reserved.)
O4 - HKLM..\Run: [DriveSitter Pro] File not found
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [VirtualCloneDrive] C:\Program Files (x86)\Accessories\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000..\Run: [DU Meter] C:\Program Files (x86)\internet tools\DU Meter\DUMeter.exe (Hagel Technologies Ltd.)
O4 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000..\Run: [Eraser] C:\Program Files\System tools\Eraser\Eraser.exe (The Eraser Project)
O4 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000..\Run: [SandboxieControl] C:\Program Files\Accessories\Sandboxie\SbieCtrl.exe (SANDBOXIE L.T.D)
O4 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000..\Run: [StrokeIt] C:\Program Files (x86)\Accessories\Strokeit .97\strokeit.exe ()
O4 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000..\Run: [The Maxifier] C:\Program Files (x86)\Video tools\The Maxifier\The Maxifier.exe ()
O4 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000..\Run: [TrueCrypt] C:\Program Files\Accessories\TrueCrypt\TrueCrypt.exe (TrueCrypt Foundation)
O4 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000..\Run: [ZoneTick] C:\Program Files (x86)\Accessories\ZoneTick\zonetick.exe (WR Consulting)
O4 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1006..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] File not found
O4 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1006..\RunOnce: [mctadmin] File not found
O4 - Startup: C:\Users\Therefore\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyperSnap 6.lnk = C:\Program Files (x86)\Accessories\HyperSnap 6\HprSnap6.exe (Hyperionics Technology LLC)
O4 - Startup: C:\Users\Therefore\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SABnzbd.lnk = C:\Program Files (x86)\internet tools\SABnzbd\SABnzbd.exe ()
O4 - Startup: C:\Users\Therefore\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task Manager.lnk = C:\Windows\SysWOW64\taskmgr.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Therefore\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UTAC.exe - Shortcut.lnk = C:\My programs\utac\UTAC.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O8:64bit: - Extra context menu item: Translate this web page with Babylon - C:\Program Files (x86)\Reference tools\Babylon\Utils\BabylonIEPI.dll (Babylon Ltd.)
O8:64bit: - Extra context menu item: Translate with Babylon - C:\Program Files (x86)\Reference tools\Babylon\Utils\BabylonIEPI.dll (Babylon Ltd.)
O8 - Extra context menu item: Translate this web page with Babylon - C:\Program Files (x86)\Reference tools\Babylon\Utils\BabylonIEPI.dll (Babylon Ltd.)
O8 - Extra context menu item: Translate with Babylon - C:\Program Files (x86)\Reference tools\Babylon\Utils\BabylonIEPI.dll (Babylon Ltd.)
O9:64bit: - Extra Button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\internet tools\LastPass\LPBar64.dll (LastPass)
O9 - Extra Button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\internet tools\LastPass\LPBar.dll (LastPass)
O9 - Extra Button: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files (x86)\Reference tools\Babylon\Utils\BabylonIEPI.dll (Babylon Ltd.)
O9 - Extra 'Tools' menuitem : Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files (x86)\Reference tools\Babylon\Utils\BabylonIEPI.dll (Babylon Ltd.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 208.67.220.220
O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/03/06 19:26:17 | 000,000,000 | RH-D | M] - E:\autorun -- [ NTFS ]
O32 - AutoRun File - [2002/10/16 05:56:50 | 000,000,036 | RH-- | M] () - E:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/07/09 18:33:44 | 000,000,000 | RH-D | M] - N:\autorun -- [ NTFS ]
O32 - AutoRun File - [2002/10/16 05:56:50 | 000,000,036 | RH-- | M] () - N:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{18cfc4eb-16f9-11e0-a662-00248c52e457}\Shell - "" = AutoRun
O33 - MountPoints2\{18cfc4eb-16f9-11e0-a662-00248c52e457}\Shell\AutoRun\command - "" = H:\AUTORUN.EXE
O33 - MountPoints2\{8e0ff7ab-512a-11e0-8c98-00248c52e457}\Shell - "" = AutoRun
O33 - MountPoints2\{8e0ff7ab-512a-11e0-8c98-00248c52e457}\Shell\AutoRun\command - "" = F:\autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


MsConfig:64bit - StartUpFolder: C:^Users^Therefore^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^iTunes.lnk - C:\Program Files (x86)\Music tools\iTunes\iTunes.exe - (Apple Inc.)
MsConfig:64bit - StartUpFolder: C:^Users^Therefore^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Mozilla Sunbird.lnk - C:\Program Files (x86)\Accessories\Sunbird\sunbird.exe - (Mozilla)
MsConfig:64bit - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig:64bit - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig:64bit - StartUpReg: AdobeAAMUpdater-1.0 - hkey= - key= - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
MsConfig:64bit - StartUpReg: AdobeCS5ServiceManager - hkey= - key= - C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
MsConfig:64bit - StartUpReg: eReminder TopBar - hkey= - key= - File not found
MsConfig:64bit - StartUpReg: Google Update - hkey= - key= - C:\Users\Therefore\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
MsConfig:64bit - StartUpReg: GrooveMonitor - hkey= - key= - C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
MsConfig:64bit - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files (x86)\Music tools\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig:64bit - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files (x86)\QuickTime\QTTask.exe (Apple Inc.)
MsConfig:64bit - StartUpReg: RemoteControl10 - hkey= - key= - C:\Program Files (x86)\Video tools\PowerDVD\PowerDVD10\PDVD10Serv.exe (CyberLink Corp.)
MsConfig:64bit - StartUpReg: SandboxieControl - hkey= - key= - C:\Program Files\Accessories\Sandboxie\SbieCtrl.exe (SANDBOXIE L.T.D)
MsConfig:64bit - StartUpReg: SwitchBoard - hkey= - key= - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
MsConfig:64bit - StartUpReg: uTorrent - hkey= - key= - C:\Program Files (x86)\internet tools\uTorrent\uTorrent.exe (BitTorrent, Inc.)
MsConfig:64bit - StartUpReg: Yahoo! Pager - hkey= - key= - C:\Program Files (x86)\internet tools\Messenger\YahooMessenger.exe (Yahoo! Inc.)
MsConfig:64bit - State: "startup" - Reg Error: Key error.
MsConfig:64bit - State: "services" - Reg Error: Key error.

Drivers32:64bit: aux - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: aux1 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midi - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midi1 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midimapper - midimap.dll (Microsoft Corporation)
Drivers32:64bit: mixer - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: mixer1 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: msacm.imaadpcm - imaadp32.acm (Microsoft Corporation)
Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32:64bit: msacm.msadpcm - msadp32.acm (Microsoft Corporation)
Drivers32:64bit: msacm.msg711 - msg711.acm (Microsoft Corporation)
Drivers32:64bit: msacm.msgsm610 - msgsm32.acm (Microsoft Corporation)
Drivers32:64bit: MSVideo8 - VfWWDM32.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.FFDS - ff_vfw.dll ()
Drivers32:64bit: VIDC.FPS1 - frapsv64.dll (Beepa P/L)
Drivers32:64bit: vidc.i420 - iyuv_32.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.IYUV - iyuv_32.dll (Microsoft Corporation)
Drivers32:64bit: vidc.mrle - msrle32.dll (Microsoft Corporation)
Drivers32:64bit: vidc.msvc - msvidc32.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.UYVY - msyuv.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.YUY2 - msyuv.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.YVU9 - tsbyuv.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.YVYU - msyuv.dll (Microsoft Corporation)
Drivers32:64bit: wave - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: wave1 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: wavemapper - msacm32.drv (Microsoft Corporation)
Drivers32: aux - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: aux1 - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: midi1 - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\Windows\SysWow64\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer1 - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.ac3acm - C:\Windows\SysWow64\ac3acm.acm (fccHandler)
Drivers32: msacm.imaadpcm - C:\Windows\SysWow64\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\Windows\SysWow64\lameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.msadpcm - C:\Windows\SysWow64\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\Windows\SysWow64\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\Windows\SysWow64\msgsm32.acm (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)
Drivers32: VIDC.FFDS - C:\Windows\SysWow64\ff_vfw.dll ()
Drivers32: VIDC.FPS1 - C:\Windows\SysWow64\frapsvid.dll (Beepa P/L)
Drivers32: vidc.i420 - i420vfw.dll File not found
Drivers32: vidc.iyuv - C:\Windows\SysWow64\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.mrle - C:\Windows\SysWow64\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\Windows\SysWow64\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\Windows\SysWow64\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.VP60 - C:\Windows\SysWOW64\vp6vfw.dll (On2.com)
Drivers32: vidc.VP61 - C:\Windows\SysWOW64\vp6vfw.dll (On2.com)
Drivers32: VIDC.XVID - C:\Windows\SysWow64\xvidvfw.dll ()
Drivers32: vidc.yuy2 - C:\Windows\SysWow64\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YV12 - C:\Windows\SysWow64\yv12vfw.dll (www.helixcommunity.org)
Drivers32: vidc.yvu9 - C:\Windows\SysWow64\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\Windows\SysWow64\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: wave1 - C:\Windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\Windows\SysWow64\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/06/24 13:21:39 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{5CA32382-4CA3-40D5-85C3-B34FE8269DEA}
[2011/06/19 01:20:20 | 000,066,552 | ---- | C] (Mozy, Inc.) -- C:\Windows\SysNative\drivers\mozy.sys
[2011/06/19 01:20:20 | 000,000,000 | --SD | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MozyHome
[2011/06/19 01:20:19 | 000,000,000 | ---D | C] -- C:\Program Files\MozyHome
[2011/06/19 01:18:19 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{F6C8432C-25BC-4DCA-A5B3-58C655DF3B0C}
[2011/06/17 20:36:38 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Roaming\Postbox
[2011/06/17 20:36:38 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\Postbox
[2011/06/17 19:28:52 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{8304750C-0B20-48B2-B9CC-A95B8E5029E1}
[2011/06/16 12:13:19 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/06/14 19:27:00 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{9C741EDA-B6CD-4BE3-BC28-BC99A1A3C4D4}
[2011/06/14 08:23:44 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2011/06/14 07:26:38 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{1931026D-B60D-4EAB-8255-C99A19668245}
[2011/06/04 07:19:19 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{2DBC1C08-0125-4518-9419-1EA69DAAD386}
[2011/06/02 20:49:35 | 000,000,000 | ---D | C] -- C:\Users\Therefore\Documents\Movie maker projects
[2011/06/02 19:59:03 | 000,000,000 | ---D | C] -- C:\Users\Therefore\Documents\Pinnacle VideoSpin
[2011/06/02 19:55:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Pinnacle
[2011/06/02 19:51:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Pando Networks
[2011/06/02 19:17:56 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{5A86DEFD-C5FC-4D02-9E96-54A3F28E6829}
[2011/06/01 19:17:22 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{E98CCB46-25B1-422E-A7A6-25197A72D7F7}
[2011/06/01 19:06:09 | 000,000,000 | ---D | C] -- C:\Windows\en
[2011/06/01 19:04:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
[2011/06/01 15:43:17 | 000,000,000 | ---D | C] -- C:\Users\Therefore\Documents\Gothic3 backup saves
[2011/05/31 22:03:57 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{D43059C9-B7AA-4FB4-820C-EC3B643E51C6}
[2011/05/31 10:03:32 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{4FE06B96-576C-4A56-A7BF-E401351465FC}

========== Files - Modified Within 30 Days ==========

[2011/06/26 10:24:00 | 000,000,924 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2726670456-4082904526-3747161708-1000UA.job
[2011/06/26 10:23:47 | 000,011,320 | ---- | M] () -- C:\Windows\mozy.blk
[2011/06/26 10:23:47 | 000,000,198 | ---- | M] () -- C:\Windows\mozy.flt
[2011/06/26 01:24:00 | 000,000,872 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2726670456-4082904526-3747161708-1000Core.job
[2011/06/25 16:14:02 | 000,062,464 | ---- | M] () -- C:\Users\Therefore\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/25 15:03:47 | 000,002,532 | ---- | M] () -- C:\Windows\Sandboxie.ini
[2011/06/24 09:16:00 | 000,013,440 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/06/24 09:16:00 | 000,013,440 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/06/24 09:08:26 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/06/24 09:07:27 | 529,854,463 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/19 23:41:49 | 000,851,274 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/06/19 23:41:49 | 000,711,292 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/06/19 23:41:49 | 000,139,874 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/06/19 13:40:52 | 000,001,445 | ---- | M] () -- C:\Users\Therefore\Desktop\Mozy Decrypt.lnk
[2011/06/19 01:20:20 | 000,000,932 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MozyHome Status.lnk
[2011/06/16 12:13:19 | 000,003,021 | ---- | M] () -- C:\Users\Therefore\Desktop\HiJackThis.lnk
[2011/06/14 08:34:50 | 000,001,251 | ---- | M] () -- C:\Users\Therefore\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/12 19:34:24 | 000,001,284 | ---- | M] () -- C:\Users\Therefore\Desktop\Windows Live Movie Maker.lnk
[2011/06/10 14:21:25 | 000,046,483 | ---- | M] () -- C:\Users\Therefore\Desktop\witcher ctrls.jpg
[2011/06/10 09:29:19 | 000,001,149 | ---- | M] () -- C:\Users\Therefore\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyperSnap 6.lnk
[2011/06/08 23:27:36 | 000,001,209 | ---- | M] () -- C:\Users\Therefore\Desktop\EVGA Precision.lnk
[2011/06/04 06:44:27 | 004,977,768 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/06/01 20:48:27 | 000,184,955 | ---- | M] () -- C:\Users\Therefore\Documents\Joseph Graduation 2011.wlmp

========== Files Created - No Company Name ==========

[2011/06/19 13:40:52 | 000,001,445 | ---- | C] () -- C:\Users\Therefore\Desktop\Mozy Decrypt.lnk
[2011/06/19 01:20:20 | 000,000,932 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MozyHome Status.lnk
[2011/06/17 23:44:46 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/16 12:13:19 | 000,003,021 | ---- | C] () -- C:\Users\Therefore\Desktop\HiJackThis.lnk
[2011/06/14 07:52:15 | 000,001,203 | ---- | C] () -- C:\Users\Therefore\Desktop\Maxifier.lnk
[2011/06/12 19:34:24 | 000,001,284 | ---- | C] () -- C:\Users\Therefore\Desktop\Windows Live Movie Maker.lnk
[2011/06/10 14:21:25 | 000,046,483 | ---- | C] () -- C:\Users\Therefore\Desktop\witcher ctrls.jpg
[2011/06/10 09:29:19 | 000,001,149 | ---- | C] () -- C:\Users\Therefore\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyperSnap 6.lnk
[2011/06/04 12:50:03 | 000,001,188 | ---- | C] () -- C:\Users\Therefore\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SABnzbd.lnk
[2011/06/01 20:48:27 | 000,184,955 | ---- | C] () -- C:\Users\Therefore\Documents\Joseph Graduation 2011.wlmp
[2011/06/01 19:05:44 | 000,001,284 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Movie Maker.lnk
[2011/06/01 19:05:04 | 000,001,353 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Photo Gallery.lnk
[2011/05/15 20:27:57 | 000,158,720 | ---- | C] () -- C:\Windows\SysWow64\WS_VideoConverterContextMenu.dll
[2011/02/17 21:40:55 | 000,484,352 | ---- | C] () -- C:\Windows\SysWow64\lame_enc.dll
[2011/02/04 16:52:03 | 000,007,599 | ---- | C] () -- C:\Users\Therefore\AppData\Local\Resmon.ResmonCfg
[2011/01/26 19:57:22 | 000,323,584 | ---- | C] () -- C:\Windows\SysWow64\FoxImager.dll
[2011/01/16 18:55:02 | 000,069,632 | R--- | C] () -- C:\Windows\SysWow64\xmltok.dll
[2011/01/16 18:55:02 | 000,036,864 | R--- | C] () -- C:\Windows\SysWow64\xmlparse.dll
[2011/01/04 01:35:22 | 000,165,376 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
[2011/01/04 01:35:21 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
[2011/01/04 01:35:19 | 000,810,496 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2011/01/04 01:35:19 | 000,183,808 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
[2011/01/04 01:35:19 | 000,080,896 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2011/01/03 16:29:50 | 000,002,532 | ---- | C] () -- C:\Windows\Sandboxie.ini
[2011/01/01 20:37:17 | 000,062,464 | ---- | C] () -- C:\Users\Therefore\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/01 18:14:19 | 000,864,020 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2009/07/13 22:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 19:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/13 19:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/13 17:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 14:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 14:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2005/04/07 19:16:43 | 000,063,125 | -H-- | C] () -- C:\Users\Therefore\AppData\Roaming\Thereforelog.dat

========== LOP Check ==========

[2011/01/01 20:30:53 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\ACD Systems
[2011/02/06 23:25:38 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\Acronis
[2011/04/12 19:44:47 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\Babylon
[2011/01/02 22:13:30 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\Big Fish Games
[2011/05/16 17:02:56 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\Bitcoin
[2011/04/17 16:42:44 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\Broken Sword 2.5
[2011/01/02 22:25:53 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\DAEMON Tools Lite
[2011/02/18 21:13:29 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\Digital Confidence
[2011/05/05 23:35:21 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\Efficient Calendar Free
[2011/05/07 19:40:59 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\EssentialPIM
[2011/02/17 21:41:14 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\FreeAudioPack
[2011/01/03 21:15:23 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\Games
[2011/01/31 16:56:20 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\ImgBurn
[2011/06/14 08:27:56 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\install
[2011/01/03 21:01:48 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\JAM Software
[2011/04/26 11:52:54 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\Mimo
[2011/02/21 19:00:41 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\MovieManager
[2011/01/26 20:22:33 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\NCH Swift Sound
[2011/04/21 23:41:09 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\Newsbin
[2011/05/05 22:40:13 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\Open Source Applications Foundation
[2011/01/01 20:25:10 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\Outertech
[2011/03/30 23:42:57 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\PACE Anti-Piracy
[2011/02/18 16:22:13 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\Peter Souza IV
[2011/06/17 20:36:38 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\Postbox
[2011/01/18 14:47:55 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\ProtectDisc
[2011/05/05 22:40:12 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\Python-Eggs
[2011/02/09 22:52:14 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\Silicondust
[2011/05/17 20:16:30 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
[2011/01/18 18:38:48 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\SystemRequirementsLab
[2011/06/24 09:09:10 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\TCB Networks
[2011/06/25 15:17:36 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\The First Templar
[2011/04/20 13:19:31 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\The Games Company
[2011/01/01 19:09:39 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\Thunderbird
[2011/06/24 09:09:10 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\TrueCrypt
[2011/05/14 13:44:51 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\TwoWorldsCP
[2011/02/11 03:55:48 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\Unzbin
[2011/06/26 10:30:17 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\uTorrent
[2011/05/05 20:39:17 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\Windows Live Writer
[2011/05/07 20:07:36 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\XemiComputers
[2011/03/05 20:55:58 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\YOUDONTKNOWJACK
[2011/01/02 12:44:09 | 000,000,000 | ---D | M] -- C:\Users\Therefore\AppData\Roaming\ZoneTick
[2009/07/13 22:08:49 | 000,021,720 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\system32\*.sys /90 >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %SYSTEMDRIVE%\*.* >
[2009/07/13 18:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr
[2011/01/01 16:00:48 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2011/06/24 09:07:27 | 529,854,463 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/24 09:08:27 | 2138,128,383 | -HS- | M] () -- C:\pagefile.sys
[2011/04/02 20:14:11 | 000,068,062 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_02.04.2011_20.13.27_log.txt
[2011/03/17 23:20:20 | 000,067,668 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_17.03.2011_23.14.38_log.txt
[2011/03/17 23:30:44 | 000,067,668 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_17.03.2011_23.28.56_log.txt
[2011/03/17 23:34:51 | 000,067,028 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_17.03.2011_23.34.27_log.txt
[2011/03/29 12:25:39 | 000,067,028 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_29.03.2011_12.25.09_log.txt
[2011/01/01 19:39:00 | 000,000,146 | ---- | M] () -- C:\YServer.txt

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

========== Alternate Data Streams ==========

@Alternate Data Stream - 188 bytes -> C:\ProgramData\TEMP:8E5EA40F
@Alternate Data Stream - 1315 bytes -> C:\Users\Therefore\AppData\Local\Temp:M7jguqyXqo4DsLeDV88MdHS4ZO9c

< End of report >

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 26 June 2011 - 01:34 PM

Hello, Therefore.

Not running GMER is fine since you have an x64 system. It is important to note that GBOT is a backdoor trojan.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.
P2P Warning and Request
The log shows that you have been using so called peer-to-peer or file-sharing programmes (in your case uTorrent). These programmes allow you to share files between users, as the name suggests. In today's world, cyber crime has come a long way and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with intense care. I recommend that you uninstall this program. That is optional, however. If you decide not to uninstall it, please refrain from using it until I let you know your computer is clean.


Step 1

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Step 2


Please update MBAM and run a Quick Scan. Please post the resulting log here.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#5 Therefore

Therefore
  • Topic Starter

  • Members
  • 5 posts

Posted 26 June 2011 - 01:48 PM

Thanks!

aswMBR.TXT:

aswMBR version 0.9.7.675 Copyright© 2011 AVAST Software
Run date: 2011-06-26 11:39:58
-----------------------------
11:39:58.859 OS Version: Windows x64 6.1.7600
11:39:58.859 Number of processors: 8 586 0x1A04
11:39:58.860 ComputerName: COREI7 UserName:
11:39:59.388 Initialize success
11:40:39.206 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2
11:40:39.209 Disk 0 Vendor: Intel___ 1.0. Size: 572331MB BusType: 8
11:40:39.212 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-0
11:40:39.214 Disk 1 Vendor: WDC_WD10 05.0 Size: 953869MB BusType: 8
11:40:39.218 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IAAStorageDevice-1
11:40:39.221 Disk 2 Vendor: Hitachi_ JP4O Size: 953869MB BusType: 8
11:40:39.224 Disk 3 \Device\Harddisk3\DR3 -> \Device\Scsi\mv61xx1Port1Path0Target0Lun0
11:40:39.228 Disk 3 Vendor: Hitachi_ Size: 1907729MB BusType: 8
11:40:39.645 Disk 4 \Device\Harddisk4\DR4 -> \Device\Sbp2\WD&My Book&0&0090a936_e3b24810_Instance00
11:40:39.648 Disk 4 Vendor: WD______ 1025 Size: 1907729MB BusType: 4
11:40:39.658 Disk 0 MBR read successfully
11:40:39.661 Disk 0 MBR scan
11:40:39.664 Disk 0 Windows 7 default MBR code
11:40:39.667 Service scanning
11:40:40.364 Disk 0 trace - called modules:
11:40:40.372 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
11:40:40.379 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007273060]
11:40:40.386 3 CLASSPNP.SYS[fffff88001c5143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-2[0xfffffa800636e050]
11:40:40.394 Scan finished successfully
11:41:23.712 Disk 0 MBR has been saved successfully to "C:\Temp\MBR.dat"
11:41:23.716 The log file has been saved successfully to "C:\Temp\aswMBR.txt"


MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6955

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

6/26/2011 11:47:24 AM
mbam-log-2011-06-26 (11-47-24).txt

Scan type: Quick scan
Objects scanned: 184909
Time elapsed: 1 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 26 June 2011 - 06:36 PM

Hello, Therefore.

The good news is that those are clean. We'll fix some orphaned registry entries, update Java and do one final antivirus scan to confirm. If this looks OK, it's likely it's already been caught and removed, and then we'll clean up. You may see some errors related to ERUNT once you install it. Those are normal for Windows 7; just ignore them. They will disappear when you uninstall it when we're done.



Step 1

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 25.
  • Save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version(s) shown below:
    Java 6 Update 24
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u25-windows-i586-s.exe to install the newest version.




Step 2

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.

The automatic part won't work with Vista or W7. Please backup manually using ERUNT with the following instructions:
  • Please locate the ERUNT icon on the desktop. If it is not there, click Start and type ERUNT into the search box.
  • Right click the ERUNT icon in the desktop or the Start menu, and select Run as Administrator
  • Click OK at the first message box.
  • Ensure the checkboxes for both "system registry" and "current user registry" are checked. Leave the default save location in there.
  • Click OK.
  • Click Yes to create the new folder.
  • You'll get a window saying "registry backup complete" once it's done. Click OK. If you get an error message, please STOP here and let me know. Do not proceed with any additional instructions until you check back with me.



Step 3

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

We need to run an OTL script
  • Please download OTL from one of the following mirrors if you do not still have it.
  • Save it to your desktop.
  • Double-click on the OTL icon on your desktop.
  • Paste the following code under the Custom Scans/Fixes box at the bottom.
    :OTL
    O3 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
    O4 - HKLM..\Run: [DriveSitter Pro] File not found
    MsConfig:64bit - StartUpReg: eReminder TopBar - hkey= - key= - File not found
    @Alternate Data Stream - 188 bytes -> C:\ProgramData\TEMP:8E5EA40F
    @Alternate Data Stream - 1315 bytes -> C:\Users\Therefore\AppData\Local\Temp:M7jguqyXqo4DsLeDV88MdHS4ZO9c
    :Commands
    [EmptyTemp]
    
  • Click the Run Fix button at the top.
  • Let the program run unhindered and reboot when it is done.
  • You will get a log when it is done, please post that in your reply.
  • Please then create a new OTL report:
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • A report will open, copy and paste it in a reply here.



Step 4

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double-click on the ESET Smart Installer icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
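As an added illustration of the triage behind step 3 above (this is example code written for this page, not code from the thread and not part of OTL or any OldTimer tool), the script below reads OTL-format log lines and sorts them into two buckets: entries that are safe to hand to OTL's fix box because they point at nothing (autoruns marked "File not found" / "No CLSID value found" and the alternate data streams on temp directories), and entries that need a human look first (hosts-file redirects and running code with an empty publisher field). It then emits the same `:OTL` / `:Commands` / `[EmptyTemp]` script shape the helper wrote by hand. The sample lines are copied from the OTL logs quoted in this thread; the classification rules, the `Triage` class and the function names are my own assumptions about how to mechanise what the helper did manually.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a few lines in OTL's log format, copied from the
# scan and fix logs quoted in this thread (assumed representative, not a full log).
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O3 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
O4 - HKLM..\Run: [DriveSitter Pro] File not found
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
MsConfig:64bit - StartUpReg: eReminder TopBar - hkey= - key= - File not found
@Alternate Data Stream - 188 bytes -> C:\ProgramData\TEMP:8E5EA40F
DRV - [2011/05/03 13:36:58 | 000,014,440 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Accessories\EVGA Precision\RTCore64.sys -- (RTCore64)
DRV:64bit: - [2011/01/02 23:46:54 | 000,230,352 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\truecrypt.sys -- (truecrypt)
"""

# Markers OTL prints when an autorun entry's target no longer exists.
ORPHAN_MARKERS = ("File not found", "No CLSID value found")
# Publisher field "(Company)" that follows the "[date | size | attrs | M]" block.
COMPANY_RE = re.compile(r"\] \(([^)]*)\)")
# First drive-letter path after " -- ", up to the trailing " -- (name)" or end of line.
PATH_RE = re.compile(r" -- ([A-Za-z]:\\.+?)(?: -- \(|$)")


@dataclass
class Triage:
    orphaned: list = field(default_factory=list)         # autoruns pointing at nothing: safe to delete
    ads: list = field(default_factory=list)              # alternate data streams in temp locations
    hosts_overrides: list = field(default_factory=list)  # hosts redirects: review, may be intentional
    no_publisher: list = field(default_factory=list)     # loaded code with no company name: review, not delete


def triage_otl(log_text: str) -> Triage:
    """Classify OTL log lines the way the helper did by hand in step 3 (my rule set, an assumption)."""
    t = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("@Alternate Data Stream"):
            t.ads.append(line)
        elif line.startswith("O1 - Hosts:"):
            t.hosts_overrides.append(line.split("Hosts:", 1)[1].strip())
        elif re.match(r"(O[34]|MsConfig)", line) and any(m in line for m in ORPHAN_MARKERS):
            t.orphaned.append(line)
        elif re.match(r"(PRC|SRV|DRV)(:64bit:)? - \[", line):
            company = COMPANY_RE.search(line)
            if company and not company.group(1).strip():
                path = PATH_RE.search(line)
                t.no_publisher.append(path.group(1) if path else line)
    return t


def build_otl_fix(t: Triage, empty_temp: bool = True) -> str:
    """Emit the :OTL / :Commands script shape OTL expects, from the deletable findings only."""
    lines = [":OTL", *t.orphaned, *t.ads]
    if empty_temp:
        lines += [":Commands", "[EmptyTemp]"]
    return "\n".join(lines)


if __name__ == "__main__":
    result = triage_otl(SAMPLE_LOG)
    for bucket in ("hosts_overrides", "no_publisher"):
        for item in getattr(result, bucket):
            print(f"REVIEW {bucket}: {item}")
    print(build_otl_fix(result))
```

The split between "delete" and "review" is the point: on this machine the hosts-file entries sending Adobe activation hosts to 127.0.0.1 and the publisher-less RTCore64.sys driver are both things the owner put there on purpose, and a script that auto-removed every oddity would have broken working software without touching the actual problem. OTL's own "No Company Name Whitelist" option exists for the same reason: it surfaces unsigned code for a person to judge, it does not remove it.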
 


#7 Therefore
Topic Starter

Posted 28 June 2011 - 03:37 PM

Thanks for all the help!

Custom OTL run:

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-2726670456-4082904526-3747161708-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{724D43A0-0D85-11D4-9908-00400523E39A} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{724D43A0-0D85-11D4-9908-00400523E39A}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\DriveSitter Pro deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\eReminder TopBar\ not found.
ADS C:\ProgramData\TEMP:8E5EA40F deleted successfully.
ADS C:\Users\Therefore\AppData\Local\Temp:M7jguqyXqo4DsLeDV88MdHS4ZO9c deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56502 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

User: Therefore
->Temp folder emptied: 54605783 bytes
->Temporary Internet Files folder emptied: 220740194 bytes
->Java cache emptied: 2920200 bytes
->FireFox cache emptied: 88468146 bytes
->Google Chrome cache emptied: 11417979 bytes
->Flash cache emptied: 1160857 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56502 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16496500 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 22210321856 bytes

Total Files Cleaned = 21,559.00 mb


OTL by OldTimer - Version 3.2.24.1 log created on 06272011_201451

Files\Folders moved on Reboot...
File\Folder C:\Users\Therefore\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{B06BA223-E6B5-47FA-9080-2F6C65BF0958}.tmp not found!
File\Folder C:\Users\Therefore\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3B8D14E9-E4BD-4465-A28D-8412F5177E37}.tmp not found!
File\Folder C:\Users\Therefore\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{65964883-8EA8-48A2-979C-AAEB67600536}.tmp not found!
File\Folder C:\Users\Therefore\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6A118FB1-4B36-4C6E-9307-5AD5629163A8}.tmp not found!
File\Folder C:\Users\Therefore\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9645FF3E-11F9-4B63-8DA6-5EEE08E1104F}.tmp not found!
File\Folder C:\Users\Therefore\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A7C7D1FC-A615-4B40-8B8E-BC0A6363777C}.tmp not found!
File\Folder C:\Users\Therefore\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FCBBBBD0-1FA3-4077-AE69-981E9BA6FF5B}.tmp not found!

Registry entries deleted on Reboot...

==========================
New OTL.TXT

OTL logfile created on: 6/27/2011 9:02:39 PM - Run 2
OTL by OldTimer - Version 3.2.24.1 Folder = Y:\Firefox downloads
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

5.99 Gb Total Physical Memory | 3.22 Gb Available Physical Memory | 53.68% Memory free
11.98 Gb Paging File | 8.79 Gb Available in Paging File | 73.38% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 558.92 Gb Total Space | 222.50 Gb Free Space | 39.81% Space Free | Partition Type: NTFS
Drive D: | 1863.01 Gb Total Space | 258.32 Gb Free Space | 13.87% Space Free | Partition Type: NTFS
Drive E: | 1863.01 Gb Total Space | 100.90 Gb Free Space | 5.42% Space Free | Partition Type: NTFS
Drive H: | 964.00 Mb Total Space | 889.21 Mb Free Space | 92.24% Space Free | Partition Type: FAT32
Drive J: | 931.51 Gb Total Space | 72.17 Gb Free Space | 7.75% Space Free | Partition Type: NTFS
Drive K: | 931.51 Gb Total Space | 258.41 Gb Free Space | 27.74% Space Free | Partition Type: NTFS
Drive L: | 1863.01 Gb Total Space | 1057.04 Gb Free Space | 56.74% Space Free | Partition Type: NTFS
Drive M: | 931.51 Gb Total Space | 423.85 Gb Free Space | 45.50% Space Free | Partition Type: NTFS
Drive N: | 1863.01 Gb Total Space | 374.35 Gb Free Space | 20.09% Space Free | Partition Type: NTFS
Drive S: | 244.05 Mb Total Space | 193.36 Mb Free Space | 79.23% Space Free | Partition Type: FAT
Drive T: | 7.45 Gb Total Space | 7.32 Gb Free Space | 98.17% Space Free | Partition Type: FAT32
Drive Y: | 100.00 Gb Total Space | 97.90 Gb Free Space | 97.90% Space Free | Partition Type: NTFS
Drive Z: | 2.00 Gb Total Space | 0.79 Gb Free Space | 39.30% Space Free | Partition Type: NTFS

Computer Name: COREI7 | User Name: Therefore | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/26 10:32:09 | 000,579,072 | ---- | M] (OldTimer Tools) -- Y:\Firefox downloads\OTL.exe
PRC - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/05/03 13:37:02 | 000,355,432 | ---- | M] () -- C:\Program Files (x86)\Accessories\EVGA Precision\EVGAPrecision.exe
PRC - [2011/04/07 22:14:00 | 002,218,600 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
PRC - [2011/04/07 21:54:52 | 000,378,472 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2011/03/28 22:51:12 | 000,399,736 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files (x86)\internet tools\uTorrent\uTorrent.exe
PRC - [2011/03/03 11:16:33 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\internet tools\Mozilla Firefox\firefox.exe
PRC - [2011/01/02 23:46:52 | 001,496,528 | ---- | M] (TrueCrypt Foundation) -- C:\Program Files\Accessories\TrueCrypt\TrueCrypt.exe
PRC - [2011/01/01 22:19:56 | 003,975,088 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
PRC - [2010/12/07 12:51:22 | 004,584,856 | ---- | M] (Hyperionics Technology LLC) -- C:\Program Files (x86)\Accessories\HyperSnap 6\HprSnap6.exe
PRC - [2010/11/15 13:55:52 | 000,337,408 | ---- | M] () -- C:\Program Files (x86)\internet tools\SABnzbd\SABnzbd.exe
PRC - [2010/11/08 14:04:28 | 000,104,712 | ---- | M] () -- C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe
PRC - [2010/11/08 14:04:26 | 000,592,384 | ---- | M] () -- C:\Program Files (x86)\OpenVPN\bin\openvpn.exe
PRC - [2010/09/08 03:21:06 | 000,390,736 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2010/09/08 03:19:12 | 005,479,424 | ---- | M] (Acronis) -- C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2010/08/31 22:18:24 | 002,941,984 | ---- | M] (Hagel Technologies Ltd.) -- C:\Program Files (x86)\internet tools\DU Meter\DUMeter.exe
PRC - [2010/08/31 10:27:38 | 001,411,616 | ---- | M] (Hagel Technologies Ltd.) -- C:\Program Files (x86)\internet tools\DU Meter\DUMeterSvc.exe
PRC - [2010/08/26 03:18:34 | 000,075,048 | ---- | M] (cyberlink) -- C:\Program Files (x86)\Cyberlink\Shared files\brs.exe
PRC - [2010/06/01 10:17:48 | 005,252,408 | ---- | M] (Yahoo! Inc.) -- C:\Program Files (x86)\internet tools\Messenger\YahooMessenger.exe
PRC - [2010/03/24 08:44:12 | 000,245,760 | ---- | M] () -- C:\My programs\utac\UTAC.exe
PRC - [2010/03/01 01:23:35 | 008,319,560 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\internet tools\Thunderbird\thunderbird.exe
PRC - [2010/01/03 10:27:58 | 000,026,248 | ---- | M] () -- C:\Program Files (x86)\Accessories\Strokeit .97\strokeit.exe
PRC - [2009/11/22 18:54:18 | 003,673,488 | ---- | M] (Babylon Ltd.) -- C:\Program Files (x86)\Reference tools\Babylon\Babylon.exe
PRC - [2009/10/25 23:20:33 | 000,212,992 | ---- | M] () -- C:\Program Files (x86)\Video tools\The Maxifier\The Maxifier.exe
PRC - [2009/07/10 16:53:52 | 000,372,736 | ---- | M] (Orbiscom Ltd. All rights reserved.) -- C:\Program Files (x86)\Virtual Account Numbers\CitiVAN.exe
PRC - [2009/07/10 16:50:36 | 000,145,920 | ---- | M] (Orbiscom Ltd.) -- C:\Windows\SysWOW64\OBroker.exe
PRC - [2009/06/17 04:44:11 | 000,085,160 | ---- | M] (Elaborate Bytes AG) -- C:\Program Files (x86)\Accessories\VirtualCloneDrive\VCDDaemon.exe
PRC - [2009/06/04 20:03:32 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2009/06/04 20:03:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2009/03/12 18:18:48 | 000,602,624 | ---- | M] () -- C:\Program Files (x86)\Everything\Everything.exe


========== Modules (SafeList) ==========

MOD - [2011/06/26 10:32:09 | 000,579,072 | ---- | M] (OldTimer Tools) -- Y:\Firefox downloads\OTL.exe
MOD - [2010/08/20 22:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/03/24 04:24:58 | 000,095,976 | ---- | M] (SANDBOXIE L.T.D) [Auto | Running] -- C:\Program Files\Accessories\Sandboxie\SbieSvc.exe -- (SbieSvc)
SRV:64bit: - [2010/11/11 15:36:38 | 000,282,616 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2010/11/11 15:36:38 | 000,012,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2010/09/22 18:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2009/07/13 18:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/06/05 17:42:04 | 000,111,616 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\SysNative\AEADISRV.EXE -- (AEADIFilters)
SRV - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/04/07 22:14:00 | 002,218,600 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011/04/07 21:54:52 | 000,378,472 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2011/01/09 22:26:23 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/01/01 22:19:56 | 003,975,088 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
SRV - [2010/11/08 14:04:26 | 000,036,352 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files (x86)\OpenVPN\bin\openvpnserv.exe -- (OpenVPNService)
SRV - [2010/09/08 03:23:48 | 001,078,968 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2010/08/31 10:27:38 | 001,411,616 | ---- | M] (Hagel Technologies Ltd.) [Auto | Running] -- C:\Program Files (x86)\internet tools\DU Meter\DUMeterSvc.exe -- (DUMeterSvc)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2009/06/10 14:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/06/04 20:03:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2008/05/04 23:58:08 | 000,063,488 | ---- | M] (WR Consulting) [Auto | Running] -- C:\Program Files (x86)\Accessories\ZoneTick\timesync.exe -- (ZTime)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/03/24 04:24:54 | 000,148,072 | ---- | M] (SANDBOXIE L.T.D) [Kernel | On_Demand | Running] -- C:\Program Files\Accessories\Sandboxie\SbieDrv.sys -- (SbieDrv)
DRV:64bit: - [2011/02/08 13:23:56 | 000,066,552 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\mozy.sys -- (mozyFilter)
DRV:64bit: - [2011/01/02 23:46:54 | 000,230,352 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\truecrypt.sys -- (truecrypt)
DRV:64bit: - [2011/01/01 22:19:58 | 000,279,136 | ---- | M] (Acronis) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\afcdp.sys -- (afcdp)
DRV:64bit: - [2011/01/01 22:19:55 | 001,263,200 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\tdrpm273.sys -- (tdrpman273) Acronis Try&Decide and Restore Points filter (build 273)
DRV:64bit: - [2011/01/01 22:19:54 | 000,970,336 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\timntr.sys -- (timounter)
DRV:64bit: - [2011/01/01 22:19:51 | 000,277,088 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\snapman.sys -- (snapman)
DRV:64bit: - [2010/11/08 14:04:26 | 000,030,720 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tap0901.sys -- (tap0901)
DRV:64bit: - [2010/10/24 22:25:38 | 000,072,064 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2010/07/21 17:59:28 | 000,045,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\point64.sys -- (Point64)
DRV:64bit: - [2009/12/17 15:25:17 | 000,034,472 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV:64bit: - [2009/09/28 10:22:00 | 000,395,264 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\yk62x64.sys -- (yukonw7)
DRV:64bit: - [2009/08/13 23:10:18 | 000,073,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21)
DRV:64bit: - [2009/08/09 14:25:45 | 000,036,352 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VClone.sys -- (VClone)
DRV:64bit: - [2009/07/13 18:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 18:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 18:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 18:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 18:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 18:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 17:01:09 | 000,679,936 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xnacc.sys -- (xnacc)
DRV:64bit: - [2009/07/09 03:00:00 | 000,055,280 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2009/06/10 13:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 13:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 13:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 13:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 13:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/06/05 17:42:04 | 000,475,136 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV:64bit: - [2009/06/04 19:54:36 | 000,408,600 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2009/05/18 14:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/05/11 15:49:10 | 000,178,728 | ---- | M] (Marvell Semiconductor, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mv61xx.sys -- (mv61xx)
DRV:64bit: - [2009/03/02 15:12:18 | 000,011,576 | ---- | M] (Samsung Electronics) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\SSPORT.SYS -- (SSPORT)
DRV:64bit: - [2009/03/02 15:12:14 | 000,053,816 | ---- | M] (Samsung Electronics Co., Ltd.) [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\DGIVECP.SYS -- (DgiVecp)
DRV:64bit: - [2008/04/16 09:39:00 | 000,014,464 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\wdcsam.sys -- (WDC_SAM)
DRV:64bit: - [2005/03/29 02:30:38 | 000,008,192 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)
DRV - [2011/05/03 13:36:58 | 000,014,440 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Accessories\EVGA Precision\RTCore64.sys -- (RTCore64)
DRV - [2010/08/31 10:27:44 | 000,020,904 | ---- | M] (Hagel Technologies Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\internet tools\DU Meter\DUMetr64.sys -- (DUMeterDrv)
DRV - [2010/08/26 13:18:24 | 000,146,928 | ---- | M] (CyberLink Corp.) [2011/01/31 15:38:57] [Kernel | Auto | Running] -- C:\Program Files (x86)\Video tools\PowerDVD\PowerDVD10\NavFilter\000.fcl -- ({1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC})
DRV - [2008/07/26 23:30:36 | 000,014,544 | ---- | M] (OpenLibSys.org) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\System tools\Real Temp\WinRing0x64.sys -- (WinRing0_1_2_0)
DRV - [2007/02/07 11:27:46 | 000,014,104 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | Boot | Running] -- C:\Windows\SysWOW64\speedfan.sys -- (speedfan)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://hk.msn.com/?rd=1
IE - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 62 C1 C0 3F EA 1F CC 01 [binary data]
IE - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9}:6.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}: C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9} [2011/03/30 23:14:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\citius@orbiscom: C:\Program Files (x86)\Virtual Account Numbers [2011/05/23 20:59:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files (x86)\internet tools\Mozilla Firefox\components [2011/03/17 20:05:15 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files (x86)\internet tools\Mozilla Firefox\plugins [2011/06/17 23:44:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Sunbird 1.0b1\extensions\\Components: C:\Program Files (x86)\Accessories\Sunbird\components [2011/04/29 19:39:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Sunbird 1.0b1\extensions\\Plugins: C:\Program Files (x86)\Accessories\Sunbird\plugins
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files (x86)\internet tools\Thunderbird\components [2011/05/06 19:36:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files (x86)\internet tools\Thunderbird\plugins

[2011/06/17 20:37:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Therefore\AppData\Roaming\Mozilla\Extensions
[2011/05/05 23:42:20 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Therefore\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/04/29 19:39:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Therefore\AppData\Roaming\Mozilla\Extensions\{718e30fb-e89b-41dd-9da7-e25a45638b28}
[2011/06/17 20:37:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Therefore\AppData\Roaming\Mozilla\Extensions\postbox@postbox-inc.com
[2011/04/08 01:02:26 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Therefore\AppData\Roaming\Mozilla\Firefox\Profiles\3z39v4aa.default\extensions
[2011/05/03 14:09:52 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Therefore\AppData\Roaming\Mozilla\Sunbird\Profiles\dfuo9oiu.default\extensions
[2011/03/30 23:14:52 | 000,000,000 | ---D | M] (Adobe Contribute Toolbar) -- C:\PROGRAM FILES (X86)\ADOBE\ADOBE CONTRIBUTE CS5\PLUGINS\FIREFOXPLUGIN\{01A8CA0A-4C96-465B-A49B-65C46FAD54F9}
[2011/01/09 15:34:55 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES (X86)\INTERNET TOOLS\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/01/09 22:39:09 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES (X86)\INTERNET TOOLS\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
File not found (No name found) -- C:\PROGRAM FILES (X86)\INTERNET TOOLS\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

O1 HOSTS File: ([2011/03/30 19:02:13 | 000,000,611 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 ereg.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com
O1 - Hosts: 127.0.0.1 wip3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O1 - Hosts: 127.0.0.1 hl2rcv.adobe.com
O2:64bit: - BHO: (LastPass Browser Helper Object) - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\internet tools\LastPass\LPBar64.dll (LastPass)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll (Adobe Systems, Inc.)
O2 - BHO: (Virtual Account Numbers Helper) - {17424104-1444-4810-85D7-B4DA413C5A9A} - C:\Program Files (x86)\Virtual Account Numbers\CitiVANHelper.dll (Orbiscom Ltd. All rights reserved.)
O2 - BHO: (LastPass Browser Helper Object) - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\internet tools\LastPass\LPBar.dll (LastPass)
O2 - BHO: (Babylon IE plugin) - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - C:\Program Files (x86)\Reference tools\Babylon\Utils\BabylonIEPI.dll (Babylon Ltd.)
O3:64bit: - HKLM\..\Toolbar: (LastPass Toolbar) - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\internet tools\LastPass\LPBar64.dll (LastPass)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll (Adobe Systems, Inc.)
O3 - HKLM\..\Toolbar: (Virtual Account Numbers) - {7A21A046-B886-4A62-9D69-EF2059B0A27B} - C:\Program Files (x86)\Virtual Account Numbers\CitiVANToolbar.dll (Orbiscom Ltd. All rights reserved.)
O3 - HKLM\..\Toolbar: (LastPass Toolbar) - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\internet tools\LastPass\LPBar.dll (LastPass)
O4:64bit: - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4:64bit: - HKLM..\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [SoundMAX] C:\Program Files (x86)\Analog Devices\SoundMAX\soundmax.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [Babylon Client] C:\Program Files (x86)\Reference tools\Babylon\Babylon.exe (Babylon Ltd.)
O4 - HKLM..\Run: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared files\brs.exe (cyberlink)
O4 - HKLM..\Run: [Citi Virtual Account Numbers] C:\Program Files (x86)\Virtual Account Numbers\CitiVAN.exe (Orbiscom Ltd. All rights reserved.)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [VirtualCloneDrive] C:\Program Files (x86)\Accessories\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000..\Run: [DU Meter] C:\Program Files (x86)\internet tools\DU Meter\DUMeter.exe (Hagel Technologies Ltd.)
O4 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000..\Run: [Eraser] C:\Program Files\System tools\Eraser\Eraser.exe (The Eraser Project)
O4 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000..\Run: [SandboxieControl] C:\Program Files\Accessories\Sandboxie\SbieCtrl.exe (SANDBOXIE L.T.D)
O4 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000..\Run: [StrokeIt] C:\Program Files (x86)\Accessories\Strokeit .97\strokeit.exe ()
O4 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000..\Run: [The Maxifier] C:\Program Files (x86)\Video tools\The Maxifier\The Maxifier.exe ()
O4 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000..\Run: [TrueCrypt] C:\Program Files\Accessories\TrueCrypt\TrueCrypt.exe (TrueCrypt Foundation)
O4 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1000..\Run: [ZoneTick] C:\Program Files (x86)\Accessories\ZoneTick\zonetick.exe (WR Consulting)
O4 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1006..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] File not found
O4 - HKU\S-1-5-21-2726670456-4082904526-3747161708-1006..\RunOnce: [mctadmin] File not found
O4 - Startup: C:\Users\Therefore\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyperSnap 6.lnk = C:\Program Files (x86)\Accessories\HyperSnap 6\HprSnap6.exe (Hyperionics Technology LLC)
O4 - Startup: C:\Users\Therefore\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SABnzbd.lnk = C:\Program Files (x86)\internet tools\SABnzbd\SABnzbd.exe ()
O4 - Startup: C:\Users\Therefore\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task Manager.lnk = C:\Windows\SysWOW64\taskmgr.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Therefore\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UTAC.exe - Shortcut.lnk = C:\My programs\utac\UTAC.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O8:64bit: - Extra context menu item: Translate this web page with Babylon - C:\Program Files (x86)\Reference tools\Babylon\Utils\BabylonIEPI.dll (Babylon Ltd.)
O8:64bit: - Extra context menu item: Translate with Babylon - C:\Program Files (x86)\Reference tools\Babylon\Utils\BabylonIEPI.dll (Babylon Ltd.)
O8 - Extra context menu item: Translate this web page with Babylon - C:\Program Files (x86)\Reference tools\Babylon\Utils\BabylonIEPI.dll (Babylon Ltd.)
O8 - Extra context menu item: Translate with Babylon - C:\Program Files (x86)\Reference tools\Babylon\Utils\BabylonIEPI.dll (Babylon Ltd.)
O9:64bit: - Extra Button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\internet tools\LastPass\LPBar64.dll (LastPass)
O9 - Extra Button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\internet tools\LastPass\LPBar.dll (LastPass)
O9 - Extra Button: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files (x86)\Reference tools\Babylon\Utils\BabylonIEPI.dll (Babylon Ltd.)
O9 - Extra 'Tools' menuitem : Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files (x86)\Reference tools\Babylon\Utils\BabylonIEPI.dll (Babylon Ltd.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 208.67.220.220
O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/03/06 19:26:17 | 000,000,000 | RH-D | M] - E:\autorun -- [ NTFS ]
O32 - AutoRun File - [2002/10/16 05:56:50 | 000,000,036 | RH-- | M] () - E:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/07/09 18:33:44 | 000,000,000 | RH-D | M] - N:\autorun -- [ NTFS ]
O32 - AutoRun File - [2002/10/16 05:56:50 | 000,000,036 | RH-- | M] () - N:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{18cfc4eb-16f9-11e0-a662-00248c52e457}\Shell - "" = AutoRun
O33 - MountPoints2\{18cfc4eb-16f9-11e0-a662-00248c52e457}\Shell\AutoRun\command - "" = H:\AUTORUN.EXE
O33 - MountPoints2\{8e0ff7ab-512a-11e0-8c98-00248c52e457}\Shell - "" = AutoRun
O33 - MountPoints2\{8e0ff7ab-512a-11e0-8c98-00248c52e457}\Shell\AutoRun\command - "" = F:\autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/27 20:11:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2011/06/27 20:10:55 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2011/06/27 20:10:55 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2011/06/27 20:10:55 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2011/06/27 20:10:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Java
[2011/06/27 13:23:54 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{05A41BB2-551C-4DF4-800D-A4ABE7615AC8}
[2011/06/24 13:21:39 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{5CA32382-4CA3-40D5-85C3-B34FE8269DEA}
[2011/06/19 01:20:20 | 000,066,552 | ---- | C] (Mozy, Inc.) -- C:\Windows\SysNative\drivers\mozy.sys
[2011/06/19 01:20:20 | 000,000,000 | --SD | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MozyHome
[2011/06/19 01:20:19 | 000,000,000 | ---D | C] -- C:\Program Files\MozyHome
[2011/06/19 01:18:19 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{F6C8432C-25BC-4DCA-A5B3-58C655DF3B0C}
[2011/06/17 20:36:38 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Roaming\Postbox
[2011/06/17 20:36:38 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\Postbox
[2011/06/17 19:28:52 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{8304750C-0B20-48B2-B9CC-A95B8E5029E1}
[2011/06/16 12:13:19 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/06/14 19:27:00 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{9C741EDA-B6CD-4BE3-BC28-BC99A1A3C4D4}
[2011/06/14 08:23:44 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2011/06/14 07:26:38 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{1931026D-B60D-4EAB-8255-C99A19668245}
[2011/06/04 07:19:19 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{2DBC1C08-0125-4518-9419-1EA69DAAD386}
[2011/06/02 20:49:35 | 000,000,000 | ---D | C] -- C:\Users\Therefore\Documents\Movie maker projects
[2011/06/02 19:59:03 | 000,000,000 | ---D | C] -- C:\Users\Therefore\Documents\Pinnacle VideoSpin
[2011/06/02 19:55:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Pinnacle
[2011/06/02 19:51:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Pando Networks
[2011/06/02 19:17:56 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{5A86DEFD-C5FC-4D02-9E96-54A3F28E6829}
[2011/06/01 19:17:22 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{E98CCB46-25B1-422E-A7A6-25197A72D7F7}
[2011/06/01 19:06:09 | 000,000,000 | ---D | C] -- C:\Windows\en
[2011/06/01 19:04:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
[2011/06/01 19:03:43 | 003,860,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\UIRibbon.dll
[2011/06/01 19:03:43 | 002,983,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\UIRibbon.dll
[2011/06/01 19:03:43 | 001,164,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\UIRibbonRes.dll
[2011/06/01 19:03:43 | 001,164,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\UIRibbonRes.dll
[2011/06/01 15:43:17 | 000,000,000 | ---D | C] -- C:\Users\Therefore\Documents\Gothic3 backup saves
[2011/05/31 22:03:57 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{D43059C9-B7AA-4FB4-820C-EC3B643E51C6}
[2011/05/31 10:03:32 | 000,000,000 | ---D | C] -- C:\Users\Therefore\AppData\Local\{4FE06B96-576C-4A56-A7BF-E401351465FC}

========== Files - Modified Within 30 Days ==========

[2011/06/27 20:34:30 | 000,013,440 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/06/27 20:34:30 | 000,013,440 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/06/27 20:26:58 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/06/27 20:25:43 | 529,854,463 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/27 20:10:51 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2011/06/27 20:10:50 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\deployJava1.dll
[2011/06/27 20:10:50 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2011/06/27 20:10:50 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2011/06/27 19:24:00 | 000,000,924 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2726670456-4082904526-3747161708-1000UA.job
[2011/06/27 17:07:45 | 000,065,024 | ---- | M] () -- C:\Users\Therefore\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/27 12:18:52 | 000,002,534 | ---- | M] () -- C:\Windows\Sandboxie.ini
[2011/06/27 10:29:59 | 000,011,320 | ---- | M] () -- C:\Windows\mozy.blk
[2011/06/27 10:29:59 | 000,000,198 | ---- | M] () -- C:\Windows\mozy.flt
[2011/06/27 10:24:27 | 000,851,274 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/06/27 10:24:27 | 000,711,292 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/06/27 10:24:27 | 000,139,874 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/06/27 01:24:00 | 000,000,872 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2726670456-4082904526-3747161708-1000Core.job
[2011/06/26 14:26:56 | 000,056,020 | ---- | M] () -- C:\Users\Therefore\Desktop\witcher ctrls.jpg
[2011/06/19 13:40:52 | 000,001,445 | ---- | M] () -- C:\Users\Therefore\Desktop\Mozy Decrypt.lnk
[2011/06/19 01:20:20 | 000,000,932 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MozyHome Status.lnk
[2011/06/16 12:13:19 | 000,003,021 | ---- | M] () -- C:\Users\Therefore\Desktop\HiJackThis.lnk
[2011/06/14 08:34:50 | 000,001,251 | ---- | M] () -- C:\Users\Therefore\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/12 19:34:24 | 000,001,284 | ---- | M] () -- C:\Users\Therefore\Desktop\Windows Live Movie Maker.lnk
[2011/06/10 09:29:19 | 000,001,149 | ---- | M] () -- C:\Users\Therefore\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyperSnap 6.lnk
[2011/06/08 23:27:36 | 000,001,209 | ---- | M] () -- C:\Users\Therefore\Desktop\EVGA Precision.lnk
[2011/06/04 06:44:27 | 004,977,768 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/06/01 20:48:27 | 000,184,955 | ---- | M] () -- C:\Users\Therefore\Documents\Joseph Graduation 2011.wlmp

========== Files Created - No Company Name ==========

[2011/06/19 13:40:52 | 000,001,445 | ---- | C] () -- C:\Users\Therefore\Desktop\Mozy Decrypt.lnk
[2011/06/19 01:20:20 | 000,000,932 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MozyHome Status.lnk
[2011/06/17 23:44:46 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/16 12:13:19 | 000,003,021 | ---- | C] () -- C:\Users\Therefore\Desktop\HiJackThis.lnk
[2011/06/14 07:52:15 | 000,001,203 | ---- | C] () -- C:\Users\Therefore\Desktop\Maxifier.lnk
[2011/06/12 19:34:24 | 000,001,284 | ---- | C] () -- C:\Users\Therefore\Desktop\Windows Live Movie Maker.lnk
[2011/06/10 14:21:25 | 000,056,020 | ---- | C] () -- C:\Users\Therefore\Desktop\witcher ctrls.jpg
[2011/06/10 09:29:19 | 000,001,149 | ---- | C] () -- C:\Users\Therefore\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyperSnap 6.lnk
[2011/06/04 12:50:03 | 000,001,188 | ---- | C] () -- C:\Users\Therefore\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SABnzbd.lnk
[2011/06/01 20:48:27 | 000,184,955 | ---- | C] () -- C:\Users\Therefore\Documents\Joseph Graduation 2011.wlmp
[2011/06/01 19:05:44 | 000,001,284 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Movie Maker.lnk
[2011/06/01 19:05:04 | 000,001,353 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Photo Gallery.lnk
[2011/05/15 20:27:57 | 000,158,720 | ---- | C] () -- C:\Windows\SysWow64\WS_VideoConverterContextMenu.dll
[2011/02/17 21:40:55 | 000,484,352 | ---- | C] () -- C:\Windows\SysWow64\lame_enc.dll
[2011/02/04 16:52:03 | 000,007,599 | ---- | C] () -- C:\Users\Therefore\AppData\Local\Resmon.ResmonCfg
[2011/01/26 19:57:22 | 000,323,584 | ---- | C] () -- C:\Windows\SysWow64\FoxImager.dll
[2011/01/16 18:55:02 | 000,069,632 | R--- | C] () -- C:\Windows\SysWow64\xmltok.dll
[2011/01/16 18:55:02 | 000,036,864 | R--- | C] () -- C:\Windows\SysWow64\xmlparse.dll
[2011/01/04 01:35:22 | 000,165,376 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
[2011/01/04 01:35:21 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
[2011/01/04 01:35:19 | 000,810,496 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2011/01/04 01:35:19 | 000,183,808 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
[2011/01/04 01:35:19 | 000,080,896 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2011/01/03 16:29:50 | 000,002,534 | ---- | C] () -- C:\Windows\Sandboxie.ini
[2011/01/01 20:37:17 | 000,065,024 | ---- | C] () -- C:\Users\Therefore\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/01 18:14:19 | 000,864,020 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2009/07/13 22:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 19:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/13 19:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/13 17:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 14:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 14:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2005/04/07 19:16:43 | 000,063,125 | -H-- | C] () -- C:\Users\Therefore\AppData\Roaming\Thereforelog.dat

< End of report >

The ESET scan came up clean. It took all night long to run.
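As an added triage example (not part of this thread and not code from the OTL tool): a small Python script that parses autorun lines in the O4/O32/O33 layout shown in the log above and flags the entries a reviewer would look at twice: autoruns with no company name, autoruns launching from user-writable folders, dangling entries whose file is missing, and removable-media AutoRun commands. The sample lines and the heuristics are constructed for illustration.

```python
"""Triage helper for OTL-style autorun entries (O4, O32, O33 sections).

Added example, not part of the original thread or of the OTL tool.  The
line layout follows the log above; sample values are invented, not real IoCs.
"""
import re
from typing import List, Tuple

# Constructed sample in OTL report layout (values invented for the example).
SAMPLE_LOG = """\
O4 - HKLM..\\Run: [MSC] C:\\Program Files\\Microsoft Security Client\\msseces.exe (Microsoft Corporation)
O4 - HKU\\S-1-5-21-1111111111-2222222222-3333333333-1000..\\Run: [StrokeIt] C:\\Program Files (x86)\\Accessories\\Strokeit .97\\strokeit.exe ()
O4 - HKU\\S-1-5-19..\\RunOnce: [mctadmin] File not found
O4 - HKU\\S-1-5-21-1111111111-2222222222-3333333333-1000..\\Run: [updater] C:\\Users\\Example\\AppData\\Roaming\\updater.exe ()
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\\{00000000-0000-0000-0000-000000000001}\\Shell\\AutoRun\\command - "" = H:\\AUTORUN.EXE
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\\Windows\\SysWow64\\explorer.exe (Microsoft Corporation)
"""

# O4 line: optional ":64bit:" tag, hive path ending in "..\Run" or "..\RunOnce",
# the value name in brackets, then either "<path> (<company>)" or "File not found".
O4_RE = re.compile(
    r"^O4(?::64bit:)? - (?P<hive>HK\S*?)\.\.\\(?P<key>Run|RunOnce): "
    r"\[(?P<name>[^\]]*)\] (?P<rest>.*)$"
)
# "<path> (<company>)": the company name is empty for unsigned/unknown binaries.
PATH_RE = re.compile(r"^(?P<path>.*?) \((?P<company>[^()]*)\)$")
# O33 MountPoints2 AutoRun command for a removable volume.
O33_CMD_RE = re.compile(
    r"^O33 - MountPoints2\\\{[^}]+\}\\Shell\\AutoRun\\command - \"\" = (?P<cmd>.+)$"
)
# Folders a standard user can write to; autoruns from here deserve a closer look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) why one OTL line merits review."""
    reasons: List[str] = []
    m = O4_RE.match(line)
    if m:
        rest = m.group("rest")
        if rest == "File not found":
            return [f"dangling autorun [{m.group('name')}]: target file missing"]
        pm = PATH_RE.match(rest)
        if not pm:
            return [f"unparsed autorun target [{m.group('name')}]: {rest}"]
        path, company = pm.group("path"), pm.group("company").strip()
        if not company:
            reasons.append("autorun with no company name (unsigned or unknown publisher)")
        if any(seg in path.lower() for seg in USER_WRITABLE):
            reasons.append("autorun launches from a user-writable folder")
        return reasons
    if line.startswith("O32 - HKLM CDRom: AutoRun - 1"):
        reasons.append("CD-ROM AutoRun is enabled")
    m = O33_CMD_RE.match(line)
    if m:
        reasons.append(f"removable-media AutoRun command: {m.group('cmd')}")
    return reasons


def triage_report(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over a whole report and keep only the flagged entries."""
    findings: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        reasons = triage_line(line.rstrip())
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for flagged, why in triage_report(SAMPLE_LOG):
        print(flagged)
        for r in why:
            print("   ->", r)
```

A flag is a prompt to look at the file (publisher, location, hash), not a verdict; legitimate software without an embedded company name, like the StrokeIt entry above, will show up too.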

#8 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 28 June 2011 - 08:55 PM

Hello, Therefore.

Yeah, while thorough, the online antivirus scans can take a long time if you have a lot of files. The good news is that you appear clean. Let's update Java to close a known security hole. Besides that, how is it running?

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 25.
  • Save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version(s) shown below:
    Java 6 Update 24
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u25-windows-i586-s.exe to install the newest version.


etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#9 Therefore (Topic Starter, Members, 5 posts)

Posted 28 June 2011 - 10:19 PM

I have already installed Java 6 Update 26. Is there something indicating that it didn't take? I've attached a screen print of my installed programs.

I figured ESET would take a while, particularly since it was going through archives -- I have lots and lots of storage.

Things are running great, thanks for all your invaluable help!




#10 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 29 June 2011 - 06:52 AM

Hello, Therefore.

Great...it was version 24 when it started, but the automatic update must have kicked in while we worked this. No action needed with Java then.




Ok, good news. Your log appears clean. Let's clean up our mess. If your computer is running well, please do the steps listed below. At the end, I've also listed a few completely optional things you can do to further secure your computer. Safe surfing!



Step 1

Next, we need to remove the other tools we have used.
  • Please download OTC by OldTimer and save it to your desktop
  • If that link doesn't work, try this one.
  • Double-click the OTC icon to start the program.
  • Then, click the big CleanUp! button.
  • You will get a prompt saying Begin Cleanup Process. Click Yes.
  • Restart your computer when prompted.



Step 2

We need to purge your system restore so malware is not accidentally restored. First, let's create a new restore point.
  • Go to Start and type in SystemPropertiesProtection and run that program.
  • Select the System Protection tab.
  • Press Create.
  • Give the restore point a name and press create.
  • You'll see it work, then say that it was created successfully.


Now, we need to remove the old, infected points using DiskCleanup.
  • Click on Start --> My Computer
  • Right-click on C: and select Properties.
  • Click on Disk Cleanup.
  • Double-click Files from all users on this computer.
  • Click on More Options tab and press Clean Up... under System Restore and Shadow Copies.
  • Click OK.
  • You'll get a couple of prompts asking if you're sure you want to do this; select Yes for them.
  • Disk cleanup will remove those restore points and close itself.

If you ran Defogger and disabled your emulator, please don't forget to run it again and reenable it. See the instructions here to do so.


Optional Items

Please take the time to read below to secure your machine and take the necessary steps to keep it that way.


System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance. If you are running Windows Vista or Windows 7, please right-click on the icon, and select "Run As Administrator"; otherwise it won't work.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware

Protect yourself from malicious sites

The HOSTS file can protect you from connecting to bad sites. See The Hosts File and what it can do for you for more background.

Please download HostsMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the downloaded installer and install the tool to a location of your choice
  • Via the Start menu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one (I have MVPS Hosts as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
      Posted Image
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Keep Windows Up to Date
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Update your AntiVirus Software

It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall

I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Install an AntiSpyware Program

A highly recommended AntiSpyware program is Malwarebytes Anti-Malware. You can download the free version.

Installing this program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Update all these programs regularly
Make sure you update all your programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. You can use Secunia PSI to keep track of necessary updates. It can run in the background and constantly monitor your software; although I just run it once a week manually. It will alert you when an update is available for a variety of software. It is very useful.

Follow this list and your potential for being infected again will reduce dramatically.

Good luck!

etavares




#11 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 03 July 2011 - 10:05 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

