Author Topic: I have Hidden Kernel Modules that don't look right  (Read 5967 times)

Offline Flim

  • Newbie
  • *
  • Posts: 29
  • Karma: +0/-0
    • View Profile
I have Hidden Kernel Modules that don't look right
« Reply #20 on: November 14, 2009, 09:52:36 PM »
I'm just making a TrueImage backup. Be about 30 min.

Offline Flim

I have Hidden Kernel Modules that don't look right
« Reply #21 on: November 14, 2009, 11:00:01 PM »
Not much here. The time stamp is current but I'm not sure it's right. There was just a short display of the command window and that's it. Should I have deleted the old log file first or does it matter?



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
I have Hidden Kernel Modules that don't look right
« Reply #22 on: November 14, 2009, 11:14:55 PM »
user & kernel MBR OK
That looks fine

Let's do the following
Can you exit out of Outpost Firewall, by right clicking its icon by the clock and choosing Exit

Then run the following:
Go to START>>RUN>>
Copy/paste the following command, then click OK

combofix /u

This will uninstall Combofix and its components

Next: If you still want to remove remnants of Sptd from Daemon tools
Right click on MyComputer icon and select Properties
Hardware>Device Manager>View>"Show Hidden devices"
Expand on "Non Plug and Play Drivers"
Look for sptd
right click on it and choose "Uninstall"

Follow the prompts and reboot when required
Back in Windows
download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    sptd.sys
    :regfind
    sptd
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Flim

I have Hidden Kernel Modules that don't look right
« Reply #23 on: November 14, 2009, 11:58:13 PM »
Before I get too far - I ran the combofix uninstall - it ran a full scan, produced a report and left the executable on the desktop. PEV.exe also crashed again.

When I went into device manager catchme was there with the yellow asterisk. Is this what you were expecting? I've stopped here for now.

Offline guestolo

I have Hidden Kernel Modules that don't look right
« Reply #24 on: November 15, 2009, 12:01:45 AM »
Quote
Before I get too far - I ran the combofix uninstall - it ran a full scan, produced a report and left the executable on the desktop. PEV.exe also crashed again.
Chances are Outpost is still interfering

Quote
When I went into device manager catchme was there with the yellow asterisk. Is this what you were expecting? I've stopped here for now.

You can right click on "catchme" in device manager and choose Uninstall
Don't reboot at the prompt
Then look for "sptd" and choose uninstall, follow the prompts and reboot when required
Then carry on with the rest of the instructions



Offline Flim

I have Hidden Kernel Modules that don't look right
« Reply #25 on: November 15, 2009, 12:41:59 AM »
SystemLook log is below. I'll try the combofix uninstall again.


SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 21:33 on 14/11/2009 by B4BD (Administrator - Elevation successful)

========== filefind ==========

Searching for "sptd.sys"
C:\WINDOWS\system32\drivers\sptd.sys    --a--- 717296 bytes    [14:35 16/01/2008]    [02:53 02/09/2008] (Unable to calculate MD5)

========== regfind ==========

Searching for "sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPTD]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPTD\0000\Control]
"ActiveService"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\sptd]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd]
"ImagePath"="System32\Drivers\sptd.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd]
"ImagePath"="System32\Drivers\sptd.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Enum]
"0"="Root\LEGACY_SPTD\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SPTD]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\sptd]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd]
"ImagePath"="System32\Drivers\sptd.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd]
"ImagePath"="System32\Drivers\sptd.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD\0000\Control]
"ActiveService"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\sptd]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd]
"ImagePath"="System32\Drivers\sptd.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd]
"ImagePath"="System32\Drivers\sptd.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Enum]
"0"="Root\LEGACY_SPTD\0000"

-=End Of File=-

Offline guestolo

I have Hidden Kernel Modules that don't look right
« Reply #26 on: November 15, 2009, 12:57:52 AM »
Double click on OTL.exe to run it
  • Under the Custom Scans/Fixes box at the bottom, copy/paste the following from the quote box below. Don't include the word Quote, please
    Quote
    :Processes
    explorer.exe
    :Files
    C:\WINDOWS\system32\drivers\sptd.sys
    :Reg
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPTD]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\sptd]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SPTD]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\sptd]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\sptd]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd]

    :Commands
    [EmptyTemp]
    [Start Explorer]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

On startup, Allow OTL to run if prompted
please post the log that OTL produces
A copy of this log can also be found in
C:\_OTL\Moved Files folder



Offline Flim

I have Hidden Kernel Modules that don't look right
« Reply #27 on: November 15, 2009, 02:28:05 AM »
Here's the OTL Log-


All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
C:\WINDOWS\system32\drivers\sptd.sys moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPTD\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\sptd\ deleted successfully.
Registry delete failed. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\ scheduled to be deleted on reboot.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SPTD\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\sptd\ deleted successfully.
Registry delete failed. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\ scheduled to be deleted on reboot.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\sptd\ not found.
Registry delete failed. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\ scheduled to be deleted on reboot.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: All Users
 
User: B4BD
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 376858 bytes
->Java cache emptied: 3441647 bytes
->FireFox cache emptied: 901644 bytes
->Google Chrome cache emptied: 43139149 bytes
->Opera cache emptied: 601678 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 65536 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes
->FireFox cache emptied: 13570837 bytes
 
User: MCX1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 59.25 mb
 
 
OTL by OldTimer - Version 3.1.4.0 log created on 11142009_231802

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\ deleted successfully.
Registry delete failed. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\ scheduled to be deleted on reboot.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\ not found.
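The SystemLook search in reply #22 and the OTL log just above both work through the same three places a legacy driver leaves traces: Services\<name>, Services\Eventlog\System\<name> and Enum\Root\LEGACY_<NAME> under each ControlSet; CurrentControlSet is only a symbolic link to the ControlSet00N named by HKLM\SYSTEM\Select\Current, which is why OTL reports its keys as "not found" once the same keys under ControlSet001 were removed. The PowerShell below is an added, read-only audit (not code from the thread, SystemLook or OTL) that reports such remnants for a driver name; it assumes Windows PowerShell 5.1 or later, and the function names are this example's own.

```powershell
# Added example: a read-only audit for remnants of a legacy (Non Plug and Play) driver such
# as sptd, covering the same places as the SystemLook :filefind / :regfind searches in this
# thread. Nothing is deleted; removal is left to the tools the helper prescribes.
# Assumes Windows PowerShell 5.1 or later; the function names are this example's own.

function Get-LegacyDriverRemnants {
    param([Parameter(Mandatory)][string]$ServiceName)

    $system = 'HKLM:\SYSTEM'

    # CurrentControlSet is a symbolic link to ControlSet00N, where N is Select\Current.
    # A key already deleted under that ControlSet therefore shows as "not found" when the
    # same path is tried again through CurrentControlSet, as in the OTL log above.
    $select  = Get-ItemProperty -LiteralPath "$system\Select"
    $current = 'ControlSet{0:D3}' -f $select.Current

    $controlSets = Get-ChildItem -LiteralPath $system -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'ControlSet*' }

    foreach ($cs in $controlSets) {
        $name = $cs.PSChildName
        $keys = @(
            "$system\$name\Services\$ServiceName"
            "$system\$name\Services\Eventlog\System\$ServiceName"
            "$system\$name\Enum\Root\LEGACY_$($ServiceName.ToUpperInvariant())"
        )
        foreach ($key in $keys) {
            if (-not (Test-Path -LiteralPath $key)) { continue }

            $props  = Get-ItemProperty -LiteralPath $key
            $image  = $props.ImagePath
            $onDisk = $null
            if ($image) {
                # Driver ImagePath values are usually relative to %SystemRoot% (as in the
                # log: System32\Drivers\sptd.sys) or carry the \SystemRoot\ or \??\ prefixes.
                $resolved = $image -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
                if ($resolved -notmatch '^[A-Za-z]:\\') { $resolved = Join-Path $env:SystemRoot $resolved }
                $onDisk = Test-Path -LiteralPath $resolved
            }

            [pscustomobject]@{
                ControlSet  = $name
                IsCurrent   = ($name -eq $current)
                Key         = $key
                Start       = $props.Start   # 0 = boot, 1 = system, 2 = automatic, 3 = manual, 4 = disabled
                ImagePath   = $image
                ImageOnDisk = $onDisk
            }
        }
    }
}

# :filefind equivalent for the drivers directory. Hashing is allowed to fail (SystemLook's
# "(Unable to calculate MD5)" above is the same situation) so the rest of the report still appears.
function Get-DriverFileInfo {
    param([Parameter(Mandatory)][string]$FileName)

    $path = Join-Path $env:SystemRoot "System32\drivers\$FileName"
    if (-not (Test-Path -LiteralPath $path)) { return $null }

    $item = Get-Item -LiteralPath $path
    try   { $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction Stop).Hash }
    catch { $hash = 'unreadable' }

    [pscustomobject]@{ Path = $path; Bytes = $item.Length; Modified = $item.LastWriteTime; SHA256 = $hash }
}

Get-DriverFileInfo -FileName 'sptd.sys' | Format-List
Get-LegacyDriverRemnants -ServiceName 'sptd' | Format-Table -AutoSize
```

A row with IsCurrent = True for a key that also exists under another ControlSet is the same physical key seen twice, so removing it once through either path clears both.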

Offline guestolo

I have Hidden Kernel Modules that don't look right
« Reply #28 on: November 15, 2009, 10:53:42 AM »
Quote
I wouldn't mind having a go. I don't like the way it interferes in Safe Mode and I think it may contribute to me not being able to get SP3 to work.

Can you get to safe mode?
Not sure what you mean about SP3, what is the problem?

I see this in your OTL.txt log
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

Possibly, you are controlling this not to run with some program installed
Can we remove it and get rid of it another way
Double click on OTL.exe to run it
  • Under the Custom Scans/Fixes box at the bottom, copy/paste the following from the quote box below. Don't include the word Quote, please
    Quote
    :Reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

  • Then click the Run Fix button at the top
On startup, Allow OTL to run if prompted

Afterwards, run a fresh scan with OTL and post its new log that opens



Offline Flim

I have Hidden Kernel Modules that don't look right
« Reply #29 on: November 15, 2009, 11:40:42 AM »
Quote
Can you get to safe mode?
Not sure what you mean about SP3, what is the problem?

Yes I can usually get to Safe Mode, but it always asked about loading sptd before we removed it. Haven't tried since yet.

Haven't ever been able to get SP3 to work. Tried numerous times and have had varying results, but the last few tries the install halts when it's trying to reload after the first restart and hangs at the driver loading. I try every few months to see if anything has changed.

I have been uninstalling a few apps to clean up the list of ones I don't use. I restarted so that I could follow your new instructions and when the desktop started to load, OTL loaded and halted the rest of the loading. I closed it without doing anything and everything carried on normally. Anything you want to run before we proceed?

I have to go out for a few hours. Will be back at it later.

Thanks for your help.

Offline guestolo

I have Hidden Kernel Modules that don't look right
« Reply #30 on: November 15, 2009, 11:43:05 AM »
On startup, Allow OTL to run if prompted

Are you saying you didn't follow that instruction?

Just run a fresh scan with OTL.exe and post its new log



Offline Flim

I have Hidden Kernel Modules that don't look right
« Reply #31 on: November 15, 2009, 03:58:12 PM »
Sorry for the confusion there guestolo. I was editing my response to add that the Safe Mode issue always seemed to occur with a freeze at loading of the sptd driver, and that's what was happening with SP3 the last few times, when you replied earlier and then I had to run out.

I didn't run the fix because I wasn't sure about the OTL situation. It had already booted after the last run and didn't request another run then so I wanted to check.

Anyway, here's the log from a fresh scan -

OTL logfile created on: 15/11/2009 12:43:51 PM - Run 3
OTL by OldTimer - Version 3.1.4.0     Folder = C:\Documents and Settings\B4BD\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy
 
2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 94.66 Gb Total Space | 32.21 Gb Free Space | 34.02% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 203.43 Gb Total Space | 24.25 Gb Free Space | 11.92% Space Free | Partition Type: NTFS
Drive F: | 230.85 Gb Total Space | 68.72 Gb Free Space | 29.77% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
Drive H: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive O: | 465.76 Gb Total Space | 211.62 Gb Free Space | 45.44% Space Free | Partition Type: NTFS
Drive P: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive Q: | 152.66 Gb Total Space | 101.93 Gb Free Space | 66.77% Space Free | Partition Type: NTFS
Drive R: | 931.51 Gb Total Space | 507.73 Gb Free Space | 54.51% Space Free | Partition Type: NTFS
Drive S: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive T: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive U: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive V: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive X: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive Y: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
 
Computer Name: BNMC01
Current User Name: B4BD
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan
 
========== Processes (SafeList) ==========
 
PRC - [2009/11/14 08:21:11 | 02,020,120 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2009/11/14 08:21:10 | 00,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/11/11 05:33:41 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/11/08 07:26:24 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\B4BD\Desktop\OTL.exe
PRC - [2009/10/18 09:48:30 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/10/18 09:48:30 | 00,502,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/10/18 09:48:28 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2009/10/18 09:48:28 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/10/18 09:48:28 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/10/18 09:48:27 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/09/23 16:41:30 | 01,270,080 | ---- | M] (Agnitum Ltd.) -- C:\Program Files\Agnitum\Outpost Firewall Pro\op_mon.exe
PRC - [2009/09/23 16:40:50 | 01,338,560 | ---- | M] (Agnitum Ltd.) -- C:\Program Files\Agnitum\Outpost Firewall Pro\acs.exe
PRC - [2009/08/31 11:25:16 | 00,623,960 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
PRC - [2009/07/25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/03/15 12:00:34 | 00,031,744 | ---- | M] (NirSoft) -- C:\AppsNoInstall\volumouse\volumouse.exe
PRC - [2009/03/12 11:53:46 | 00,483,422 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\sttray.exe
PRC - [2009/03/12 11:53:46 | 00,254,036 | ---- | M] (IDT, Inc.) -- c:\Program Files\IDT\IntelXPV_v103\WDM\stacsv.exe
PRC - [2008/10/30 23:00:00 | 00,266,752 | ---- | M] () -- C:\AppsNoInstall\notepad2\Notepad2.exe
PRC - [2007/10/30 19:51:44 | 00,492,720 | ---- | M] () -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
PRC - [2007/10/30 19:11:48 | 00,909,208 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
PRC - [2007/10/30 19:07:40 | 00,140,568 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2007/10/30 19:07:38 | 00,427,288 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2007/10/30 19:06:42 | 02,595,616 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2007/06/13 02:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/10/18 20:05:26 | 00,204,288 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
PRC - [2005/12/12 14:03:54 | 00,417,855 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
PRC - [2005/12/12 14:02:24 | 00,176,193 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
PRC - [2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
PRC - [2004/08/10 04:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2002/03/19 16:30:00 | 00,045,632 | ---- | M] () -- C:\WINDOWS\system32\TaskSwitch.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2009/11/08 07:26:24 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\B4BD\Desktop\OTL.exe
MOD - [2009/03/15 12:00:00 | 00,007,168 | ---- | M] (NirSoft) -- C:\AppsNoInstall\volumouse\vlmshlp.dll
MOD - [2006/08/25 08:45:56 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/10 04:00:00 | 00,185,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll
MOD - [2004/08/10 04:00:00 | 00,025,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mslbui.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - File not found --  -- (FirebirdServerMAGIXInstance)
SRV - [2009/10/18 09:48:28 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2009/10/18 09:48:27 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/09/23 16:40:50 | 01,338,560 | ---- | M] (Agnitum Ltd.) -- C:\Program Files\Agnitum\Outpost Firewall Pro\acs.exe -- (acssrv)
SRV - [2009/07/25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/04/19 20:03:33 | 00,069,632 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2009/03/26 05:19:12 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/03/12 11:53:46 | 00,254,036 | ---- | M] (IDT, Inc.) -- c:\Program Files\IDT\IntelXPV_v103\WDM\stacsv.exe -- (STacSV)
SRV - [2009/03/05 20:46:56 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c99e16a3dd4ece)
SRV - [2009/03/03 02:19:28 | 00,691,200 | ---- | M] (FileZilla Project) -- C:\Apps\FileZilla Server\FileZilla Server.exe -- (FileZilla Server)
SRV - [2008/12/23 07:35:20 | 00,117,264 | ---- | M] (CACE Technologies, Inc.) -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd)
SRV - [2008/09/01 11:53:13 | 00,380,536 | ---- | M] (Emsi Software GmbH) -- c:\program files\a-squared free\a2service.exe -- (a2free)
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/06/24 05:58:41 | 00,557,056 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2008/06/03 19:33:35 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/05/15 11:58:12 | 00,823,296 | ---- | M] (Hauppauge Computer Works) -- C:\Program Files\WinTV\HCWTVServer.exe -- (HauppaugeTVServer)
SRV - [2008/04/15 16:59:38 | 00,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)
SRV - [2007/10/30 19:51:44 | 00,492,720 | ---- | M] () -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe -- (TryAndDecideService)
SRV - [2007/10/30 19:07:38 | 00,427,288 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2007/10/25 14:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/10/18 10:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2007/09/10 23:45:04 | 00,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0)
SRV - [2007/02/27 20:53:58 | 00,020,480 | ---- | M] ( ) -- c:\Program Files\DVRMSToolbox\DVRMSFileWatcherService.exe -- (DVRMSFileWatcherService)
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2006/10/09 15:16:56 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehrecvr.exe -- (ehRecvr)
SRV - [2006/09/13 13:25:56 | 00,491,520 | ---- | M] (Locktime Software) -- C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe -- (nlsvc)
SRV - [2006/06/14 13:10:04 | 00,495,616 | ---- | M] ( ) -- C:\WINDOWS\System32\LMabcoms.exe -- (lmab_device)
SRV - [2005/12/12 14:02:24 | 00,176,193 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe -- (APC UPS Service)
SRV - [2005/10/20 19:55:50 | 00,096,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\McrdSvc.exe -- (McrdSvc)
SRV - [2005/10/20 19:55:40 | 00,028,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\RMSvc.exe -- (RMSvc)
SRV - [2005/09/07 18:18:34 | 00,049,336 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe -- (ehMonitor)
SRV - [2005/08/07 04:54:00 | 00,167,936 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe -- (RichVideo)
SRV - [2005/08/05 13:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehSched.exe -- (ehSched)
SRV - [2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/08/10 04:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2003/11/12 04:48:20 | 00,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =  [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/B4BD/Application%20Data/LastPass/iehome.html
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.selectedEngine: "Google"
 
FF - HKLM\software\mozilla\Firefox\Extensions\\{400F0BDB-6C49-43A4-BE1F-76D7327A604D}: C:\Program Files\Common Files\fluxDVD\Download Manager\Mozilla [2007/12/28 07:07:30 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/04 05:31:00 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/01/09 09:42:58 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2009/11/09 19:10:09 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/11 05:33:45 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/11 05:33:45 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/08/20 20:50:21 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2008/12/28 08:25:14 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\Mozilla Thunderbird
 
[2008/08/02 09:58:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Extensions
[2008/08/02 09:58:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2008/06/14 04:04:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2008/09/11 20:36:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Extensions\[email protected]
[2009/07/05 20:52:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Extensions\[email protected]
[2008/04/04 20:54:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Extensions\[email protected]
[2009/02/21 21:53:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\extensions
[2009/02/21 21:17:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\extensions\[email protected]
[2009/02/21 21:53:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\extensions
[2006/02/13 20:44:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\extensions\{0cdfdd5e-eea6-45ff-b035-81243cf02efb}
[2006/02/13 20:44:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\extensions\{3143B27B-F7DE-49d8-BF08-C2E4DEA71DBB}
[2006/02/13 20:42:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\extensions\{44851136-3425-48cc-a957-5a29b9396a5f}
[2006/02/13 20:44:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\extensions\{8803789a-23eb-44b4-bd48-6762fd320242}
[2006/02/01 19:52:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\extensions\{904524FC-3F89-11DA-8BDE-F66BAD1E3F3A}
[2006/02/01 19:53:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
[2006/02/13 20:45:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\extensions\{a81bafeb-b6ed-4501-aa17-15a2b3857e56}
[2009/02/21 21:17:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\extensions\[email protected]
[2009/11/15 06:39:01 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/11 05:33:40 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2007/04/18 18:21:48 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
[2007/08/14 19:39:39 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
[2007/10/11 07:13:45 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2009/01/08 11:42:34 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/01/09 09:43:12 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/03/28 05:24:09 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/10/08 19:31:08 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2009/11/11 05:33:40 | 00,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/11/11 05:33:40 | 00,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2007/04/10 16:21:08 | 00,163,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
[2007/08/07 13:35:32 | 00,049,152 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
[2007/03/02 05:17:24 | 00,095,200 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPAPIX.dll
[2009/07/25 04:23:01 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2007/07/26 15:03:34 | 00,717,312 | ---- | M] (DivX,Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
[2007/09/05 15:03:36 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
[2007/01/17 03:18:04 | 00,095,200 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPFluxBrowserHelper.dll
[2008/12/28 08:25:14 | 00,072,960 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2007/03/20 05:24:22 | 00,099,224 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPMPDRM.dll
[2009/11/11 05:33:42 | 00,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2007/03/22 18:23:30 | 00,017,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
[2004/12/14 01:19:18 | 00,057,344 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2005/04/06 23:52:20 | 00,139,305 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
[2007/09/12 18:36:23 | 00,151,552 | ---- | M] (PopCap Games) -- C:\Program Files\Mozilla Firefox\plugins\nppopcaploader.dll
[2007/06/14 05:07:26 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2007/06/14 05:07:26 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2007/06/14 05:07:26 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2007/06/14 05:07:26 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2007/06/14 05:07:26 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2005/04/06 23:39:02 | 00,081,967 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
[2007/03/09 10:35:00 | 00,365,056 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npupd62.dll
[2006/02/23 07:16:00 | 00,034,048 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\upd62i9x.dll
[2006/02/23 07:16:00 | 00,045,056 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\upd62int.dll
[2009/06/16 23:35:40 | 00,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/06/16 23:35:40 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/06/16 23:35:40 | 00,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/06/16 23:35:40 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/06/16 23:35:40 | 00,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/06/16 23:35:40 | 00,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/06/16 23:35:40 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/06/16 23:35:40 | 00,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml
 
O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (LastPass Browser Helper Object) - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Documents and Settings\B4BD\Application Data\LastPass\LPBar.dll ()
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (LastPass Toolbar) - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Documents and Settings\B4BD\Application Data\LastPass\LPBar.dll ()
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [CoolSwitch] C:\WINDOWS\system32\TaskSwitch.exe ()
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe (Agnitum Ltd.)
O4 - HKLM..\Run: [OutpostMonitor] C:\Program Files\Agnitum\Outpost Firewall Pro\op_mon.exe (Agnitum Ltd.)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKCU..\Run: [$Volumouse$] C:\AppsNoInstall\volumouse\volumouse.exe (NirSoft)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe (American Power Conversion Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2009/11/11 15:30:58 | 00,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\B4BD\Start Menu\Programs\Startup\AutorunsDisabled [2007/03/03 08:22:54 | 00,000,000 | -H-D | M]
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsMenu = 01 00 00 00  [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 01 00 00 00  [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsHistory = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartBanner = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to  Evernote - C:\Program Files\Evernote\Evernote3\enbar.dll (Evernote Corporation)
O9 - Extra Button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall Pro\ie_bar.dll (Agnitum Ltd.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} http://www.creative.com/su/ocx/15031/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} http://catalog.update.microsoft.com/v7/sit...b?1211239737950 (MUCatalogWebControl Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1229314090703 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1217687312828 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative.com/su/ocx/15034/CTPID.cab (Creative Software AutoUpdate Support Package)
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Handler\AutorunsDisabled\intu-qt2007 {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\AutorunsDisabled\intu-qt2008 {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/12/23 14:59:37 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) -  File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) -  File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found
 
[color="#E56717"]========== Files/Folders - Created Within 14 Days ==========[/color]
 
[2009/11/14 23:18:02 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/11/14 21:47:16 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009/11/14 17:34:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/11/11 06:23:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2009/11/09 06:23:10 | 00,000,000 | ---D | C] -- C:\rsit
[2009/11/08 22:42:31 | 00,806,985 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwtvwnd.dll
[2009/11/08 22:42:31 | 00,294,968 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwpnp32.dll
[2009/11/08 22:42:31 | 00,213,066 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwdvbsubtitles.ax
[2009/11/08 22:42:31 | 00,204,871 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\HCWPsiParser.ax
[2009/11/08 22:42:31 | 00,176,197 | ---- | C] (Hauppauge Computer Works Inc.) -- C:\WINDOWS\System32\hcwmux.ax
[2009/11/08 22:42:31 | 00,118,851 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwNowNext.ax
[2009/11/08 22:42:31 | 00,106,559 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwTVDlg.dll
[2009/11/08 22:42:31 | 00,106,552 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwi2c32.dll
[2009/11/08 22:42:31 | 00,094,208 | ---- | C] (Hauppuage Computer Works) -- C:\WINDOWS\System32\hcwsstereo.ax
[2009/11/08 22:42:31 | 00,090,190 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\Bt848WST.DLL
[2009/11/08 22:42:31 | 00,081,920 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwSplit.ax
[2009/11/08 22:42:31 | 00,081,920 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwNull.ax
[2009/11/08 22:42:31 | 00,073,728 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwSnap.ax
[2009/11/08 22:42:31 | 00,073,728 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwFRead.ax
[2009/11/08 22:42:31 | 00,069,632 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwPP2PP.ocx
[2009/11/08 22:42:31 | 00,065,536 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwdlg.ocx
[2009/11/08 22:42:31 | 00,057,344 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwFWrit.ax
[2009/11/08 22:42:31 | 00,053,248 | ---- | C] (DScaler Project, see  http://www.dscaler.org/) -- C:\WINDOWS\System32\HCWdlace.ax
[2009/11/08 22:42:31 | 00,036,921 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwutl32.dll
[2009/11/08 22:42:31 | 00,030,720 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwWinTVCI.dll
[2009/11/08 22:42:31 | 00,011,264 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwhook.dll
[2009/11/08 22:42:07 | 00,393,216 | ---- | C] (Snowbound Software Corporation (www.Snowbnd.com)) -- C:\WINDOWS\System32\hcwsnbd9.dll
[2009/11/08 21:36:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\WinTV
[2009/11/08 07:38:52 | 00,000,000 | ---D | C] -- C:\Fix
[2009/11/08 07:26:23 | 00,528,896 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\B4BD\Desktop\OTL.exe
[2009/11/05 06:18:37 | 00,096,256 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwcp.ax.hcw
[2009/11/03 20:33:01 | 00,000,000 | ---D | C] -- C:\found.000
[2009/11/03 06:35:52 | 00,000,000 | ---D | C] -- C:\MGtools
[2009/11/03 05:38:44 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\B4BD\Desktop\RootRepeal.exe
[2009/11/02 19:30:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/11/02 19:29:48 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/11/02 19:29:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\B4BD\Application Data\SUPERAntiSpyware.com
[2009/11/02 05:57:24 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Installer Clean Up
[2009/11/01 13:50:28 | 00,000,000 | ---D | C] -- C:\Hauppauge
[2008/01/04 14:36:51 | 00,094,208 | ---- | C] (VSO Software) -- C:\Documents and Settings\B4BD\Application Data\ezplay.sys
[2008/01/04 14:36:27 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\B4BD\Application Data\pcouffin.sys
[2008/01/04 14:36:24 | 02,279,464 | ---- | C] (VSO Software SARL) -- C:\Program Files\PcSetup.exe
[2007/04/05 06:18:52 | 00,348,160 | ---- | C] ( ) -- C:\WINDOWS\System32\lexlog.dll
[2007/04/05 06:18:17 | 00,987,136 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabusb1.dll
[2007/04/05 06:18:17 | 00,671,744 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabpmui.dll
[2007/04/05 06:18:16 | 00,569,344 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabiobj.dll
[2007/04/05 06:18:16 | 00,409,600 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabinpa.dll
[2007/04/05 06:18:15 | 01,196,032 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabserv.dll
[2007/04/05 06:18:15 | 00,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabprox.dll
[2007/04/05 06:18:15 | 00,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabpplc.dll
[2007/04/05 06:18:14 | 01,052,672 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabip1.dll
[2007/04/05 06:18:14 | 00,557,056 | ---- | C] ( ) -- C:\WINDOWS\System32\LMablmpm.dll
[2007/04/05 06:18:14 | 00,532,480 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabpar1.dll
[2007/04/05 06:18:13 | 00,610,304 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabcomc.dll
[2007/04/05 06:18:13 | 00,421,888 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabcomm.dll
[2007/04/05 06:18:13 | 00,335,872 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabhcp.dll
 
[color="#E56717"]========== Files - Modified Within 14 Days ==========[/color]
 
[2009/11/15 12:35:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/15 12:34:58 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/15 12:34:49 | 34,875,47392 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/15 12:32:00 | 22,020,096 | ---- | M] () -- C:\Documents and Settings\B4BD\ntuser.dat
[2009/11/15 12:31:36 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\B4BD\ntuser.ini
[2009/11/15 08:46:52 | 45,159,593 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/11/15 08:46:37 | 00,092,923 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/11/15 07:08:46 | 00,003,003 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/15 07:08:46 | 00,000,020 | ---- | M] () -- C:\WINDOWS\PM20.INI
[2009/11/14 21:58:50 | 00,000,277 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/11/14 21:20:04 | 00,102,660 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\SystemLook.exe
[2009/11/14 17:43:14 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/11/14 17:19:43 | 03,559,909 | R--- | M] () -- C:\Documents and Settings\B4BD\Desktop\ComboFix.exe
[2009/11/14 16:17:33 | 00,077,312 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\mbr.exe
[2009/11/14 06:19:26 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/14 01:47:57 | 00,260,608 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/11/13 20:05:23 | 00,843,167 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\SecurityCheck.exe
[2009/11/12 05:59:25 | 00,001,840 | -H-- | M] () -- E:\Data\Default.rdp
[2009/11/11 09:20:49 | 00,291,840 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\ftw126s4.exe
[2009/11/11 06:51:33 | 00,001,736 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Desktop Manager.lnk
[2009/11/11 06:42:25 | 00,000,256 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\pool.bin
[2009/11/11 06:08:05 | 03,762,218 | -H-- | M] () -- C:\Documents and Settings\B4BD\Local Settings\Application Data\IconCache.db
[2009/11/10 06:29:46 | 00,001,843 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
[2009/11/09 21:23:22 | 00,000,174 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\Fix2.url
[2009/11/09 21:22:39 | 00,000,144 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\Fix1.url
[2009/11/09 09:51:39 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/11/09 06:18:17 | 00,001,489 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinTV Radio.lnk
[2009/11/08 22:44:36 | 00,006,542 | ---- | M] () -- C:\WINDOWS\HCWPNP.INI
[2009/11/08 22:42:32 | 00,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2009/11/08 22:42:32 | 00,000,717 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2009/11/08 22:42:11 | 00,000,645 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinTV.lnk
[2009/11/08 07:26:24 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\B4BD\Desktop\OTL.exe
[2009/11/05 06:18:26 | 00,000,489 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Install WinTV 7 CD 1.2a.lnk
[2009/11/04 20:35:54 | 00,001,555 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\CCleaner.lnk
[2009/11/04 08:23:51 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/11/03 06:40:43 | 00,197,676 | ---- | M] () -- C:\MGlogs.zip
[2009/11/03 05:41:39 | 00,000,015 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\settings.dat
[2009/11/01 22:01:09 | 00,000,674 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\Shortcut to HijackThis.exe.lnk
[2009/11/01 16:35:55 | 00,000,156 | ---- | M] () -- C:\WINDOWS\Twunk001.MTX
[2009/11/01 16:35:55 | 00,000,005 | ---- | M] () -- C:\WINDOWS\Twain001.Mtx
 
[color="#E56717"]========== Files Created - No Company Name ==========[/color]
 
[2009/11/14 21:20:04 | 00,102,660 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\SystemLook.exe
[2009/11/14 17:23:16 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/11/14 17:17:59 | 03,559,909 | R--- | C] () -- C:\Documents and Settings\B4BD\Desktop\ComboFix.exe
[2009/11/14 16:17:33 | 00,077,312 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\mbr.exe
[2009/11/13 20:05:21 | 00,843,167 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\SecurityCheck.exe
[2009/11/11 16:15:34 | 34,875,47392 | -HS- | C] () -- C:\hiberfil.sys
[2009/11/11 09:20:48 | 00,291,840 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\ftw126s4.exe
[2009/11/11 06:23:09 | 00,001,736 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Desktop Manager.lnk
[2009/11/10 06:36:50 | 00,000,725 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\Search Everything.lnk
[2009/11/10 06:29:45 | 00,001,843 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
[2009/11/10 05:43:20 | 00,000,256 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\pool.bin
[2009/11/09 21:22:48 | 00,000,174 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\Fix2.url
[2009/11/09 21:22:20 | 00,000,144 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\Fix1.url
[2009/11/08 22:46:05 | 00,001,489 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinTV Radio.lnk
[2009/11/08 22:43:17 | 00,046,680 | ---- | C] () -- C:\WINDOWS\System32\HCWTVServer.tlb
[2009/11/08 22:42:31 | 00,413,696 | ---- | C] () -- C:\WINDOWS\System32\HCWChMgr.ocx
[2009/11/08 22:42:31 | 00,163,840 | ---- | C] () -- C:\WINDOWS\System32\hcwChDB.dll
[2009/11/08 22:42:31 | 00,023,304 | ---- | C] () -- C:\WINDOWS\System32\HcwChDB.tlb
[2009/11/08 22:42:11 | 00,000,645 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinTV.lnk
[2009/11/08 22:41:31 | 00,006,542 | ---- | C] () -- C:\WINDOWS\HCWPNP.INI
[2009/11/05 06:18:37 | 00,066,048 | ---- | C] () -- C:\WINDOWS\System32\hcwxds.dll.hcw
[2009/11/05 06:18:26 | 00,000,489 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Install WinTV 7 CD 1.2a.lnk
[2009/11/03 06:37:07 | 00,197,676 | ---- | C] () -- C:\MGlogs.zip
[2009/11/03 05:39:26 | 00,000,015 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\settings.dat
[2009/11/01 22:01:09 | 00,000,674 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\Shortcut to HijackThis.exe.lnk
[2009/11/01 17:48:01 | 00,001,473 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\Media Center.lnk
[2009/09/03 05:49:04 | 00,017,664 | ---- | C] () -- C:\WINDOWS\System32\drivers\OXUDIDRV_X32.sys
[2009/08/20 17:36:39 | 00,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/08/20 17:36:38 | 00,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009/08/20 17:36:33 | 00,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/08/20 17:36:33 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/07/06 18:52:57 | 00,037,728 | ---- | C] () -- C:\Documents and Settings\B4BD\Application Data\Comma Separated Values (Windows).ADR
[2009/06/30 05:05:56 | 00,000,032 | ---- | C] () -- C:\WINDOWS\gca631.INI
[2009/05/12 21:28:34 | 00,066,048 | ---- | C] () -- C:\WINDOWS\System32\hcwxds.dll
[2009/05/09 06:43:00 | 00,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/02/20 06:13:54 | 00,872,448 | ---- | C] () -- C:\Documents and Settings\B4BD\Local Settings\Application Data\filesync.metadata
[2009/01/15 08:00:34 | 00,000,772 | ---- | C] () -- C:\Documents and Settings\B4BD\Application Data\KiwiLogFileViewer.ini
[2009/01/15 08:00:34 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\KiwiLogFileViewer.ini
[2009/01/11 21:50:03 | 00,000,038 | ---- | C] () -- C:\WINDOWS\camcodec100.ini
[2009/01/09 15:25:19 | 00,000,012 | ---- | C] () -- C:\WINDOWS\dirsaver.ini
[2008/12/23 07:33:18 | 00,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2008/11/25 21:20:43 | 00,000,035 | ---- | C] () -- C:\WINDOWS\dice.ini
[2008/11/24 06:26:59 | 00,000,247 | ---- | C] () -- C:\WINDOWS\phedit.ini
[2008/11/15 09:50:34 | 00,001,293 | ---- | C] () -- C:\WINDOWS\MultiTimer.ini
[2008/11/03 06:04:53 | 00,000,026 | ---- | C] () -- C:\WINDOWS\COOWIZCK.INI
[2008/11/03 06:03:56 | 00,000,042 | ---- | C] () -- C:\WINDOWS\coowiz20.ini
[2008/10/02 02:53:12 | 00,528,384 | ---- | C] () -- C:\WINDOWS\System32\BladeEnc.dll
[2008/10/02 02:53:12 | 00,120,832 | ---- | C] () -- C:\WINDOWS\System32\ShnDll32.dll
[2008/08/15 21:31:27 | 00,000,018 | ---- | C] () -- C:\WINDOWS\phsrch5.ini
[2008/06/30 07:30:48 | 00,000,703 | ---- | C] () -- C:\WINDOWS\NewsRover.INI
[2008/06/10 21:05:07 | 00,000,023 | ---- | C] () -- C:\Documents and Settings\B4BD\Local Settings\Application Data\kodakpcd.ini
[2008/05/29 21:00:11 | 00,000,549 | ---- | C] () -- C:\WINDOWS\gmer.ini
[2008/05/29 21:00:04 | 00,819,200 | ---- | C] () -- C:\WINDOWS\gmer.dll
[2008/04/26 06:08:22 | 00,120,376 | ---- | C] () -- C:\WINDOWS\System32\rrsec.dll
[2008/04/10 19:00:08 | 00,000,032 | ---- | C] () -- C:\WINDOWS\CD_Start.INI
[2008/03/26 03:27:37 | 00,000,525 | ---- | C] () -- C:\WINDOWS\my.ini
[2008/01/27 11:57:45 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\cygz.dll
[2008/01/27 11:57:45 | 00,007,196 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_3GP_AAC.ini
[2008/01/27 11:57:45 | 00,006,490 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_PSP.ini
[2008/01/27 11:57:45 | 00,005,028 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_3GP2_AAC.ini
[2008/01/27 11:57:45 | 00,004,296 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_Zune.ini
[2008/01/27 11:57:45 | 00,003,045 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_iPod.ini
[2008/01/27 11:57:45 | 00,002,956 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_PMP.ini
[2008/01/27 11:57:45 | 00,002,910 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_3GP_AMR.ini
[2008/01/27 11:57:45 | 00,002,516 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_PPC.ini
[2008/01/27 11:57:45 | 00,002,175 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_iPhone.ini
[2008/01/27 11:57:45 | 00,001,964 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP2_QVGA_AAC.ini
[2008/01/27 11:57:45 | 00,001,964 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP2_QCIF_AAC.ini
[2008/01/27 11:57:45 | 00,001,878 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_Xbox.ini
[2008/01/27 11:57:45 | 00,001,814 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP_QCIF_AMR.ini
[2008/01/27 11:57:45 | 00,001,814 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP_QCIF_AAC.ini
[2008/01/27 11:57:45 | 00,001,739 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_AppleTV.ini
[2008/01/27 11:57:45 | 00,000,036 | ---- | C] () -- C:\WINDOWS\System32\INI_Add_mfra.ini
[2008/01/27 11:57:44 | 00,001,814 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP_QVGA_AMR.ini
[2008/01/27 11:57:44 | 00,001,814 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP_QVGA_AAC.ini
[2008/01/19 08:10:04 | 00,000,068 | ---- | C] () -- C:\WINDOWS\xpsyspad.ini
[2008/01/04 14:36:51 | 00,007,861 | ---- | C] () -- C:\Documents and Settings\B4BD\Application Data\ezplay.cat
[2008/01/04 14:36:51 | 00,001,103 | ---- | C] () -- C:\Documents and Settings\B4BD\Application Data\ezplay.inf
[2008/01/04 14:36:51 | 00,000,125 | ---- | C] () -- C:\Documents and Settings\B4BD\Application Data\ezplay.ini
[2008/01/04 14:36:27 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\B4BD\Application Data\pcouffin.cat
[2008/01/04 14:36:27 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\B4BD\Application Data\pcouffin.inf
[2007/12/31 07:15:22 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\M05.Support.Mjpeg.dll
[2007/11/28 21:09:20 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIDIB4.dll
[2007/10/08 18:27:58 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2007/10/08 18:13:37 | 00,029,696 | ---- | C] () -- C:\WINDOWS\System32\unsxkic.dll
[2007/10/08 18:13:37 | 00,027,650 | ---- | C] () -- C:\WINDOWS\System32\s3pitwa.dll
[2007/10/08 18:13:37 | 00,026,626 | ---- | C] () -- C:\WINDOWS\System32\tapiinh.dll
[2007/09/17 07:04:54 | 00,394,240 | ---- | C] () -- C:\WINDOWS\System32\Smab.dll
[2007/09/17 07:04:51 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2007/08/20 16:26:52 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2007/08/20 16:26:52 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2007/08/15 14:33:14 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/08/15 14:30:26 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/07/29 06:12:55 | 00,000,081 | ---- | C] () -- C:\WINDOWS\USRWIZ.INI
[2007/06/10 20:20:12 | 00,004,053 | ---- | C] () -- C:\WINDOWS\32bifax.ini
[2007/05/10 20:25:42 | 00,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/05/10 20:25:42 | 00,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2007/04/15 10:01:04 | 00,000,219 | ---- | C] () -- C:\WINDOWS\ngmap.ini
[2007/04/14 13:44:17 | 00,000,080 | ---- | C] () -- C:\WINDOWS\encore_launcher.ini
[2007/03/24 21:08:49 | 00,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/03/05 20:14:27 | 00,000,000 | ---- | C] () -- C:\WINDOWS\pp.ini
[2007/03/05 13:34:28 | 00,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/02/18 07:57:03 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2007/02/18 06:57:10 | 00,000,823 | ---- | C] () -- C:\WINDOWS\tsc.ini
[2007/02/18 06:57:09 | 00,071,749 | ---- | C] () -- C:\WINDOWS\hcextoutput.dll
[2007/02/18 06:56:29 | 00,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2007/02/11 05:19:33 | 00,001,178 | ---- | C] () -- C:\WINDOWS\ARCHPR.INI
[2007/01/12 20:10:40 | 00,172,056 | ---- | C] () -- C:\WINDOWS\System32&

Offline guestolo

I have Hidden Kernel Modules that don't look right
« Reply #32 on: November 15, 2009, 04:14:44 PM »
Daemon tools can definitely interfere with Windows Updates and getting into safe mode
It is probably also the reason we were seeing infected MBR in ComboFix

Quote
I have been uninstalling a few apps to clean up the list of ones I don't use.
What other applications did you remove beside Daemon tools?

I'm getting confused as to where we stand right now
Don't do anything else for now but the below
Can you do the following:
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Flim

I have Hidden Kernel Modules that don't look right
« Reply #33 on: November 15, 2009, 04:43:44 PM »
I deleted some media converter programs and time management tools that I haven't used. Let me know if you need a list.

Here's the scan log:


SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 13:30 on 15/11/2009 by B4BD (Administrator - Elevation successful)

========== reg ==========

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
@=""


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Acronis Scheduler2 Service"=""C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe""
"AcronisTimounterMonitor"=""C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe""
"AVG9_TRAY"="C:\PROGRA~1\AVG\AVG9\avgtray.exe"
"BlackBerryAutoUpdate"="C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background"
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe"
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe"
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe"
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe"
"Malwarebytes Anti-Malware (reboot)"=""C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript"
"OutpostFeedBack"=""C:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe" /dump:os_startup"
"OutpostMonitor"=""C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe" /tray /noservice"
"SysTrayApp"="%ProgramFiles%\IDT\WDM\sttray.exe"
"TrueImageMonitor.exe"=""C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\AutorunsDisabled]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]


-=End Of File=-

Offline guestolo

I have Hidden Kernel Modules that don't look right
« Reply #34 on: November 15, 2009, 05:08:32 PM »
Ok, looks like it didn't work with OTL
Can you do the following:
Right click on Outpost Firewall icon by the clock and select
Firewall Policy
Then choose Disable

This should stop Outpost from interfering
Then run the following again, if you couldn't run it earlier

START>>RUN
Copy/paste the following then hit OK

combofix /u

Afterwards
We need to update a couple of your programs to ensure we plug some security holes malware can exploit
Open Adobe Reader, click on HELP>>Check for Updates
Update the software

Afterwards: Close down all browser windows
Access your Add and Remove Programs
uninstall both the following:
Java(TM) 6 Update 15
Java(TM) 6 Update 13

We'll update these in a bit

Come back here
Double click on OTL.exe to run it
  • Under the Custom Scans/Fixes box at the bottom, copy/paste in the following in the quote box below. Don't include the word Quote please
    Quote
    :Reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "Malwarebytes Anti-Malware (reboot)"=-

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

On startup, Allow OTL to run if prompted
please post the log that OTL produces
A copy of this log can also be found in
C:\_OTL\Moved Files folder

You can reenable Outpost protection

Quote
I deleted some media converter programs and time management tools that I haven't used. Let me know if you need a list.
Yes please, I want to ensure there are no leftovers in OTL log
Do you know the programs off hand?

We'll update Sun Java next step
Just do the above for now

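The two registry steps in guestolo's posts above (the SystemLook `:reg` dump of the run and run- keys in Reply #32, and the OTL `:Reg` fix in Reply #34 that deletes the run- key and the "Malwarebytes Anti-Malware (reboot)" value) can be previewed before the fix is run. The Python script below is an added example written for this page; it is not part of the thread, of SystemLook or of OTL. It parses a SystemLook-style dump, applies the fix script's directives to the parsed copy as a dry run, and reports what would be removed and which targets are absent. The sample dump is constructed from abbreviated entries of the log posted above; the directive semantics ([-KEY] deletes a key including its subkeys, [KEY] selects a key, "name"=- deletes a value) are assumed to follow regedit .reg syntax, which is the form the posted script uses, and any other directive stops the dry run rather than being guessed at. All function and constant names are mine.

```python
import re

# Constructed sample in the SystemLook ":reg" format seen in this thread (abbreviated
# from the posted log; illustrative, not a real machine).
SYSTEMLOOK_SAMPLE = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG9_TRAY"="C:\PROGRA~1\AVG\AVG9\avgtray.exe"
"BlackBerryAutoUpdate"="C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background"
"Malwarebytes Anti-Malware (reboot)"=""C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\AutorunsDisabled]
-=End Of File=-
'''

# The :Reg fix script posted in the thread. Assumed regedit-style semantics:
# [-KEY] deletes a key and its subkeys, [KEY] selects it, "name"=- deletes a value.
OTL_FIX = r'''
:Reg
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Malwarebytes Anti-Malware (reboot)"=-
'''

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")      # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')       # "name"=data
DEFAULT_RE = re.compile(r"^@=(.*)$")             # @=data is the key's default value
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|cmd|bat))(?:\s+(.*))?$", re.IGNORECASE)

def _unquote(data):
    # SystemLook wraps REG_SZ data in one pair of quotes; strip exactly that pair.
    return data[1:-1] if len(data) >= 2 and data[0] == data[-1] == '"' else data

def parse_systemlook(text):
    """Parse a ':reg' dump into {key.lower(): {"key": as_written, "values": {name: data}}}."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := KEY_RE.match(line):
            current = keys[m.group(2).lower()] = {"key": m.group(2), "values": {}}
        elif current is not None and (m := VALUE_RE.match(line)):
            current["values"][m.group(1)] = _unquote(m.group(2))
        elif current is not None and (m := DEFAULT_RE.match(line)):
            current["values"]["(Default)"] = _unquote(m.group(1))
    return keys   # header lines and the end marker match nothing and are skipped

def split_command(data):
    """Split image path from arguments, including the nested-quote form '"<path>" /switch'."""
    if data.startswith('"') and data.find('"', 1) != -1:
        end = data.find('"', 1)
        return data[1:end], data[end + 1:].strip()
    m = EXE_RE.match(data)      # unquoted path with spaces: cut after the executable name
    return (m.group(1), m.group(2) or "") if m else (data, "")

def parse_fix(text):
    """Turn :Reg directives into actions; a form the thread does not use raises instead of being skipped."""
    actions, current = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.lower() == ":reg":
            continue
        if m := KEY_RE.match(line):
            current = None if m.group(1) == "-" else m.group(2)
            if m.group(1) == "-":
                actions.append(("delete_key", m.group(2), None))
        elif (m := VALUE_RE.match(line)) and m.group(2) == "-" and current:
            actions.append(("delete_value", current, m.group(1)))
        else:
            raise ValueError("unsupported or misplaced directive: " + line)
    return actions

def apply_fix(keys, actions):
    """Dry-run actions on a copy of the dump; returns (remaining, report). The report lists
    every deletion and every target absent from the dump, so nothing is removed silently."""
    remaining = {k: {"key": v["key"], "values": dict(v["values"])} for k, v in keys.items()}
    report = []
    for kind, key, name in actions:
        k = key.lower()
        if kind == "delete_key":   # a key deletion takes its subkeys with it, as the live registry would
            doomed = [x for x in remaining if x == k or x.startswith(k + "\\")]
            report += [("delete_key", remaining.pop(x)["key"], None) for x in doomed] or [("absent", key, None)]
        else:
            entry = remaining.get(k)
            if entry and name in entry["values"]:
                del entry["values"][name]
                report.append(("delete_value", entry["key"], name))
            else:
                report.append(("absent", key, name))
    return remaining, report

def dry_run(dump_text=SYSTEMLOOK_SAMPLE, fix_text=OTL_FIX):
    """Preview what the fix script would remove from the machine the dump came from."""
    return apply_fix(parse_systemlook(dump_text), parse_fix(fix_text))

if __name__ == "__main__":
    remaining, report = dry_run()
    for kind, key, name in report:
        print(f"{kind:12} {key}" + (f" -> {name!r}" if name else ""))
    for entry in remaining.values():
        print(entry["key"], {n: split_command(d) for n, d in entry["values"].items()})
```

Running the script prints one line per planned deletion and then the autostart entries that would survive, each split into image path and switches. The subkey rule matters for reading a fix script: `[-...\run-]` only touches the leftover key with an empty default value, whereas `[-...\run]` would also take `run\AutorunsDisabled` with it, which is why the posted script selects the run key and removes a single value instead of deleting the key.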


Offline Flim

I have Hidden Kernel Modules that don't look right
« Reply #35 on: November 15, 2009, 05:53:05 PM »
Quote from: guestolo (post 466332, Nov 15 2009, 02:08 PM)
This should stop Outpost from interfering
Then run the following again, if you couldn't run it earlier

START>>RUN
Copy/paste the following then hit OK

combofix /u

ComboFix didn't uninstall again. I had to use "suspend protection" to get Outpost to stop asking.

I'm updating Reader right now. Do you want the ComboFix log?

Offline guestolo

I have Hidden Kernel Modules that don't look right
« Reply #36 on: November 15, 2009, 05:56:42 PM »
Sure post the log, but I need you to do the rest of the instructions



Offline Flim

I have Hidden Kernel Modules that don't look right
« Reply #37 on: November 15, 2009, 05:58:57 PM »
I'm just about to run OTL

Here's the programs I removed

 My Sirius Studio
 Presto! PageManager 6
 Replay Screencast 1.21
 Scott's Wallpaper Switcher v 1.1
 Software Virtualization Trinket
 Task Coach 0.71.3
 version 3.5 (which was also Winxmedia converter - was in here twice)
 WinXMedia DVD MPEG/AVI/Audio Converter 3.5


Here's the last CF Log


ComboFix 09-11-15.01 - B4BD 15/11/2009 14:28.6.2 - FAT32x86
Microsoft Windows XP Professional  5.1.2600.2.1252.2.1033.18.3326.2511 [GMT -8:00]
Running from: c:\documents and settings\B4BD\Desktop\ComboFix.exe
Command switches used :: /u
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Outpost Firewall Pro *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.

(((((((((((((((((((((((((   Files Created from 2009-10-15 to 2009-11-15  )))))))))))))))))))))))))))))))
.

2009-11-15 07:18 . 2009-11-15 07:18    --------    d-----w-    C:\_OTL
2009-11-14 16:21 . 2009-11-09 17:51    4026136    ----a-w-    c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-14 16:21 . 2009-11-09 17:51    2016536    ----a-w-    c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-14 16:21 . 2009-11-09 17:51    1257240    ----a-w-    c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-14 16:21 . 2009-10-18 17:48    600344    ----a-w-    c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-14 16:21 . 2009-11-09 17:51    3963672    ----a-w-    c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-14 16:21 . 2009-10-24 07:05    496920    ----a-w-    c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-14 14:12 . 2009-11-14 14:12    --------    d-----w-    c:\windows\system32\wbem\Repository
2009-11-11 14:48 . 2009-11-11 14:47    2124089    ----a-w-    c:\temp\pictures.zip
2009-11-11 14:23 . 2009-11-11 14:23    --------    d-----w-    c:\documents and settings\All Users\Application Data\Research In Motion
2009-11-09 17:50 . 2009-10-18 17:48    610072    ----a-w-    c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-09 14:23 . 2009-11-09 14:24    --------    d-----w-    C:\rsit
2009-11-09 06:42 . 2008-05-30 01:00    806985    ----a-w-    c:\windows\system32\hcwtvwnd.dll
2009-11-09 06:42 . 2008-05-09 05:13    294968    ----a-w-    c:\windows\system32\hcwpnp32.dll
2009-11-09 06:42 . 2008-04-22 22:53    163840    ----a-w-    c:\windows\system32\hcwChDB.dll
2009-11-09 06:42 . 2008-03-26 22:54    30720    ----a-w-    c:\windows\system32\hcwWinTVCI.dll
2009-11-09 06:42 . 2008-03-12 01:36    106552    ----a-w-    c:\windows\system32\hcwi2c32.dll
2009-11-09 06:42 . 2004-06-08 08:03    36921    ----a-w-    c:\windows\system32\hcwutl32.dll
2009-11-09 06:42 . 2004-01-26 22:49    90190    ----a-w-    c:\windows\system32\Bt848WST.DLL
2009-11-09 06:42 . 2003-11-07 20:45    106559    ----a-w-    c:\windows\system32\hcwTVDlg.dll
2009-11-09 06:42 . 1999-04-28 00:26    11264    ----a-w-    c:\windows\system32\hcwhook.dll
2009-11-09 06:42 . 2001-07-19 16:44    393216    ----a-w-    c:\windows\system32\hcwsnbd9.dll
2009-11-08 15:38 . 2009-11-15 13:17    --------    d-----w-    C:\Fix
2009-11-04 04:33 . 2009-11-04 04:33    --------    d-----w-    C:\found.000
2009-11-03 14:37 . 2009-11-03 14:40    197676    ----a-w-    C:\MGlogs.zip
2009-11-03 14:35 . 2009-11-03 14:40    --------    d-----w-    C:\MGtools
2009-11-03 03:30 . 2009-11-03 03:30    --------    d-----w-    c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-03 03:29 . 2009-11-11 21:38    --------    d-----w-    c:\program files\SUPERAntiSpyware
2009-11-03 03:29 . 2009-11-11 21:38    --------    d-----w-    c:\documents and settings\B4BD\Application Data\SUPERAntiSpyware.com
2009-11-02 13:57 . 2009-11-02 13:57    3584    ----a-r-    c:\documents and settings\B4BD\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-11-02 13:57 . 2009-11-02 13:57    --------    d-----w-    c:\program files\Windows Installer Clean Up
2009-11-01 21:50 . 2009-11-09 05:32    --------    d-----w-    C:\Hauppauge
2009-10-31 15:27 . 2009-01-28 19:52    142337    ----a-w-    c:\windows\system32\Wait.exe
2009-10-31 15:27 . 2009-11-09 13:55    --------    d-----w-    c:\program files\WinTV
2009-10-31 15:16 . 2009-11-11 21:39    363088    ----a-w-    c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-25 18:46 . 2009-10-25 18:46    --------    d-----w-    c:\documents and settings\B4BD\Application Data\AVG9
2009-10-24 16:08 . 2009-10-24 16:12    --------    d-----w-    C:\I386
2009-10-24 07:06 . 2009-10-24 07:05    360584    ----a-w-    c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-10-24 07:04 . 2009-10-18 17:48    842520    ----a-w-    c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-10-24 07:04 . 2009-10-24 07:04    1657112    ----a-w-    c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-10-23 04:23 . 2009-10-23 04:23    --------    d-----w-    c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-10-18 17:49 . 2009-10-20 03:13    --------    d-----w-    C:\$AVG
2009-10-18 17:48 . 2009-11-09 17:51    360584    ----a-w-    c:\windows\system32\drivers\avgtdix.sys
2009-10-18 17:48 . 2009-10-18 17:48    12464    ----a-w-    c:\windows\system32\avgrsstx.dll
2009-10-18 17:48 . 2009-10-18 17:48    333192    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2009-10-18 17:48 . 2009-10-18 17:48    28424    ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
2009-10-18 17:48 . 2009-11-15 16:46    --------    d-----w-    c:\windows\system32\drivers\Avg
2009-10-18 17:48 . 2009-10-18 17:48    --------    d-----w-    c:\program files\AVG
2009-10-18 17:48 . 2009-10-18 17:48    --------    d-----w-    c:\documents and settings\All Users\Application Data\avg9

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-15 22:25 . 2009-02-20 04:46    --------    d-----w-    c:\program files\Everything
2009-11-15 15:40 . 2007-01-06 00:43    --------    d-----w-    c:\program files\WinXMedia
2009-11-15 15:08 . 2005-12-23 23:15    --------    d--h--w-    c:\program files\InstallShield Installation Information
2009-11-15 14:59 . 2007-09-19 05:18    --------    d-----w-    c:\program files\Sirius
2009-11-15 00:54 . 2006-02-20 14:24    --------    d-----w-    c:\program files\Mozilla Thunderbird
2009-11-14 16:05 . 2009-01-08 19:57    1    ----a-w-    c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-11 21:38 . 2006-02-16 04:53    --------    d-----w-    c:\program files\Common Files\Wise Installation Wizard
2009-11-11 17:36 . 2007-08-08 03:35    --------    d-----w-    c:\program files\ESET
2009-11-11 14:22 . 2009-07-10 13:45    --------    d-----w-    c:\program files\Common Files\Research In Motion
2009-11-11 14:13 . 2006-02-07 05:19    --------    d-----w-    c:\documents and settings\B4BD\Application Data\AdobeUM
2009-11-10 14:32 . 2006-10-09 21:22    --------    d-----w-    c:\program files\TimeLeft3
2009-11-10 14:30 . 2008-12-04 15:11    --------    d-----w-    c:\program files\StationRipper
2009-11-10 14:29 . 2009-08-16 16:58    --------    d-----w-    c:\program files\r2 Studios
2009-11-08 22:51 . 2007-09-19 05:21    --------    d-----w-    c:\program files\Yahoo!
2009-11-08 22:51 . 2007-09-19 05:22    --------    d-----w-    c:\documents and settings\All Users\Application Data\YAHOO
2009-11-05 07:33 . 2009-06-06 18:53    --------    d-----w-    c:\program files\TweakNow PowerPack 2009
2009-11-05 06:56 . 2007-03-02 13:45    --------    d-----w-    c:\program files\WhatsRunning
2009-11-03 13:08 . 2007-11-21 05:35    --------    d-----w-    c:\program files\EarthTime
2009-11-03 13:08 . 2007-01-06 01:01    --------    d-----w-    c:\program files\Aurora Media Workshop
2009-11-02 13:56 . 2008-03-24 13:45    --------    d-----w-    c:\program files\MSECache
2009-11-02 05:38 . 2009-06-12 05:26    --------    d-----w-    c:\program files\Common Files\Roxio Shared
2009-11-02 05:09 . 2009-04-11 18:13    --------    d-----w-    c:\program files\AML Registry Cleaner
2009-11-02 04:39 . 2007-06-12 15:16    --------    d-----w-    c:\documents and settings\All Users\Application Data\River Past G5
2009-11-02 04:38 . 2007-10-09 02:13    --------    d-----w-    c:\documents and settings\All Users\Application Data\River Past G4
2009-11-02 00:50 . 2009-01-15 16:06    --------    d-----w-    c:\program files\Kiwi CatTools3
2009-11-02 00:50 . 2007-05-28 15:10    --------    d---a-w-    c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 00:49 . 2009-10-01 12:44    --------    d-----w-    c:\program files\Syslogd
2009-10-31 05:22 . 2008-03-16 03:13    492164    ------w-    c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\ISSetup.dll
2009-10-31 05:22 . 2008-03-16 03:13    460248    ----a-w-    c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\setup.exe
2009-10-31 05:22 . 2008-03-16 03:13    164784    ----a-w-    c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\_Setup.dll
2009-10-25 21:03 . 2009-08-04 15:26    --------    d-----w-    c:\documents and settings\B4BD\Application Data\vlc
2009-10-25 15:44 . 2009-04-18 13:53    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2009-10-25 15:43 . 2009-08-23 14:08    4045528    ----a-w-    c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-23 03:23 . 2008-03-02 18:02    --------    d-----w-    c:\documents and settings\B4BD\Application Data\Canon
2009-10-20 13:03 . 2009-09-24 12:51    664    ----a-w-    c:\windows\system32\d3d9caps.dat
2009-10-20 03:40 . 2007-10-18 13:06    --------    d-----w-    c:\program files\SmartWhois
2009-10-18 17:54 . 2005-12-24 02:23    213936    ----a-w-    c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-12 17:22 . 2009-10-12 17:22    --------    d-----w-    c:\program files\DemoForge
2009-10-09 03:30 . 2006-06-21 14:29    --------    d-----w-    c:\program files\Java
2009-10-09 03:29 . 2009-10-09 03:29    152576    ----a-w-    c:\documents and settings\B4BD\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-04 22:25 . 2009-02-26 15:03    --------    d-----w-    c:\program files\Opera
2009-09-22 05:05 . 2009-09-22 05:05    --------    d-----w-    c:\program files\JRE
2009-09-22 05:04 . 2009-01-08 19:46    --------    d-----w-    c:\program files\OpenOffice.org 3
2009-09-21 03:50 . 2009-07-06 04:52    --------    d-----w-    c:\program files\Songbird
2009-09-14 18:44 . 2008-07-15 05:31    256792    ----a-w-    c:\windows\system32\drivers\afwcore.sys
2009-09-10 21:54 . 2009-04-18 13:53    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-04-18 13:53    19160    ----a-w-    c:\windows\system32\drivers\mbam.sys
2009-09-03 13:27 . 2009-09-03 13:27    10134    ----a-r-    c:\documents and settings\B4BD\Application Data\Microsoft\Installer\{57A5EB05-1B4C-4133-9315-5ECDFC01C0F4}\ARPPRODUCTICON.exe
2009-08-29 00:36 . 2008-04-26 15:56    714112    ----a-w-    c:\windows\system32\drivers\SandBox.sys
2009-08-18 04:27 . 2009-08-18 04:27    686080    ----a-w-    c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
2009-08-18 04:27 . 2009-08-18 04:27    568832    ----a-w-    c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcp90.dll
2009-08-18 04:27 . 2009-08-18 04:27    655872    ----a-w-    c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcr90.dll
2009-08-18 04:27 . 2009-08-18 04:27    583168    ----a-w-    c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\xpdfimport.exe
2009-08-18 04:27 . 2009-08-18 04:27    224768    ----a-w-    c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcm90.dll
2007-04-11 20:12 . 2008-01-04 22:36    2279464    ----a-w-    c:\program files\PcSetup.exe
2006-02-23 15:16 . 2007-06-24 14:50    34048    ----a-w-    c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 15:16 . 2007-06-24 14:50    45056    ----a-w-    c:\program files\mozilla firefox\plugins\upd62int.dll
2006-05-03 09:06 . 2009-08-17 05:09    163328    --sh--r-    c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-08-17 05:09    31232    --sh--r-    c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-08-17 05:09    216064    --sh--r-    c:\windows\system32\nbDX.dll
.

(((((((((((((((((((((((((((((   SnapShot@2009-11-13_05.01.57   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-15 20:35 . 2009-11-15 20:35    16384              c:\windows\temp\Perflib_Perfdata_8d4.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"$Volumouse$"="c:\appsnoinstall\volumouse\volumouse.exe" [2009-03-15 31744]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-12 483422]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-14 2020120]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-09-24 1270080]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall Pro\feedback.exe" [2009-09-23 436552]

c:\documents and settings\B4BD\Start Menu\Programs\Startup\AutorunsDisabled
TimeLeft.lnk - c:\program files\TimeLeft3\TimeLeft3\TimeLeft.exe [2006-12-9 1026560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-9-15 221247]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-4-19 25214]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-18 17:48    12464    ----a-w-    c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Media Center Diagnostic Kit\\MCDiag.exe"=
"c:\\Program Files\\Media Center Diagnostic Kit\\MCEHostRemote.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\engine\\6\\Intel 32\\Ikernel.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVTray.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASSelector.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASDriveMapper.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPEZBkup.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVCheck.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"c:\\Program Files\\Red Chair Software\\Notmad Explorer\\notmgr.exe"=
"c:\\Program Files\\Red Chair Software\\Audigen Explorer\\audmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [21/06/2006 7:12 PM 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [18/10/2009 9:48 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18/10/2009 9:48 AM 360584]
R1 oxfwlf;oxfwlf;c:\windows\system32\drivers\OxFWLF.sys [02/12/2003 10:47 AM 12616]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [26/04/2008 7:56 AM 714112]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [26/04/2008 7:56 AM 1338560]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [18/10/2009 9:48 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [18/10/2009 9:48 AM 285392]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [26/04/2008 7:56 AM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [14/07/2008 9:31 PM 256792]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [12/05/2009 9:28 PM 1432960]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [07/09/2006 8:16 PM 10112]
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [26/04/2008 7:56 AM 33920]
S3 DVRMSFileWatcherService;DVRMSFileWatcherService;c:\program files\DVRMSToolbox\DVRMSFileWatcherService.exe [27/02/2007 8:53 PM 20480]
S3 ehMonitor;Media Center Monitor Service;c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe [07/09/2005 6:18 PM 49336]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;

S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [08/11/2009 10:43 PM 823296]
S3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXP.sys [23/12/2005 3:17 PM 38528]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23/12/2008 7:35 AM 50704]
S3 OXUDIDRV;OXUDIDRV;c:\windows\system32\drivers\OXUDIDRV_X32.sys [03/09/2009 5:49 AM 17664]
S3 OxUSBLF;Oxsemi USB filter driver;c:\windows\system32\drivers\OxUSBLF.sys [31/05/2005 2:39 PM 7808]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [24/03/2009 3:03 AM 7808]
S3 QCPro;Logitech QuickCam Pro USB(PID_D001);c:\windows\system32\drivers\p35u.sys [12/11/2006 8:34 AM 116448]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [17/06/2009 10:22 PM 30136]
S4 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [10/09/2007 11:45 PM 124832]
S4 gupdate1c99e16a3dd4ece;Google Update Service (gupdate1c99e16a3dd4ece);c:\program files\Google\Update\GoogleUpdate.exe [05/03/2009 8:47 PM 133104]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE    REG_MULTI_SZ       QWAVE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{621FCD24-4498-4324-A81E-07D331376EDF}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-07-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-29 13:19]

2009-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 04:46]

2009-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 04:46]

2008-12-08 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\B4BD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-02 14:13]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Documents%20and%20Settings/B4BD/Application%20Data/LastPass/iehome.html
IE: Add to  Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
TCP: {241E0D44-3E60-4164-9E31-0D7447F037D1} = 208.67.222.222,208.67.220.220
Handler: AutorunsDisabled\intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-15 14:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1956)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(2696)
c:\windows\system32\WININET.dll
c:\appsnoinstall\volumouse\vlmshlp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTIntrfc.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTConfig.DLL
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\JBNSRES.DLL
.
Completion time: 2009-11-15 14:43
ComboFix-quarantined-files.txt  2009-11-15 22:43
ComboFix091101.txt  2009-11-01 20:39
ComboFix2.txt  2009-11-15 06:02
ComboFix3.txt  2009-11-15 04:51
ComboFix4.txt  2009-11-15 01:51
ComboFix5.txt  2009-11-15 22:26

Pre-Run: 34,553,495,552 bytes free
Post-Run: 34,497,843,200 bytes free

- - End Of File - - ADEFF2D621F920CE9BE0E6C4F9DE4E8E
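The service/driver listing above (the `R1`/`S3` lines and the "Other Services/Drivers In Memory" block) is the part of a ComboFix log a helper reads most carefully, and it is easier to triage mechanically than by eye. The following is an added example, not code from this thread or from ComboFix's author: a small parser that turns those lines into records (state, start type, name, description, image path, file timestamp, size) and flags the entries a reviewer would look up first. Assumptions: the `R`/`S` prefix is read as running/stopped and the digit as the Windows service start type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled), which is how ComboFix formats these lines; the sample input is copied from the log above plus one constructed line (`demo_drv`, not in the log) to exercise the out-of-place-driver check. The flags are triage pointers, not verdicts: two of the entries in this log that trip the "description repeats the name" rule (`Asapi`, `SandBox`) belong to legitimate software.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample input: lines copied from the ComboFix log above, plus one
# constructed line (demo_drv) that is NOT in the log, used only to show
# the out-of-place kernel driver check firing.
SAMPLE_LOG = r"""
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [21/06/2006 7:12 PM 11264]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [26/04/2008 7:56 AM 1338560]
R3 demo_drv;demo_drv;c:\windows\temp\demo_drv.sys [01/01/2009 1:00 AM 4096]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23/12/2008 7:35 AM 50704]
S4 gupdate1c99e16a3dd4ece;Google Update Service (gupdate1c99e16a3dd4ece);c:\program files\Google\Update\GoogleUpdate.exe [05/03/2009 8:47 PM 133104]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
"""

# "R2 name;description;path [dd/mm/yyyy h:mm AM size]"
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$")
PATH_RE = re.compile(r"^(.*?)\s*\[(\d{2}/\d{2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M)\s+(\d+)\]$")
DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(\S+)$")

# Assumed mapping of the digit to the Windows service start type.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

DRIVER_DIR = "\\windows\\system32\\drivers\\"


def parse_service_line(line: str) -> Optional[Dict]:
    """Parse one R/S service line; return None for anything else."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, desc, rest = m.groups()
    entry = {
        "state": "running" if state == "R" else "stopped",
        "start": START_TYPES[int(start)],
        "name": name,
        "description": desc,
        "path": None,
        "timestamp": None,
        "size": None,
    }
    rest = rest.strip()
    pm = PATH_RE.match(rest)
    if pm:
        entry["path"] = pm.group(1).lower()
        entry["timestamp"] = pm.group(2)
        entry["size"] = int(pm.group(3))
    elif rest:
        # Path present but without the [timestamp size] suffix.
        entry["path"] = rest.lower()
    return entry


def parse_log(text: str) -> Tuple[List[Dict], List[str]]:
    """Return (service entries, names listed as *Deregistered*)."""
    entries: List[Dict] = []
    deregistered: List[str] = []
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry:
            entries.append(entry)
            continue
        dm = DEREG_RE.match(line.strip())
        if dm:
            deregistered.append(dm.group(1))
    return entries, deregistered


def triage(entries: List[Dict]) -> List[Tuple[str, str]]:
    """Heuristic flags a reviewer would check first; not a verdict."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if not e["path"]:
            # ComboFix could not resolve an image for the service.
            findings.append((e["name"], "no image path recorded"))
            continue
        if e["path"].endswith(".sys") and DRIVER_DIR not in e["path"]:
            findings.append((e["name"], "kernel driver loaded from outside system32\\drivers"))
        if e["state"] == "running" and e["name"].lower() == e["description"].lower():
            findings.append((e["name"], "running entry whose description just repeats its name"))
    return findings


if __name__ == "__main__":
    svc, dereg = parse_log(SAMPLE_LOG)
    for name, reason in triage(svc):
        print(f"{name}: {reason}")
    print("deregistered (drivers loaded and unloaded by scanners):", dereg)
```

The `*Deregistered*` names are reported separately rather than flagged: in this log they correspond to the `mbr` and Process Explorer drivers, which scanning tools load and unload on each run, so their absence from the registry is expected rather than suspicious.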

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
I have Hidden Kernel Modules that don't look right
« Reply #38 on: November 15, 2009, 06:01:24 PM »
ComboFix isn't reporting an infected MBR anymore since the total removal of Daemon Tools and its registry fix

Please complete the rest of the instructions from my last reply
Don't worry about uninstalling ComboFix for now

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Flim

  • Newbie
  • *
  • Posts: 29
  • Karma: +0/-0
I have Hidden Kernel Modules that don't look right
« Reply #39 on: November 15, 2009, 06:09:44 PM »
Here's the OTL Log. And by the way, I didn't download a new Combofix when I ran the last one in case that's an issue.

========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\\Malwarebytes Anti-Malware (reboot) deleted successfully.
 
OTL by OldTimer - Version 3.1.4.0 log created on 11152009_150040