Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ARP Poison Attack


  • This topic is locked This topic is locked
16 replies to this topic

#1 Nephel

Nephel

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 08 July 2011 - 07:38 AM

Greetings,

I really need help please.. I started disconnecting from internet the other day.. 2 days ago. was happening a lot. 4-5 times in an hour. Never has the internet done this before, so I knew something was wrong. I first contacted cable no issues. I found in my router logs [Lan Access from Remote] uh oh. I had an issue and wasnt sure how to deal with it.

*edit* Oh yah.. Ran several virus scans.. AVG and Zonealarm, used Spybot, Malware removal and used bitdefender. Nothing popped up.

Could I really be over reacting or do I have an issue of someone capturing my interweb infos?
*/edit*

I acquired a new IP address.. reset my passwords and no more Lan access from remote logs.. Then comes the Dos Attack Fin Scan and Dos attack Smurf. I check my Firewall logs and they are going crazy every second!!

I am not sure what info I should relay in this post.. But have copy of info saved on computer... If someone could please assist me or direct me to someone who might be able to help.

Would a complete reinstall of windows work? I think I am at that point :(

Kind Regards
Nephel

Edited by Nephel, 08 July 2011 - 07:59 AM.


BC AdBot (Login to Remove)

 


#2 patndoris

patndoris

  • Security Colleague
  • 127 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maryland
  • Local time:09:37 AM

Posted 28 July 2011 - 02:51 PM

Hello and :welcome:

My name is patndoris. I will be glad to take a look at your log and help you with solving any malware problems. It will be very helpful if you follow these guidelines:
  • Malware logs are often lengthy and can take a lot of time to research and interpret. Please be patient while I review your logs.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Please make sure to carefully read any instruction that I give you. If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • Please follow my instructions carefully and in the order they are posted. You may also find it helpful to print out the instructions you receive.
  • Please do not run any scans or install/uninstall any applications or delete anything without being directed to do so.
  • Remember, absence of symptoms does not mean the infection is all gone. Please stick with me till you're given the "all clear".
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • Please reply within 3 days. If I do not hear back from you in that time frame, I will post a reminder for you. Topics with no reply in 4 days are closed!


I apologize for the long delay but we have had a considerable number of assistance requests lately.

If you are still having trouble with the internet dropping, and concerns with what is trying to get through your firewall, I'd like to have you do the following:


OTL Custom Scan

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under Custom Scan paste this in

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %PROGRAMFILES%\Internet Explorer\*.dat
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
  • You may need two posts to fit them both in.




Scan With RootKitUnHooker

  • Please choose one link and download Rootkit Unhooker and save it to your desktop.

    Link 1
    Link 2
    Link 3
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers and Stealth
  • Uncheck the rest. then click OK
  • When prompted to Select Disks for Scan, make sure C:/ is checked and click OK
  • Wait till the scanner has finished and then click File > Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in your next reply.

Note** you may get the following warning, just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

~Doris~

Proud Graduate of the WTT Classroom
Member of  UNITE

#3 patndoris

patndoris

  • Security Colleague
  • 127 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maryland
  • Local time:09:37 AM

Posted 02 August 2011 - 07:31 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
~Doris~

Proud Graduate of the WTT Classroom
Member of  UNITE

#4 patndoris

patndoris

  • Security Colleague
  • 127 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maryland
  • Local time:09:37 AM

Posted 02 August 2011 - 04:19 PM

This topic has been re-opened at the request of the person who originally posted.
~Doris~

Proud Graduate of the WTT Classroom
Member of  UNITE

#5 patndoris

patndoris

  • Security Colleague
  • 127 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maryland
  • Local time:09:37 AM

Posted 02 August 2011 - 04:19 PM

This topic has been re-opened at the request of the person who originally posted.
~Doris~

Proud Graduate of the WTT Classroom
Member of  UNITE

#6 Nephel

Nephel
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 02 August 2011 - 04:23 PM

OTL logfile created on: 8/2/2011 5:00:47 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Users\James\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.75 Gb Available Physical Memory | 68.87% Memory free
11.81 Gb Paging File | 10.43 Gb Available in Paging File | 88.31% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 139.73 Gb Total Space | 8.55 Gb Free Space | 6.12% Space Free | Partition Type: NTFS

Computer Name: NEPHEL | User Name: James | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\James\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\AVG\AVG PC Tuneup 2011\BoostSpeed.exe (AVG)
PRC - C:\Program Files (x86)\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files (x86)\AVG\AVG10\avgfws.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files (x86)\Razer\Naga\RazerNagaSysTray.exe (Razer USA Ltd)
PRC - C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe ()
PRC - C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files (x86)\AVG\AVG10\avgam.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files (x86)\EVGA Precision\Bundle\OSDServer\RTSS.exe ()
PRC - C:\Program Files (x86)\EVGA Precision\EVGAPrecision.exe ()
PRC - C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)


========== Modules (SafeList) ==========

MOD - C:\Users\James\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll (Microsoft Corporation)
MOD - C:\Program Files (x86)\EVGA Precision\Bundle\OSDServer\RTSSHooks.dll ()


========== Win32 Services (SafeList) ==========

SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (AVGIDSAgent) -- C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
SRV - (nvUpdatusService) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
SRV - (npggsvc) -- C:\Windows\SysWow64\GameMon.des (INCA Internet Co., Ltd.)
SRV - (Creative Audio Engine Licensing Service) -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe (Creative Labs)
SRV - (avgfws) -- C:\Program Files (x86)\AVG\AVG10\avgfws.exe (AVG Technologies CZ, s.r.o.)
SRV - (avgwd) -- C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (McComponentHostService) -- C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe (McAfee, Inc.)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (CTAudSvcService) -- C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe (Creative Technology Ltd)
SRV - (YahooAUService) -- C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)


========== Driver Services (SafeList) ==========

DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)
DRV:64bit: - (atksgt) -- C:\Windows\SysNative\drivers\atksgt.sys ()
DRV:64bit: - (lirsgt) -- C:\Windows\SysNative\drivers\lirsgt.sys ()
DRV:64bit: - (AVGIDSDriver) -- C:\Windows\SysNative\drivers\AVGIDSDriver.sys (AVG Technologies CZ, s.r.o. )
DRV:64bit: - (Avgtdia) -- C:\Windows\SysNative\drivers\avgtdia.sys (AVG Technologies CZ, s.r.o.)
DRV:64bit: - (Avgrkx64) -- C:\Windows\SysNative\drivers\avgrkx64.sys (AVG Technologies CZ, s.r.o.)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (Avgmfx64) -- C:\Windows\SysNative\drivers\avgmfx64.sys (AVG Technologies CZ, s.r.o.)
DRV:64bit: - (AVGIDSEH) -- C:\Windows\SysNative\drivers\AVGIDSEH.sys (AVG Technologies CZ, s.r.o. )
DRV:64bit: - (AVGIDSFilter) -- C:\Windows\SysNative\drivers\AVGIDSFilter.sys (AVG Technologies CZ, s.r.o. )
DRV:64bit: - (Avgldx64) -- C:\Windows\SysNative\drivers\avgldx64.sys (AVG Technologies CZ, s.r.o.)
DRV:64bit: - (RzSynapse) -- C:\Windows\SysNative\drivers\RzSynapse.sys (Razer USA Ltd)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV:64bit: - (pbfilter) -- C:\Program Files\PeerBlock\pbfilter.sys ()
DRV:64bit: - (Avgfwfd) -- C:\Windows\SysNative\drivers\avgfwd6a.sys (AVG Technologies CZ, s.r.o.)
DRV:64bit: - (yukonw7) -- C:\Windows\SysNative\drivers\yk62x64.sys ()
DRV:64bit: - (P17) -- C:\Windows\SysNative\drivers\P17.sys (Creative Technology Ltd.)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (Ntfs) -- C:\Windows\SysNative\wbem\ntfs.mof ()
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (hamachi) -- C:\Windows\SysNative\drivers\hamachi.sys (LogMeIn, Inc.)
DRV:64bit: - (BVRPMPR5a64) -- C:\Windows\SysNative\drivers\BVRPMPR5a64.SYS (Avanquest Software)
DRV:64bit: - (MTsensor) -- C:\Windows\SysNative\drivers\ASACPI.sys ()
DRV - (RTCore64) -- C:\Program Files (x86)\EVGA Precision\RTCore64.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?ocid=OIE9HP
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 5C 2E 66 B0 F6 38 CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:10.0.0.1209
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}:6.0.25


FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@fileplanet.com/fpdlm: C:\Program Files (x86)\Download Manager\npfpdlm.dll (IGN Entertainment)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.1.8: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files (x86)\AVG\AVG10\Firefox4\ [2011/07/12 10:57:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/06/26 05:44:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/05/12 18:18:02 | 000,000,000 | ---D | M]

[2011/03/11 05:30:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\James\AppData\Roaming\Mozilla\Extensions
[2011/07/29 06:15:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\4njngypd.default\extensions
[2011/07/29 06:15:41 | 000,000,000 | ---D | M] (BitDefender QuickScan) -- C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\4njngypd.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
[2011/05/04 22:29:05 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2011/05/04 22:29:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
File not found (No name found) --
[2011/07/12 10:57:11 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES (X86)\AVG\AVG10\FIREFOX4
[2011/06/26 05:44:48 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/05/04 22:29:00 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2011/05/12 18:18:01 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/07/12 10:04:26 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2:64bit: - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssiea.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Razer Naga Driver] C:\Program Files (x86)\Razer\Naga\RazerNagaSysTray.exe (Razer USA Ltd)
O4 - HKCU..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe (PeerBlock, LLC)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O18:64bit: - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgppa.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/03/10 09:40:59 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~2\AVG\AVG10\avgchsva.exe /sync) - C:\Program Files (x86)\AVG\AVG10\avgchsva.exe (AVG Technologies CZ, s.r.o.)
O34 - HKLM BootExecute: (C:\PROGRA~2\AVG\AVG10\avgrsa.exe /sync /restart) - C:\Program Files (x86)\AVG\AVG10\avgrsa.exe (AVG Technologies CZ, s.r.o.)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)

Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/08/02 16:55:07 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Users\James\Desktop\OTL.exe
[2011/07/31 19:08:56 | 000,000,000 | ---D | C] -- C:\$WINDOWS.~BT
[2011/07/30 16:04:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SQUARE ENIX
[2011/07/30 15:43:38 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SquareEnix
[2011/07/23 14:08:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Games for Windows Marketplace
[2011/07/22 17:32:28 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\microsoft
[2011/07/22 17:31:43 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\xlive
[2011/07/22 17:31:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Games for Windows - LIVE
[2011/07/22 17:31:16 | 001,942,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\D3DCompiler_39.dll
[2011/07/22 17:31:16 | 001,493,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\D3DCompiler_39.dll
[2011/07/22 17:31:16 | 000,540,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx10_39.dll
[2011/07/22 17:31:16 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx10_39.dll
[2011/07/22 17:31:15 | 004,992,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\D3DX9_39.dll
[2011/07/22 17:31:15 | 003,851,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\D3DX9_39.dll
[2011/07/13 11:31:40 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Local\Adobe
[2011/07/12 22:10:41 | 000,421,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\KernelBase.dll
[2011/07/12 22:10:41 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
[2011/07/12 22:10:41 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-security-base-l1-1-0.dll
[2011/07/12 22:10:41 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
[2011/07/12 22:10:41 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-file-l1-1-0.dll
[2011/07/12 22:10:41 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
[2011/07/12 22:10:41 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-threadpool-l1-1-0.dll
[2011/07/12 22:10:41 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
[2011/07/12 22:10:41 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll
[2011/07/12 22:10:41 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
[2011/07/12 22:10:41 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-sysinfo-l1-1-0.dll
[2011/07/12 22:10:41 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
[2011/07/12 22:10:41 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-synch-l1-1-0.dll
[2011/07/12 22:10:41 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
[2011/07/12 22:10:41 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
[2011/07/12 22:10:41 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localregistry-l1-1-0.dll
[2011/07/12 22:10:41 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
[2011/07/12 22:10:41 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localization-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-rtlsupport-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processenvironment-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-namedpipe-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-misc-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-memory-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-libraryloader-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-heap-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-xstate-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-util-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-string-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-profile-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-io-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-interlocked-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-handle-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-fibers-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-errorhandling-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-delayload-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-debug-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-datetime-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
[2011/07/12 22:10:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-console-l1-1-0.dll
[2011/07/12 22:10:38 | 000,325,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\usbport.sys
[2011/07/12 22:10:38 | 000,007,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\usbd.sys
[2011/07/12 22:10:27 | 002,565,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\esent.dll
[2011/07/12 22:10:27 | 001,699,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\esent.dll
[2011/07/12 22:10:27 | 000,189,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\storport.sys
[2011/07/12 22:10:27 | 000,107,904 | ---- | C] (Advanced Micro Devices) -- C:\Windows\SysNative\drivers\amdsata.sys
[2011/07/12 22:10:27 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\fsutil.exe
[2011/07/12 22:10:27 | 000,074,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\fsutil.exe
[2011/07/12 22:10:27 | 000,027,008 | ---- | C] (Advanced Micro Devices) -- C:\Windows\SysNative\drivers\amdxata.sys
[2011/07/12 22:10:25 | 001,162,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kernel32.dll
[2011/07/12 22:10:25 | 000,362,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64win.dll
[2011/07/12 22:10:25 | 000,338,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\conhost.exe
[2011/07/12 22:10:24 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64.dll
[2011/07/12 22:10:24 | 000,214,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll
[2011/07/12 22:10:24 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe
[2011/07/12 22:10:24 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntvdm64.dll
[2011/07/12 22:10:24 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll
[2011/07/12 22:10:24 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64cpu.dll
[2011/07/12 22:10:24 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe
[2011/07/12 22:10:24 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll
[2011/07/12 22:10:24 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe
[2011/07/12 11:17:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Marvell
[2011/07/12 11:01:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG PC Tuneup 2011
[2011/07/12 10:57:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG 2011
[2011/07/12 10:57:11 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\drivers\AVG
[2011/07/12 10:56:36 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\AVG
[2011/07/12 10:56:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AVG
[2011/07/12 10:06:59 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/07/12 10:04:30 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/07/12 09:58:44 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/07/12 08:59:12 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\appmgmt
[2011/07/11 00:03:04 | 000,000,000 | ---D | C] -- C:\Users\James\Documents\GSC
[2011/07/09 21:44:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PeerBlock
[2011/07/09 21:44:39 | 000,000,000 | ---D | C] -- C:\Program Files\PeerBlock
[2011/07/08 21:29:12 | 000,000,000 | RH-D | C] -- C:\Users\James\AppData\Roaming\SecuROM
[2011/07/08 21:13:23 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Local\My Games
[2011/07/08 21:12:39 | 000,499,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSVCP71.DLL
[2011/07/08 21:12:28 | 000,499,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\MSVCP71.DLL
[2011/07/08 21:10:37 | 000,348,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msvcr71.dll
[2011/07/08 21:10:25 | 000,348,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msvcr71.dll
[2011/07/08 21:01:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firaxis Games
[2011/07/08 21:01:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Firaxis Games
[2011/07/07 23:26:25 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Roaming\QuickScan
[2011/07/07 19:23:08 | 000,000,000 | -HSD | C] -- C:\Windows\SysNative\%APPDATA%
[2011/07/06 02:24:21 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Local\ElevatedDiagnostics
[2011/07/05 05:13:30 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Roaming\Malwarebytes
[2011/07/05 05:13:23 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2011/07/05 05:13:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/07/05 05:13:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/07/05 05:13:20 | 000,025,912 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2011/07/05 05:13:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2011/07/05 05:11:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2011/07/05 05:11:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2011/07/05 05:11:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2011/07/04 08:26:06 | 000,000,000 | ---D | C] -- C:\Users\James\Documents\EveHQ
[2011/07/04 08:26:05 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Roaming\EveHQ
[2011/07/03 22:41:16 | 000,035,840 | R--- | C] (Avanquest Software) -- C:\Windows\SysNative\drivers\BVRPMPR5a64.SYS
[2011/07/03 22:40:51 | 000,000,000 | ---D | C] -- C:\Netgear
[2011/07/03 21:31:39 | 000,055,384 | ---- | C] (Sunbelt Software) -- C:\Windows\SysNative\drivers\SBREDrv.sys
[2011/07/03 21:29:54 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\DRVSTORE
[2011/07/03 21:29:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/02 16:56:57 | 000,139,264 | ---- | M] () -- C:\Users\James\Desktop\RKUnhookerLE.EXE
[2011/08/02 16:55:08 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\James\Desktop\OTL.exe
[2011/08/02 16:24:21 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/08/02 15:53:00 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/08/02 15:53:00 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/08/02 15:48:58 | 000,659,282 | ---- | M] () -- C:\Windows\SysNative\drivers\AVG\iavifw.avm
[2011/08/02 15:45:50 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/08/02 15:45:40 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/08/02 15:45:28 | 3220,529,152 | -HS- | M] () -- C:\hiberfil.sys
[2011/08/02 05:08:04 | 126,555,711 | ---- | M] () -- C:\Windows\SysNative\drivers\AVG\incavi.avm
[2011/07/31 19:08:28 | 000,001,890 | ---- | M] () -- C:\Windows\diagwrn.xml
[2011/07/31 19:08:28 | 000,001,890 | ---- | M] () -- C:\Windows\diagerr.xml
[2011/07/27 15:01:30 | 000,779,142 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/07/27 15:01:30 | 000,660,226 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/07/27 15:01:30 | 000,121,154 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/07/26 20:11:19 | 000,155,482 | ---- | M] () -- C:\Windows\SysNative\drivers\AVG\iavichjg.avm
[2011/07/23 16:12:51 | 000,870,128 | ---- | M] () -- C:\Users\James\AppData\Roaming\mcs.rma
[2011/07/23 16:12:51 | 000,000,004 | ---- | M] () -- C:\Users\James\AppData\Roaming\F45C71
[2011/07/13 01:55:18 | 000,275,760 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/07/13 01:34:00 | 000,007,601 | ---- | M] () -- C:\Users\James\AppData\Local\Resmon.ResmonCfg
[2011/07/12 10:57:12 | 000,000,953 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2011.lnk
[2011/07/12 10:57:11 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\drivers\AVG\incavi.avm
[2011/07/12 10:57:11 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\drivers\AVG\iavifw.avm
[2011/07/12 10:57:11 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\drivers\AVG\iavichjw.avm
[2011/07/12 10:04:26 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2011/07/12 07:56:58 | 000,000,000 | ---- | M] () -- C:\Users\James\AppData\Local\prvlcl.dat
[2011/07/10 21:30:00 | 000,000,064 | ---- | M] () -- C:\Windows\SysWow64\rp_stats.dat
[2011/07/10 21:30:00 | 000,000,044 | ---- | M] () -- C:\Windows\SysWow64\rp_rules.dat
[2011/07/08 21:30:49 | 000,002,168 | ---- | M] () -- C:\Users\James\Desktop\Civ4BeyondSword.exe - Shortcut.lnk
[2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2011/07/06 19:52:42 | 000,025,912 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2011/07/05 05:34:33 | 000,435,542 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20110707-195124.backup
[2011/07/05 05:11:23 | 000,001,278 | ---- | M] () -- C:\Users\James\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/07/05 05:11:23 | 000,001,254 | ---- | M] () -- C:\Users\James\Desktop\Spybot - Search & Destroy.lnk
[2011/07/03 21:31:38 | 000,055,384 | ---- | M] (Sunbelt Software) -- C:\Windows\SysNative\drivers\SBREDrv.sys
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/02 16:56:56 | 000,139,264 | ---- | C] () -- C:\Users\James\Desktop\RKUnhookerLE.EXE
[2011/08/02 15:48:58 | 000,659,282 | ---- | C] () -- C:\Windows\SysNative\drivers\AVG\iavifw.avm
[2011/08/02 05:08:04 | 126,555,711 | ---- | C] () -- C:\Windows\SysNative\drivers\AVG\incavi.avm
[2011/07/31 19:08:26 | 000,001,890 | ---- | C] () -- C:\Windows\diagwrn.xml
[2011/07/31 19:08:26 | 000,001,890 | ---- | C] () -- C:\Windows\diagerr.xml
[2011/07/26 20:11:19 | 000,155,482 | ---- | C] () -- C:\Windows\SysNative\drivers\AVG\iavichjg.avm
[2011/07/23 14:08:20 | 000,001,338 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live ID.lnk
[2011/07/12 10:57:12 | 000,000,953 | ---- | C] () -- C:\Users\Public\Desktop\AVG 2011.lnk
[2011/07/12 10:57:11 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\drivers\AVG\incavi.avm
[2011/07/12 10:57:11 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\drivers\AVG\iavifw.avm
[2011/07/12 10:57:11 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\drivers\AVG\iavichjw.avm
[2011/07/10 04:24:35 | 000,000,064 | ---- | C] () -- C:\Windows\SysWow64\rp_stats.dat
[2011/07/10 04:24:35 | 000,000,044 | ---- | C] () -- C:\Windows\SysWow64\rp_rules.dat
[2011/07/08 21:30:49 | 000,002,168 | ---- | C] () -- C:\Users\James\Desktop\Civ4BeyondSword.exe - Shortcut.lnk
[2011/07/05 05:11:23 | 000,001,278 | ---- | C] () -- C:\Users\James\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/07/05 05:11:23 | 000,001,254 | ---- | C] () -- C:\Users\James\Desktop\Spybot - Search & Destroy.lnk
[2011/06/25 04:12:22 | 000,765,798 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/06/24 03:20:06 | 000,000,262 | ---- | C] () -- C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
[2011/06/06 01:48:24 | 000,000,023 | ---- | C] () -- C:\Windows\BlendSettings.ini
[2011/05/30 19:31:17 | 000,007,601 | ---- | C] () -- C:\Users\James\AppData\Local\Resmon.ResmonCfg
[2011/05/20 22:35:28 | 000,304,744 | ---- | C] () -- C:\Windows\SysWow64\nvStreaming.exe
[2011/04/14 01:30:47 | 000,000,000 | ---- | C] () -- C:\Users\James\AppData\Local\prvlcl.dat
[2011/04/09 18:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2011/04/02 23:47:47 | 000,870,128 | ---- | C] () -- C:\Users\James\AppData\Roaming\mcs.rma
[2011/04/02 23:47:47 | 000,000,004 | ---- | C] () -- C:\Users\James\AppData\Roaming\F45C71
[2011/03/11 05:25:13 | 000,148,480 | ---- | C] () -- C:\Windows\SysWow64\APOMngr.DLL
[2011/03/11 05:25:13 | 000,073,728 | ---- | C] () -- C:\Windows\SysWow64\CmdRtr.DLL
[2009/07/14 01:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 22:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/13 22:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/13 20:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2008/11/13 07:07:24 | 000,002,177 | ---- | C] () -- C:\Windows\P17EP.ini

========== LOP Check ==========

[2011/05/07 05:18:50 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\.minecraft
[2011/05/06 17:17:31 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\.Nitrous
[2011/07/12 11:16:33 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\AVG
[2011/03/12 00:22:34 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\AVG10
[2011/07/04 08:44:55 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\EveHQ
[2011/06/28 17:38:35 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\EVEMon
[2011/07/22 15:12:22 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\fotw
[2011/06/21 15:55:11 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\Perpetuum Planner
[2011/07/23 11:37:58 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\QuickScan
[2011/03/12 21:40:31 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\RIFT
[2011/06/06 04:17:34 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\RobotSoft
[2011/04/23 10:32:24 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\Stardock
[2011/03/25 04:39:47 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\The Creative Assembly
[2011/05/23 04:00:49 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\Ubisoft
[2011/07/19 11:04:12 | 000,032,622 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< >

< %SYSTEMDRIVE%\*.* >
[2011/07/12 05:33:55 | 000,006,268 | ---- | M] () -- C:\aaw7boot.log
[2011/03/10 09:40:59 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2011/03/10 09:36:55 | 000,000,213 | -H-- | M] () -- C:\Boot.BAK
[2011/03/11 08:12:09 | 000,000,357 | RHS- | M] () -- C:\Boot.ini.saved
[2010/11/20 08:40:07 | 000,383,786 | RHS- | M] () -- C:\bootmgr
[2011/03/11 08:12:10 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2011/07/12 10:06:58 | 000,015,275 | ---- | M] () -- C:\ComboFix.txt
[2011/03/10 09:40:59 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2011/03/11 05:51:45 | 000,203,316 | RHS- | M] () -- C:\grldr
[2011/08/02 15:45:28 | 3220,529,152 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/10 09:40:59 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2011/03/10 09:40:59 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2006/04/04 08:00:00 | 000,047,772 | RHS- | M] () -- C:\NTDETECT.COM
[2006/04/04 08:00:00 | 000,295,536 | RHS- | M] () -- C:\ntldr
[2011/08/02 15:45:28 | 4093,640,703 | -HS- | M] () -- C:\pagefile.sys
[2011/07/12 09:15:21 | 000,195,736 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_12.07.2011_09.07.57_log.txt
[2011/03/11 05:51:58 | 000,000,003 | RHS- | M] () -- C:\win7ldr

< %systemroot%\Fonts\*.com >
[2009/07/14 01:32:31 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2009/07/14 01:32:31 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2009/07/14 01:32:31 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2009/07/14 01:32:31 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009/06/10 16:49:50 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2009/07/14 00:54:24 | 000,000,174 | -HS- | M] () -- C:\Program Files (x86)\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2011/07/02 16:39:14 | 000,000,221 | -HS- | M] () -- C:\Users\James\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

< %USERPROFILE%\Desktop\*.exe >
[2011/08/02 16:55:08 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\James\Desktop\OTL.exe
[2011/08/02 16:56:57 | 000,139,264 | ---- | M] () -- C:\Users\James\Desktop\RKUnhookerLE.EXE

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

========== Alternate Data Streams ==========

@Alternate Data Stream - 188 bytes -> C:\ProgramData\TEMP:0B4227B4

< End of report >

OTL Extras logfile created on: 8/2/2011 5:00:47 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Users\James\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.75 Gb Available Physical Memory | 68.87% Memory free
11.81 Gb Paging File | 10.43 Gb Available in Paging File | 88.31% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 139.73 Gb Total Space | 8.55 Gb Free Space | 6.12% Space Free | Partition Type: NTFS

Computer Name: NEPHEL | User Name: James | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l File not found
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F /t (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F /t (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{015C5B35-B678-451C-9AEE-821E8D69621C}_is1" = PeerBlock 1.1 (r518)
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{9B48B0AC-C813-4174-9042-476A887592C7}" = Windows Live ID Sign-in Assistant
"{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 270.61
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 270.61
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.10.0514
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.1.34
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}" = Ventrilo Client for Windows x64
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{F991EC04-D713-466B-A70B-78D460AC85D8}" = AVG 2011
"{FA109F0F-122E-4D48-9DBF-14DC02EE85E4}" = AVG 2011
"AVG" = AVG 2011
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"WinRAR archiver" = WinRAR 4.00 (64-bit)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{13C1E98C-4434-4026-AADB-4A8A348B9402}" = ANNO 1404 Venedig Entwickler-Tools
"{15FA5ED6-2F98-4B5E-AF0B-18E5F4723FAD}_is1" = Cities In Motion
"{1CF028E5-705D-4B62-AC1D-A59593B7C0BB}" = Sid Meier's Civilization 4
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216025FF}" = Java™ 6 Update 25
"{34D52D01-C65D-4A29-99E0-E02030597B4F}_is1" = Cities In Motion - Patch 1.0.14
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CB0307C-565E-4441-86BE-0DF2E4FB828C}" = Microsoft Games for Windows Marketplace
"{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1" = AVG PC Tuneup 2011
"{5A336D74-E680-4986-96F4-E9CEBC784F56}" = Naga Firmware Updater 1.13
"{63860309-DA8A-4BAE-9EAE-CE1D6D79340C}" = The Settlers 7 - Paths to a Kingdom
"{68CE86BC-8CA1-4B4D-A1AC-50C95F8BBC8A}" = Dawn of Discovery - Gold Edition
"{6A09EC92-016B-4032-8CF1-6840B20C254A}" = Dawn of Discovery - Gold Edition
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{81E2D8D7-F104-4EB9-97A7-98996A611FF6}" = Sid Meier's Civilization 4 - Beyond the Sword
"{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A84BD759-4C74-4F66-9038-D51E90D19F47}" = Sid Meier's Civilization 4 - Warlords
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9F6CFB0-806D-11E0-8EA1-B8AC6F97B88E}" = Google Earth Plug-in
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B9DB4C76-01A4-46D5-8910-F7AA6376DBAF}" = NVIDIA PhysX
"{D7A0A22A-C132-4B6F-8D68-67B95117DE93}" = RIFT
"{EA450D5D-95EA-4FD0-B8B0-6D8E68FBE2C7}" = Impulse
"{ED4108A9-60FD-4F18-AF42-122219977773}" = Razer Naga
"{F2508213-9989-4E85-A078-72BE483917EF}" = Microsoft Games for Windows - LIVE Redistributable
"{F2C4E6E0-EB78-4824-A212-6DF6AF0E8E82}" = FINAL FANTASY XIV
"{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}" = Visual Studio 2008 x64 Redistributables
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AudioCS" = Creative Audio Control Panel
"Creative Software AutoUpdate" = Creative Software AutoUpdate
"Creative Sound Blaster Properties x64 Edition" = Creative Sound Blaster Properties x64 Edition
"Download Manager" = Download Manager 2.3.10
"EVE" = EVE Online (remove only)
"EVEMon" = EVEMon
"Galactic Civilizations II" = Galactic Civilizations II
"GalCiv II - Dark Avatar" = GalCiv II - Dark Avatar
"GalCiv II - Twilight of the Arnor" = GalCiv II - Twilight of the Arnor
"Impulse" = Impulse
"InstallShield_{D7A0A22A-C132-4B6F-8D68-67B95117DE93}" = RIFT
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"Marvell Miniport Driver" = Marvell Miniport Driver
"McAfee Security Scan" = McAfee Security Scan Plus
"Mozilla Firefox 5.0 (x86 en-US)" = Mozilla Firefox 5.0 (x86 en-US)
"Perpetuum" = Perpetuum
"Precision" = EVGA Precision 2.0.2
"Rhapsody" = Rhapsody
"Steam App 15680" = Warhammer® 40,000™: Dawn of War® II - Single Player Demo
"Steam App 34330" = Total War: SHOGUN 2
"Steam App 80200" = Fate of the World
"Steam App 8930" = Sid Meier's Civilization V
"Steam App 9440" = Warhammer 40,000: Dawn of War – Soulstorm Demo
"VLC media player" = VLC media player 1.1.8
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

#7 Nephel

Nephel
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 02 August 2011 - 04:27 PM

"attacks continue to this day.. mostly between 4pm and 10pm est every 10 min unable to connect to internet, probably DNS attack.. hvae logged several ip address port scanning my computer..


I have tried all three DL of the RootKitUnhooker and get the following error when trying to open it

Exception code : 0xC0000005
Instruction address : 0x00402EAA
Attempt to read at address : 0xFFFFFFFF

I must leave for work.. But do appreciate your time in helping me with my issue and Thank you for reopening my topic.

best Regards
Nephel

#8 patndoris

patndoris

  • Security Colleague
  • 127 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maryland
  • Local time:09:37 AM

Posted 02 August 2011 - 04:30 PM

Let me take a look at the logs. I see you have a 64-bit machine, so the rootkit scanners won't run. That's fine

I'll post back shortly with instructions.
~Doris~

Proud Graduate of the WTT Classroom
Member of  UNITE

#9 patndoris

patndoris

  • Security Colleague
  • 127 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maryland
  • Local time:09:37 AM

Posted 02 August 2011 - 04:54 PM

Well, I'm certainly not seeing any signs of malware from the OTL log. To be on the safe side, let's run a couple more scans, and clear a few things out that may be related to DNS and your router.


I see you have Malwarebytes already on your machine. Please run it by right-clicking and choosing Run as Administrator on the icon on the desktop.
  • Click on the tab labeled Update and then click on the button Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    Posted Image
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.


This scan make take awhile depending on how many items are on the computer. You may want to run it at a time you won't be needing the machine. It should be run from IE and I'd recommend not doing anything else while it's running.


http://www.eset.eu/online-scanner
Go here to run an online scannner from ESET.
Click the green ESET Online Scanner button.
Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
Click on the Start button next to it.
You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Insall ActiveX component.
A new window will appear asking "Do you want to install this software?"".
Answer Yes to download and install the ActiveX controls that allows the scan to run.
Click Start.
Uncheck Remove found threats.
Click Scan to begin.
If offered the option to get information or buy software. Just close the window.
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.








Copy and paste these lines in Notepad.

@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0


Save as flush.bat to your desktop. Right-click and choose Run as Administrator on the file.
The computer will reboot itself.


I would like to have you reset your router. Most routers have a reset pin hole on the back.

1. With the unit on, place an straightend paperclip into the hole on the back on the unit labeled Reset.
2. Hold the paperclip/reset down for 10 seconds and then release it.
3. The unit will reboot on its own.
4. As soon as the lights stop blinking, the unit is ready.
5. You may need to reinstall the router to regain your internet access.

Note: If you changed your password, it will be gone so refer to your user's guide for your router.

If you have not already done so after doing this, please go into your router's settings and change the default password to a stronger one.


Please post the Malwarebytes log as well as the ESET log and let me know how things are behaving at this point.
~Doris~

Proud Graduate of the WTT Classroom
Member of  UNITE

#10 Nephel

Nephel
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 03 August 2011 - 06:08 AM

Will not be able to test thoroughly until this weekend as I work third shift.. the time I am using the internet when I Get home from work the attacks are not happening. The attacks are usually from 3-4pm -9-10pm



ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=12
esets_scanner_update returned -1 esets_gle=12



Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7364

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

8/3/2011 6:04:07 AM
mbam-log-2011-08-03 (06-04-07).txt

Scan type: Quick scan
Objects scanned: 181744
Time elapsed: 1 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 patndoris

patndoris

  • Security Colleague
  • 127 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maryland
  • Local time:09:37 AM

Posted 03 August 2011 - 06:21 AM

It's fine if it's the weekend before you can let me know if there is improvement. I'll leave this open so you can post back and let me know.
~Doris~

Proud Graduate of the WTT Classroom
Member of  UNITE

#12 Nephel

Nephel
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 06 August 2011 - 04:48 PM

still happening

[DoS attack: STORM] attack packets in last 20 sec from ip [192.168.1.2], Saturday, Aug 06,2011 12:20:14
[DoS attack: STORM] attack packets in last 20 sec from ip [192.168.1.2], Saturday, Aug 06,2011 12:19:49

#13 patndoris

patndoris

  • Security Colleague
  • 127 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maryland
  • Local time:09:37 AM

Posted 06 August 2011 - 04:57 PM

Is your router password protected? And do you have any other computers/gaming consoles accessing your network besides the one you are using?
~Doris~

Proud Graduate of the WTT Classroom
Member of  UNITE

#14 Nephel

Nephel
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 06 August 2011 - 05:03 PM

Router is pw protected with a very lengthy alphanumeric pw.. but i am not sure if someone has captured the pw or not.. i have changed it recently

I have two computers on the router... and a ps3 but it is not online atm


I am getting these messages
DHCP IP: (192.168.1.5)] to MAC address 00:1F:3C:3F:89:82

I and the other computer is not on ip address 192.168.1.5

Edited by Nephel, 06 August 2011 - 05:07 PM.


#15 patndoris

patndoris

  • Security Colleague
  • 127 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maryland
  • Local time:09:37 AM

Posted 06 August 2011 - 05:16 PM

You should be able to see the attached devices from your router page to identify what device has that address.

I don't believe it is malware on your computer that is causing the problem as we are not seeing any evidence of such in the scans. I'm not an expert when it comes to routers, so I'd like to direct you to our Networking Forum to help you narrow down which of your devices is causing this and/or how to set the router to stop it.

Feel free to link whomever is helping you to this thread. If you are unable to get assistance there, please let me know.
~Doris~

Proud Graduate of the WTT Classroom
Member of  UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users