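OK, everything seemed to work. Here are the logs: the ComboFix run, the whole-computer antivirus scan report, and the start of the OTL log.
[Note on reading the ComboFix log: c:\windows\system32\gomigoka.dll (attributes --sh--, created 2009-11-05 23:32) is still listed under "Files Created" and has the same style of random name as the three system32 DLLs the script deleted, so it is worth checking before calling the machine clean. The header also reports the ZoneAlarm Pro firewall as *disabled* at the time of the run.]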
ComboFix 09-11-05.05 - Tim 11/07/2009 8:11.4.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.598 [GMT -8:00]
Running from: c:\documents and settings\Tim\Desktop\thcbytes.exe
Command switches used :: c:\documents and settings\Tim\Desktop\CFScript.txt
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
FILE ::
"C:\unhackme.zip"
"c:\windows\Internet Logs\xDB18.tmp"
"c:\windows\Internet Logs\xDB19.tmp"
"c:\windows\Internet Logs\xDB1A.tmp"
"c:\windows\Internet Logs\xDB1B.tmp"
"c:\windows\Internet Logs\xDB1C.tmp"
"c:\windows\Internet Logs\xDB1D.tmp"
"c:\windows\Internet Logs\xDB1E.tmp"
"c:\windows\Internet Logs\xDB1F.tmp"
"c:\windows\system32\suhuyaki.dll"
"c:\windows\system32\tuwezune.dll"
"c:\windows\system32\yatevipi.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\unhackme.zip
c:\windows\Internet Logs\xDB18.tmp
c:\windows\Internet Logs\xDB19.tmp
c:\windows\Internet Logs\xDB1A.tmp
c:\windows\Internet Logs\xDB1B.tmp
c:\windows\Internet Logs\xDB1C.tmp
c:\windows\Internet Logs\xDB1D.tmp
c:\windows\Internet Logs\xDB1E.tmp
c:\windows\Internet Logs\xDB1F.tmp
c:\windows\system32\suhuyaki.dll
c:\windows\system32\tuwezune.dll
c:\windows\system32\yatevipi.dll
.
((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.
2009-11-06 22:45 . 2009-11-06 22:45 -------- d-----w- c:\documents and settings\Tim\Application Data\GetRightToGo
2009-11-06 21:42 . 2009-11-06 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-06 20:15 . 2009-11-06 21:09 -------- d-----w- c:\windows\system32\NtmsData
2009-11-06 01:09 . 2009-11-06 01:09 -------- d-----w- c:\documents and settings\Tim\Application Data\Malwarebytes
2009-11-06 01:09 . 2009-09-10 22:54 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-06 01:09 . 2009-11-06 01:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 01:09 . 2009-11-06 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-06 01:09 . 2009-09-10 22:53 19160 ------w- c:\windows\system32\drivers\mbam.sys
2009-11-06 01:08 . 2009-11-06 01:08 4045544 ----a-w- C:\mbam-setup.exe
2009-11-06 01:07 . 2009-11-06 01:07 7256415 ----a-w- C:\SUPERAntiSpywarePro.exe
2009-11-05 23:32 . 2009-11-05 23:32 39424 --sh--w- c:\windows\system32\gomigoka.dll
2009-10-29 02:43 . 2009-10-29 02:43 -------- d-----w- c:\documents and settings\Tim\Application Data\Auslogics
2009-10-29 02:43 . 2009-10-29 02:43 -------- d-----w- c:\program files\Auslogics
2009-10-29 02:17 . 2009-10-29 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-28 23:20 . 2009-10-28 23:20 29380 ---h--w- c:\windows\system32\mlfcache.dat
2009-10-20 16:54 . 2009-10-20 16:54 59976 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.736\English\setup.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-07 00:22 . 2009-11-07 00:29 4779008 ----a-w- c:\windows\Internet Logs\xDB22.tmp
2009-11-07 00:16 . 2009-07-21 15:01 -------- d-----w- c:\program files\Eraser
2009-11-07 00:11 . 2009-11-07 00:13 4779520 ----a-w- c:\windows\Internet Logs\xDB21.tmp
2009-11-06 23:39 . 2009-11-06 23:43 4786176 ----a-w- c:\windows\Internet Logs\xDB20.tmp
2009-11-06 17:46 . 2006-06-23 03:17 -------- d-----w- c:\documents and settings\Tim\Application Data\Canon
2009-11-04 15:52 . 2007-04-06 21:51 -------- d-----w- c:\program files\Cryptainer PE
2009-09-23 02:42 . 2006-06-22 22:23 30504 ----a-w- c:\documents and settings\Tim\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-23 02:41 . 2009-09-23 02:41 -------- d-----w- c:\program files\Microsoft
2009-09-23 02:41 . 2009-09-23 02:40 -------- d-----w- c:\program files\Windows Live
2009-09-23 02:40 . 2009-09-23 02:40 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-23 02:35 . 2009-09-23 02:35 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-20 18:40 . 2006-06-23 05:56 -------- d-----w- c:\documents and settings\Tim\Application Data\Apple Computer
2009-09-20 18:33 . 2009-09-20 18:32 -------- d-----w- c:\program files\iTunes
2009-09-20 18:33 . 2009-09-20 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-20 18:32 . 2006-06-23 06:01 -------- d-----w- c:\program files\iPod
2009-09-20 18:32 . 2008-01-27 01:11 -------- d-----w- c:\program files\Common Files\Apple
2009-09-20 18:31 . 2009-09-20 18:31 -------- d-----w- c:\program files\Bonjour
2009-09-20 18:30 . 2009-09-20 18:30 -------- d-----w- c:\program files\QuickTime
2009-09-20 18:20 . 2009-09-20 18:20 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-17 22:37 . 2008-02-07 02:43 -------- d-----w- c:\program files\Java
2009-09-17 22:36 . 2009-09-17 22:36 152576 ----a-w- c:\documents and settings\Tim\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-16 17:18 . 2009-09-13 23:40 -------- d-----w- c:\program files\Quicken Lawyer 2003 Personal
2009-09-14 16:10 . 2006-06-22 23:32 4212 ---h--w- c:\windows\system32\zllictbl.dat
2009-09-02 15:15 . 2009-09-02 15:15 152576 ----a-w- c:\documents and settings\Tim\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"TurboBackup"="c:\progra~1\FILEST~1\TURBOB~1\tbksche.exe" [2007-07-15 512000]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]
"Eraser"="c:\program files\Eraser\eraser.exe" [2002-07-29 495616]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 344064]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 755480]
"ASUS Probe"="c:\program files\ASUS\Probe\AsusProb.exe" [2002-12-06 617984]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-17 61952]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TurboBackup"="c:\progra~1\FILEST~1\TURBOB~1\tbksche.exe" [2007-07-15 512000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [5/21/2004 12:30 AM 94080]
R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [6/22/2006 2:21 PM 1258432]
R3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [3/2/2009 1:47 PM 16896]
S2 TBKNTService;TBKNTService;c:\progra~1\FILEST~1\TURBOB~1\TBKNTService.exe [9/5/2007 6:50 PM 57344]
S3 mamovec;mamovec;c:\windows\system32\drivers\mamovec.sys [8/2/2008 9:09 PM 24784]
S3 mamovem;mamovem;c:\windows\system32\drivers\mamovem.sys [8/2/2008 9:09 PM 25044]
S3 mamoveu;mamoveu;c:\windows\system32\drivers\mamoveu.sys [8/2/2008 9:09 PM 48853]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/2/2008 10:48 PM 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/2/2008 10:48 PM 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [8/2/2008 10:48 PM 23680]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder
2009-06-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: turbotax.com
DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} - hxxp://download.tenebril.com/pub/bin/scanner2008/TenebrilSpywareScanner.ocx
DPF: {4AEF8AEE-3DE8-4B69-8B6E-6353B6C59B50} - hxxp://onesite.realpage.com/coreglobal/RealpageCab/Realpage.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-11-07 08:15
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-11-07 8:16
ComboFix-quarantined-files.txt 2009-11-07 16:16
ComboFix2.txt 2009-11-07 01:43
Pre-Run: 91,822,178,304 bytes free
Post-Run: 91,809,230,848 bytes free
- - End Of File - - 92C81C82E191ACDB793A234070CF6681
"Scan ""Scan whole computer"" was finished."
"Infections";"27";"27";"0"
"Spyware";"8";"8";"0"
"Warnings";"98";"98";"0"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Saturday, November 07, 2009, 9:00:02 AM"
"Scan finished:";"Saturday, November 07, 2009, 9:44:12 AM (44 minute(s) 10 second(s))"
"Total object scanned:";"329156"
"User who launched the scan:";"Tim"
"Infections"
"File";"Infection";"Result"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\09QRO5MN\load-full[1].exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0003193.com";"Virus found Downloader.Banload";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000078.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000077.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000074.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000073.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000066.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000064.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000059.dll";"Trojan horse SHeur2.BPSD";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000045.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000043.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000040.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000038.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000035.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000033.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000030.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000028.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000022.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000021.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000018.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000016.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000011.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000010.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000006.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000005.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000004.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP1\A0000003.exe";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"Spyware"
"File";"Infection";"Result"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP2\A0004326.exe:\unwise0018.bin:\Uninst.exe";"Adware Generic.EAV";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP2\A0004326.exe:\unwise0018.bin:\SaveNow.exe";"Adware Generic.EAU";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP2\A0004326.exe:\unwise0018.bin";"Adware Generic.EAU";"Moved to Virus Vault"
"C:\System Volume Information\_restore{5A4FC8FF-3551-4AC9-830B-665789E751CA}\RP2\A0004326.exe";"Adware Generic.EAU";"Moved to Virus Vault"
"C:\Downloads\waterfree.exe:\unwise0018.bin:\Uninst.exe";"Adware Generic.EAV";"Moved to Virus Vault"
"C:\Downloads\waterfree.exe:\unwise0018.bin:\SaveNow.exe";"Adware Generic.EAU";"Moved to Virus Vault"
"C:\Downloads\waterfree.exe:\unwise0018.bin";"Adware Generic.EAU";"Moved to Virus Vault"
"C:\Downloads\waterfree.exe";"Adware Generic.EAU";"Moved to Virus Vault"
"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\Tim\Cookies\tim@yadro[2].txt:\yadro.ru.c77afad5";"Found Tracking cookie.Yadro";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@yadro[2].txt:\yadro.ru.a4842f54";"Found Tracking cookie.Yadro";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@yadro[2].txt";"Found Tracking cookie.Yadro";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@web-stat[2].txt:\web-stat.com.f451ed4e";"Found Tracking cookie.Web-stat";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@web-stat[2].txt:\web-stat.com.e524be1b";"Found Tracking cookie.Web-stat";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@web-stat[2].txt";"Found Tracking cookie.Web-stat";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@tribalfusion[2].txt:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@tribalfusion[2].txt";"Found Tracking cookie.Tribalfusion";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@tacoda[2].txt:\tacoda.net.ed9c50d1";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@tacoda[2].txt:\tacoda.net.cd7ce44f";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@tacoda[2].txt:\tacoda.net.c4fe2ebb";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@tacoda[2].txt:\tacoda.net.5935e89";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@tacoda[2].txt:\tacoda.net.4366831a";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@tacoda[2].txt:\tacoda.net.27341d57";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@tacoda[2].txt";"Found Tracking cookie.Tacoda";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@statse.webtrendslive[2].txt:\statse.webtrendslive.com.b4ca7df0";"Found Tracking cookie.Webtrendslive";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@statse.webtrendslive[2].txt";"Found Tracking cookie.Webtrendslive";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@smartadserver[2].txt:\smartadserver.com.c5827141";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@smartadserver[2].txt:\smartadserver.com.bf8b766";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@smartadserver[2].txt:\smartadserver.com.5550c4ed";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@smartadserver[2].txt:\smartadserver.com.321a5cf8";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@smartadserver[2].txt";"Found Tracking cookie.Smartadserver";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@serving-sys[2].txt:\serving-sys.com.c9034af6";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@serving-sys[2].txt:\serving-sys.com.6a1cf9e8";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@serving-sys[2].txt:\serving-sys.com.606c3d3b";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@serving-sys[2].txt:\serving-sys.com.4b416ef8";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@serving-sys[2].txt:\serving-sys.com.400f83f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@serving-sys[2].txt:\serving-sys.com.255d6f2f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@serving-sys[2].txt";"Found Tracking cookie.Serving-sys";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@searchportal.information[2].txt:\searchportal.information.com.f1e62fe";"Found Tracking cookie.Information";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@searchportal.information[2].txt:\searchportal.information.com.44e78b2";"Found Tracking cookie.Information";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@searchportal.information[2].txt:\searchportal.information.com.3a8d7204";"Found Tracking cookie.Information";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@searchportal.information[2].txt:\searchportal.information.com.29bc608d";"Found Tracking cookie.Information";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@searchportal.information[2].txt";"Found Tracking cookie.Information";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@revsci[1].txt:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@revsci[1].txt:\revsci.net.cb09cf21";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@revsci[1].txt:\revsci.net.a5874ce1";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@revsci[1].txt:\revsci.net.8642c85d";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@revsci[1].txt:\revsci.net.80477c7f";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@revsci[1].txt:\revsci.net.73a3e177";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@revsci[1].txt:\revsci.net.738d89d";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@revsci[1].txt:\revsci.net.55564293";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@revsci[1].txt:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@revsci[1].txt:\revsci.net.4a124674";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@revsci[1].txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@revsci[1].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@revsci[1].txt:\revsci.net.26b016c3";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@revsci[1].txt";"Found Tracking cookie.Revsci";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@questionmarket[2].txt:\questionmarket.com.4dd5e426";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@questionmarket[2].txt:\questionmarket.com.3eb5a9f1";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@questionmarket[2].txt";"Found Tracking cookie.Questionmarket";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@pointroll[1].txt:\pointroll.com.f2d5a6f6";"Found Tracking cookie.Pointroll";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@pointroll[1].txt:\pointroll.com.72c0abc9";"Found Tracking cookie.Pointroll";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@pointroll[1].txt";"Found Tracking cookie.Pointroll";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@overture[2].txt:\overture.com.d727de6f";"Found Tracking cookie.Overture";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@overture[2].txt:\overture.com.52ca467a";"Found Tracking cookie.Overture";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@overture[2].txt";"Found Tracking cookie.Overture";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@mediaplex[2].txt:\mediaplex.com.f652b123";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@mediaplex[2].txt:\mediaplex.com.dc30fb3c";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@mediaplex[2].txt";"Found Tracking cookie.Mediaplex";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@m.webtrends[2].txt:\m.webtrends.com.b4ca7df0";"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@m.webtrends[2].txt";"Found Tracking cookie.Webtrends";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@ivwbox[2].txt:\ivwbox.de.41d82fe2";"Found Tracking cookie.Ivwbox";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@ivwbox[2].txt";"Found Tracking cookie.Ivwbox";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@hitbox[2].txt:\hitbox.com.bbf2a6e8";"Found Tracking cookie.Hitbox";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@hitbox[2].txt:\hitbox.com.2b95f8a3";"Found Tracking cookie.Hitbox";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@hitbox[2].txt";"Found Tracking cookie.Hitbox";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@doubleclick[2].txt:\doubleclick.net.bf396750";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@doubleclick[2].txt";"Found Tracking cookie.Doubleclick";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@clickbank[1].txt:\clickbank.net.82079eb1";"Found Tracking cookie.Clickbank";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@clickbank[1].txt";"Found Tracking cookie.Clickbank";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@bs.serving-sys[1].txt:\bs.serving-sys.com.5bf1f00f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@bs.serving-sys[1].txt";"Found Tracking cookie.Serving-sys";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@bluestreak[1].txt:\bluestreak.com.bf396750";"Found Tracking cookie.Bluestreak";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@bluestreak[1].txt";"Found Tracking cookie.Bluestreak";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@atdmt[1].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@atdmt[1].txt:\atdmt.com.9e6d7fd3";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@atdmt[1].txt:\atdmt.com.74c5668";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@atdmt[1].txt:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@atdmt[1].txt";"Found Tracking cookie.Atdmt";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@advertising[2].txt:\advertising.com.f62113d5";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@advertising[2].txt:\advertising.com.b624fa46";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@advertising[2].txt:\advertising.com.525a5fb9";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@advertising[2].txt:\advertising.com.203aa218";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@advertising[2].txt:\advertising.com.1dfa2206";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@advertising[2].txt:\advertising.com.1820df7a";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@advertising[2].txt";"Found Tracking cookie.Advertising";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@admarketplace[1].txt:\admarketplace.net.61a250a";"Found Tracking cookie.Admarketplace";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@admarketplace[1].txt";"Found Tracking cookie.Admarketplace";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@adengage[1].txt:\adengage.com.90cfe1c9";"Found Tracking cookie.Adengage";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@adengage[1].txt:\adengage.com.6b2a3f1";"Found Tracking cookie.Adengage";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@adengage[1].txt:\adengage.com.411a57fb";"Found Tracking cookie.Adengage";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@adengage[1].txt";"Found Tracking cookie.Adengage";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@7search[2].txt:\7search.com.f2cc2494";"Found Tracking cookie.7search";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@7search[2].txt:\7search.com.5bc4302d";"Found Tracking cookie.7search";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@7search[2].txt";"Found Tracking cookie.7search";"Healed"
"C:\Documents and Settings\Tim\Cookies\tim@2o7[2].txt:\2o7.net.9f8b156b";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Tim\Cookies\tim@2o7[2].txt";"Found Tracking cookie.2o7";"Healed"
OTL logfile created on: 11/7/2009 9:49:45 AM - Run 1
OTL by OldTimer - Version 3.1.4.0 Folder = C:\Documents and Settings\Tim\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1023.23 Mb Total Physical Memory | 437.07 Mb Available Physical Memory | 42.71% Memory free
2.41 Gb Paging File | 1.92 Gb Available in Paging File | 79.83% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 128.00 Gb Total Space | 85.16 Gb Free Space | 66.53% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 151.45 Gb Total Space | 122.25 Gb Free Space | 80.72% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: TJ-MAIN
Current User Name: Tim
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
========== Processes (SafeList) ==========
PRC - [2009/11/07 09:48:41 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tim\Desktop\OTL.exe
PRC - [2009/11/07 08:39:50 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/11/07 08:39:50 | 00,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/11/07 08:39:49 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/11/07 08:39:49 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/11/07 08:39:49 | 00,502,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/11/07 08:39:48 | 02,010,904 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2009/11/07 08:39:46 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/09/08 20:09:42 | 00,305,440 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/09/08 20:09:30 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/08/28 18:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/07/25 04:23:12 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/07/25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/06/29 00:35:10 | 00,634,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/02/03 20:41:55 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2009/02/03 20:41:55 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/10/10 05:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/09/02 11:48:12 | 00,049,152 | ---- | M] (Advanced Micro Devices Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
PRC - [2008/09/02 11:40:46 | 00,049,152 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/07/14 23:00:00 | 00,512,000 | ---- | M] (FileStream, Inc.) -- C:\Program Files\FileStream\TurboBackup\tbksche.exe
PRC - [2007/01/24 17:45:10 | 00,074,240 | ---- | M] (Cypherix Software (India) Pvt. Ltd.) -- C:\WINDOWS\system32\cryptainersrv.exe
PRC - [2006/10/11 11:45:12 | 00,075,304 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
PRC - [2005/09/30 18:22:50 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2004/09/29 06:15:00 | 00,344,064 | ---- | M] (ATI Technologies, Inc.) -- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PRC - [2003/08/06 12:24:20 | 12,037,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
PRC - [2003/07/14 21:45:18 | 00,196,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PRC - [2002/07/29 06:15:54 | 00,495,616 | ---- | M] (-) -- C:\Program Files\Eraser\eraser.exe
========== Modules (SafeList) ==========
MOD - [2009/11/07 09:48:41 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tim\Desktop\OTL.exe
MOD - [2008/04/13 16:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/13 16:11:53 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll
MOD - [2006/10/04 21:07:12 | 00,144,936 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
========== Win32 Services (SafeList) ==========
SRV - [2009/11/07 08:39:46 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/09/08 20:09:30 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/08/28 18:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/07/25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/02/03 20:41:55 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2009/02/03 20:05:00 | 00,593,920 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/10/10 05:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/04/13 16:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2007/07/14 23:00:00 | 00,057,344 | ---- | M] () -- C:\Program Files\FileStream\TurboBackup\tbkntservice.exe -- (TBKNTService)
SRV - [2007/01/24 17:45:10 | 00,074,240 | ---- | M] (Cypherix Software (India) Pvt. Ltd.) -- C:\WINDOWS\System32\cryptainersrv.exe -- (ssoftservice)
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2006/03/16 10:33:12 | 01,693,464 | ---- | M] (Zone Labs, LLC) -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2005/09/30 18:22:50 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
========== Driver Services (SafeList) ==========
DRV - File not found -- -- (catchme)
DRV - [2009/11/07 08:40:18 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2009/11/07 08:40:13 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/11/07 08:40:09 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/05/18 13:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/02/03 23:27:21 | 03,488,768 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/09/03 11:02:08 | 00,016,896 | ---- | M] (Wondershare) -- C:\WINDOWS\system32\drivers\VirtualAudio.sys -- (wsvad_driver)
DRV - [2008/04/13 08:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/11/02 13:36:10 | 00,018,176 | ---- | M] (Motorola) -- C:\WINDOWS\system32\drivers\motccgp.sys -- (motccgp)
DRV - [2007/10/21 16:16:44 | 00,006,912 | ---- | M] (NewTech Infosystems, Inc.) -- C:\WINDOWS\system32\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV - [2007/06/18 13:18:26 | 00,023,680 | ---- | M] (Motorola) -- C:\WINDOWS\system32\drivers\motport.sys -- (motport)
DRV - [2007/01/24 11:16:38 | 00,094,080 | ---- | M] (Cypherix Software (India) Pvt. Ltd.) -- C:\WINDOWS\system32\drivers\ssoftnt4.sys -- (ssoftnt4)
DRV - [2007/01/23 18:03:44 | 00,007,680 | ---- | M] (Motorola) -- C:\WINDOWS\system32\drivers\motccgpfl.sys -- (motccgpfl)
DRV - [2007/01/16 10:44:46 | 00,011,986 | ---- | M] (Mobile Action Technology Inc.) -- C:\WINDOWS\system32\drivers\MaVc2K.sys -- (MaVctrl)
DRV - [2007/01/09 17:32:42 | 00,048,853 | ---- | M] (Mobile Action Technology Inc.) -- C:\WINDOWS\system32\drivers\mamoveu.sys -- (mamoveu)
DRV - [2006/06/21 10:47:36 | 00,015,488 | ---- | M] (RapidSolution Software AG) -- C:\WINDOWS\system32\drivers\tbhsd.sys -- (tbhsd)
DRV - [2006/03/16 10:33:00 | 00,372,824 | ---- | M] (Zone Labs, LLC) -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2005/06/16 17:13:12 | 00,025,044 | ---- | M] (Mobile Action Technology Inc.) -- C:\WINDOWS\system32\drivers\mamovem.sys -- (mamovem)
DRV - [2005/06/16 17:11:58 | 00,024,784 | ---- | M] (Mobile Action Technology Inc.) -- C:\WINDOWS\system32\drivers\mamovec.sys -- (mamovec)
DRV - [2004/08/19 07:21:00 | 00,189,568 | ---- | M] (Marvell) -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2004/08/12 18:56:20 | 00,005,810 | R--- | M] () -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/08/04 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/07/27 08:06:54 | 01,258,432 | R--- | M] (C-Media Inc) -- C:\WINDOWS\system32\drivers\cmudax.sys -- (cmudax)
DRV - [2004/06/10 12:42:38 | 00,015,429 | R--- | M] ( ) -- C:\WINDOWS\system32\drivers\Sacm2A.sys -- (USBCM)
DRV - [2004/03/17 15:10:40 | 00,113,664 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)
DRV - [1997/04/22 09:16:00 | 00,006,272 | ---- | M] () -- C:\WINDOWS\system32\drivers\ASLM75.SYS -- (aslm75)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-583907252-1993962763-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-583907252-1993962763-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-583907252-1993962763-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch
IE - HKU\S-1-5-21-583907252-1993962763-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
IE - HKU\S-1-5-21-583907252-1993962763-682003330-1004\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-583907252-1993962763-682003330-1004\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-583907252-1993962763-682003330-1004\S-1-5-21-583907252-1993962763-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-583907252-1993962763-682003330-1004\S-1-5-21-583907252-1993962763-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/17 14:41:05 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/09/02 07:16:16 | 00,000,000 | ---D | M]
O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (EWPBrowseObject Class) - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll ()
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-583907252-1993962763-682003330-1004\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe ()
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\Hdaudpropshortcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
O4 - HKU\.DEFAULT..\Run: [TurboBackup] C:\Program Files\FileStream\TurboBackup\tbksche.exe (FileStream, Inc.)
O4 - HKU\S-1-5-18..\Run: [TurboBackup] C:\Program Files\FileStream\TurboBackup\tbksche.exe (FileStream, Inc.)
O4 - HKU\S-1-5-21-583907252-1993962763-682003330-1004..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe (-)
O4 - HKU\S-1-5-21-583907252-1993962763-682003330-1004..\Run: [MsnMsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-583907252-1993962763-682003330-1004..\Run: [TurboBackup] C:\Program Files\FileStream\TurboBackup\tbksche.exe (FileStream, Inc.)
O4 - HKU\S-1-5-21-583907252-1993962763-682003330-1004..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-583907252-1993962763-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-583907252-1993962763-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-583907252-1993962763-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-583907252-1993962763-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-583907252-1993962763-682003330-1004_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-583907252-1993962763-682003330-1004\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED}
http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab (Support.com Configuration Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83}
http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF}
http://www.ipix.com/viewers/ipixx.cab (iPIX ActiveX Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
http://active.macromedia.com/director/cabs/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4}
http://download.tenebril.com/pub/bin/scann...wareScanner.ocx (TenebrilSpywareScanner Control)
O16 - DPF: {4AEF8AEE-3DE8-4B69-8B6E-6353B6C59B50}
http://onesite.realpage.com/coreglobal/Rea...ab/Realpage.cab (Utility Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/22 13:59:42 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found
========== Files/Folders - Created Within 30 Days ==========
[2009/11/07 09:48:38 | 00,528,896 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tim\Desktop\OTL.exe
[2009/11/07 08:40:32 | 00,000,000 | -H-D | C] -- C:\$AVG
[2009/11/07 08:40:18 | 00,360,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/11/07 08:40:18 | 00,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/11/07 08:40:12 | 00,333,192 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/11/07 08:40:09 | 00,028,424 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/11/07 08:40:04 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/11/07 08:40:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2009/11/07 08:39:45 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/11/07 08:39:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/11/06 15:30:24 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/11/06 15:29:43 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/11/06 15:29:43 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/11/06 15:29:43 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/11/06 15:29:43 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/11/06 15:29:31 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/11/06 15:28:52 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/11/06 14:50:54 | 04,033,686 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Tim\Desktop\mbam-setup.exe
[2009/11/06 14:45:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tim\Application Data\GetRightToGo
[2009/11/06 13:42:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
[2009/11/06 13:35:33 | 00,471,004 | ---- | C] ( ) -- C:\Documents and Settings\Tim\Desktop\RootRepeal.exe
[2009/11/06 12:15:41 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2009/11/05 17:09:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tim\Application Data\Malwarebytes
[2009/11/05 17:09:29 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/11/05 17:09:28 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/05 17:09:28 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/11/05 17:09:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/11/05 17:08:44 | 04,045,544 | ---- | C] (Malwarebytes Corporation ) -- C:\mbam-setup.exe
[2009/10/28 18:43:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tim\Application Data\Auslogics
[2009/10/28 18:43:40 | 00,000,000 | ---D | C] -- C:\Program Files\Auslogics
[2009/10/28 18:17:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/10/23 10:43:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tim\Desktop\temp mp3s etc
[2009/10/21 09:17:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tim\Desktop\M4As for phone
[2009/10/19 18:35:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tim\Desktop\MP3s for phone
[2009/10/15 14:00:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tim\Desktop\bolts
[2009/10/12 12:15:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tim\Desktop\mosaics
[2006/06/22 15:13:13 | 00,015,429 | R--- | C] ( ) -- C:\WINDOWS\System32\drivers\Sacm2A.sys
[2006/06/22 14:13:17 | 00,163,840 | R--- | C] ( ) -- C:\WINDOWS\System32\ATIDEMGR.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[12 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2009/11/07 09:48:41 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tim\Desktop\OTL.exe
[2009/11/07 08:40:18 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/11/07 08:40:18 | 00,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/11/07 08:40:18 | 00,001,516 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2009/11/07 08:40:13 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/11/07 08:40:09 | 44,777,068 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/11/07 08:40:09 | 00,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2009/11/07 08:40:09 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/11/07 08:40:04 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/11/07 08:40:04 | 00,492,629 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/11/07 08:40:04 | 00,086,275 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/11/07 08:17:20 | 07,077,888 | ---- | M] () -- C:\Documents and Settings\Tim\ntuser.dat
[2009/11/07 08:16:41 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/07 08:15:20 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/11/06 17:32:43 | 00,035,981 | -H-- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2009/11/06 17:31:44 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/06 17:31:42 | 10,730,08640 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/06 16:34:07 | 03,562,655 | R--- | M] () -- C:\Documents and Settings\Tim\Desktop\thcbytes.exe
[2009/11/06 16:20:26 | 00,236,544 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\pev.exe
[2009/11/06 16:20:26 | 00,008,610 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\ncmd.cfxxe
[2009/11/06 16:20:26 | 00,000,439 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\rkill.reg
[2009/11/06 16:16:46 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Tim\ntuser.ini
[2009/11/06 15:38:14 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/11/06 15:36:10 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\mutupeva
[2009/11/06 15:30:29 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/11/06 15:13:58 | 00,047,616 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\Win32kDiag.exe
[2009/11/06 15:10:08 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\rkill.pif
[2009/11/06 14:51:02 | 04,033,686 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Tim\Desktop\mbam-setup.exe
[2009/11/06 13:35:33 | 00,471,004 | ---- | M] ( ) -- C:\Documents and Settings\Tim\Desktop\RootRepeal.exe
[2009/11/06 13:20:33 | 00,523,621 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\dds.scr
[2009/11/06 13:12:44 | 00,000,578 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\Slow Computer-browser Check Here First; It May Not Be Malware.url
[2009/11/06 10:53:52 | 00,267,264 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/11/06 10:16:59 | 00,000,017 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\stng260.opt
[2009/11/05 17:27:51 | 00,000,690 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/05 17:27:51 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/11/05 17:08:50 | 04,045,544 | ---- | M] (Malwarebytes Corporation ) -- C:\mbam-setup.exe
[2009/11/05 17:07:21 | 07,256,415 | ---- | M] () -- C:\SUPERAntiSpywarePro.exe
[2009/11/05 15:44:34 | 04,118,096 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\stinger1001624.exe
[2009/11/05 15:42:08 | 00,525,946 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/05 15:42:08 | 00,444,028 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/05 15:42:08 | 00,071,904 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/05 15:37:55 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/05 15:36:38 | 01,402,180 | -H-- | M] () -- C:\Documents and Settings\Tim\Local Settings\Application Data\IconCache.db
[2009/11/05 15:32:25 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\gomigoka.dll
[2009/11/04 16:22:21 | 00,044,987 | ---- | M] () -- C:\Documents and Settings\Tim\My Documents\ViewDocument.pdf
[2009/11/04 10:14:41 | 62,914,5600 | ---- | M] () -- C:\WINDOWS\System32\cxp1705
[2009/11/04 09:46:55 | 00,022,016 | ---- | M] () -- C:\Documents and Settings\Tim\My Documents\JB Payoff Schedule-revised 8-05-2009.xls
[2009/11/03 11:47:01 | 00,000,806 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\YouTube Downloader.lnk
[2009/11/02 19:27:30 | 00,000,281 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\Coconut Oi and Coconut Flour Health and Nutritional Benefits.url
[2009/11/02 18:39:29 | 00,000,208 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\FreeButyAcid_Cancer.url
[2009/11/02 11:55:38 | 00,000,002 | ---- | M] () -- C:\temphtm.HTM
[2009/10/31 21:31:49 | 00,000,284 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\Graviola supplement soursop, annona muricata.url
[2009/10/29 16:31:51 | 00,000,237 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\craigslist los angeles classifieds.url
[2009/10/28 15:20:40 | 00,029,380 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/10/26 18:09:20 | 00,000,255 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\GrassrootsHealth Vitamin D Action - GrassrootsHealth Vitamin D Action.url
[2009/10/26 17:19:43 | 00,406,774 | ---- | M] () -- C:\Documents and Settings\Tim\My Documents\Gilberto appt 10-26-09.rtf
[2009/10/26 11:36:16 | 00,000,158 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\Detailed Parcel Info - LA.url
[2009/10/25 06:11:34 | 00,077,312 | ---- | M] () -- C:\WINDOWS\MBR.exe
[2009/10/22 18:24:04 | 00,170,448 | ---- | M] () -- C:\Documents and Settings\Tim\My Documents\flouride interview.pdf
[2009/10/19 19:07:27 | 00,000,249 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\Anemoi - Wikipedia, the free encyclopedia.url
[2009/10/19 12:00:22 | 00,000,166 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\Public Search Page.url
[2009/10/17 10:48:05 | 04,155,068 | ---- | M] () -- C:\Documents and Settings\Tim\My Documents\Reclaim user guide.pdf
[2009/10/16 11:05:37 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\Tim\My Documents\Internal Revenue ServiceOct 16.doc
[2009/10/13 17:58:38 | 00,000,186 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\Orti Farnesiani sul Palatino.url
[2009/10/13 17:52:19 | 00,000,339 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\Tart Cherry Concentrate Cherry Juice Concentrate Tart, C - Cherry Juice Concentrate.url
[2009/10/13 17:45:19 | 00,064,114 | ---- | M] () -- C:\Documents and Settings\Tim\My Documents\Alternative Cancer Treatments.mht
[2009/10/13 12:56:43 | 00,000,162 | -H-- | M] () -- C:\Documents and Settings\Tim\My Documents\~$ternative Cancer Treatments.mht
[2009/10/09 10:59:11 | 00,000,231 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\Stuart Witt Homepage.url
[2009/10/08 16:50:57 | 00,000,735 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\My eBay Summary.url
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[12 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files Created - No Company Name ==========
[2009/11/07 08:40:18 | 00,001,516 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2009/11/07 08:40:09 | 00,113,461 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2009/11/07 08:40:04 | 44,777,068 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/11/07 08:40:04 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/11/07 08:40:04 | 00,492,629 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/11/07 08:40:04 | 00,086,275 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/11/06 16:34:00 | 03,562,655 | R--- | C] () -- C:\Documents and Settings\Tim\Desktop\thcbytes.exe
[2009/11/06 16:20:26 | 00,236,544 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\pev.exe
[2009/11/06 16:20:26 | 00,008,610 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\ncmd.cfxxe
[2009/11/06 16:20:26 | 00,000,439 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\rkill.reg
[2009/11/06 15:30:29 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/11/06 15:30:26 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/11/06 15:29:43 | 00,267,264 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/11/06 15:29:43 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/11/06 15:29:43 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/11/06 15:29:43 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/11/06 15:29:43 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/11/06 15:13:58 | 00,047,616 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\Win32kDiag.exe
[2009/11/06 15:10:07 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\rkill.pif
[2009/11/06 13:20:32 | 00,523,621 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\dds.scr
[2009/11/06 13:12:44 | 00,000,578 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\Slow Computer-browser Check Here First; It May Not Be Malware.url
[2009/11/06 10:16:09 | 00,000,017 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\stng260.opt
[2009/11/06 10:04:05 | 04,118,096 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\stinger1001624.exe
[2009/11/05 17:07:10 | 07,256,415 | ---- | C] () -- C:\SUPERAntiSpywarePro.exe
[2009/11/05 15:32:25 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\gomigoka.dll
[2009/11/04 16:22:21 | 00,044,987 | ---- | C] () -- C:\Documents and Settings\Tim\My Documents\ViewDocument.pdf
[2009/11/02 19:27:30 | 00,000,281 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\Coconut Oi and Coconut Flour Health and Nutritional Benefits.url
[2009/11/02 18:39:29 | 00,000,208 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\FreeButyAcid_Cancer.url
[2009/10/31 21:31:49 | 00,000,284 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\Graviola supplement soursop, annona muricata.url
[2009/10/28 15:20:40 | 00,029,380 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/10/26 16:41:37 | 00,406,774 | ---- | C] () -- C:\Documents and Settings\Tim\My Documents\Gilberto appt 10-26-09.rtf
[2009/10/22 18:24:04 | 00,170,448 | ---- | C] () -- C:\Documents and Settings\Tim\My Documents\flouride interview.pdf
[2009/10/19 19:07:27 | 00,000,249 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\Anemoi - Wikipedia, the free encyclopedia.url
[2009/10/19 12:00:22 | 00,000,166 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\Public Search Page.url
[2009/10/17 10:48:05 | 04,155,068 | ---- | C] () -- C:\Documents and Settings\Tim\My Documents\Reclaim user guide.pdf
[2009/10/16 11:05:37 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\Tim\My Documents\Internal Revenue ServiceOct 16.doc
[2009/10/13 17:58:38 | 00,000,186 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\Orti Farnesiani sul Palatino.url
[2009/10/13 17:52:19 | 00,000,339 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\Tart Cherry Concentrate Cherry Juice Concentrate Tart, C - Cherry Juice Concentrate.url
[2009/10/13 12:56:43 | 00,000,162 | -H-- | C] () -- C:\Documents and Settings\Tim\My Documents\~$ternative Cancer Treatments.mht
[2009/10/13 12:50:25 | 00,064,114 | ---- | C] () -- C:\Documents and Settings\Tim\My Documents\Alternative Cancer Treatments.mht
[2009/03/02 12:23:28 | 00,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2008/08/03 00:45:52 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PanelExe.INI
[2007/10/22 11:14:51 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Jcmkr32.INI
[2007/10/21 16:16:44 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIDBD32.dll
[2007/10/21 16:15:52 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\ntiembed.dll
[2007/10/21 16:14:11 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2007/10/21 16:14:11 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK32.dll
[2007/09/23 13:13:42 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL
[2007/09/23 13:13:16 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2007/09/23 13:11:48 | 00,000,416 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2007/09/05 18:50:20 | 00,114,688 | ---- | C] () -- C:\WINDOWS\System32\mxv.dll
[2007/02/03 01:01:37 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/02/03 01:01:37 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2007/02/03 01:01:36 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/02/03 01:01:35 | 00,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2007/02/03 01:01:35 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2007/02/03 00:25:43 | 00,000,975 | ---- | C] () -- C:\WINDOWS\wbocx.ini
[2006/10/18 19:08:20 | 00,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini
[2006/07/10 12:32:35 | 00,003,326 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/07/03 07:16:56 | 00,006,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASLM75.SYS
[2006/06/29 14:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 14:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/06/22 17:23:41 | 00,073,216 | ---- | C] () -- C:\Documents and Settings\Tim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/06/22 16:48:06 | 00,005,632 | R--- | C] () -- C:\WINDOWS\System32\CNMVSya.DLL
[2006/06/22 16:47:57 | 00,000,356 | R--- | C] () -- C:\WINDOWS\System32\CNCASv50.ini
[2006/06/22 16:47:40 | 00,000,462 | R--- | C] () -- C:\WINDOWS\System32\CNCMP50.INI
[2006/06/22 15:13:14 | 00,053,693 | R--- | C] () -- C:\WINDOWS\UNDPX2A.sys
[2006/06/22 14:57:38 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/06/22 14:23:35 | 00,030,504 | ---- | C] () -- C:\Documents and Settings\Tim\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2006/06/22 14:21:01 | 00,028,672 | R--- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2006/06/22 14:20:56 | 00,003,407 | R--- | C] () -- C:\WINDOWS\cmudax.ini
[2006/06/22 14:19:10 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2006/06/22 14:19:09 | 00,007,562 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2006/06/22 14:19:07 | 00,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2006/06/22 14:17:17 | 00,000,126 | ---- | C] () -- C:\Documents and Settings\Tim\Local Settings\Application Data\fusioncache.dat
[2006/06/22 14:16:15 | 01,402,180 | -H-- | C] () -- C:\Documents and Settings\Tim\Local Settings\Application Data\IconCache.db
[2006/06/22 14:05:38 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Tim\Application Data\desktop.ini
[2006/06/22 06:38:38 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2006/04/18 15:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 15:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2004/08/04 04:00:00 | 00,000,690 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 04:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/01/07 14:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/12/26 15:12:30 | 00,065,536 | R--- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/03 22:46:38 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/07/30 15:33:56 | 00,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/23 21:04:36 | 00,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
========== LOP Check ==========
[2008/12/19 08:26:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ATI
[2009/11/07 08:41:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2009/11/07 08:39:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2007/02/06 21:45:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2007/02/06 23:09:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cadsoft
[2007/09/23 13:06:06 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2007/09/23 13:11:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2009/09/20 10:33:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2006/06/22 14:17:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\ATI
[2009/10/28 18:43:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\Auslogics
[2009/11/06 09:46:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\Canon
[2009/11/06 14:45:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\GetRightToGo
[2008/07/23 09:22:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\NCH Swift Sound
[2007/10/17 12:30:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\NewSoft
[2007/09/23 13:11:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\ScanSoft
[2007/10/21 12:24:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\Simple Star
[2007/10/21 14:45:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\Snapfish
[2009/03/17 16:41:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\tunebite
[2004/08/04 04:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/11/07 08:16:41 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
========== Purity Check ==========
< End of report >
OTL Extras logfile created on: 11/7/2009 9:49:45 AM - Run 1
OTL by OldTimer - Version 3.1.4.0 Folder = C:\Documents and Settings\Tim\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1023.23 Mb Total Physical Memory | 437.07 Mb Available Physical Memory | 42.71% Memory free
2.41 Gb Paging File | 1.92 Gb Available in Paging File | 79.83% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 128.00 Gb Total Space | 85.16 Gb Free Space | 66.53% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 151.45 Gb Total Space | 122.25 Gb Free Space | 80.72% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: TJ-MAIN
Current User Name: Tim
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" File not found
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\MSN Messenger\msncall.exe" = C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone) -- File not found
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\ZoneLabs\vsmon.exe" = C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:TrueVector Service -- (Zone Labs, LLC)
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\TurboTax\Premier 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Premier 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Premier 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Premier 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02EBDBB9-4600-41D3-B566-40CB861511D2}" = World of Warcraft FREE Trial
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{083F79E4-6FE9-46FB-A6C6-4F8862742947}" = ATI HYDRAVISION
"{08F76731-BB08-4ABC-9595-ECE26C466965}" = MyInvoices & Estimates Deluxe
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{0D25F7CC-B99C-44ee-9945-B14532B2BB7B}" = Canon MP830
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 2.5.3
"{1E06D48E-5448-4BCC-9F87-9FB4EBD59898}" = SA30xx Media Converter
"{1ED6E4D0-8DB0-A333-DEA6-188F957F5A43}" = Catalyst Control Center Graphics Light
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java 6 Update 15
"{289CDCBA-1E82-460A-9DCA-E9FB6BAC1A42}" = SA30xx Device Manager
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3964B238-02DC-425E-B025-3B007C8ECCF7}" = Road Runner Medic 6.0.0.6
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{407E0CBD-D6BF-F243-6DE9-F1EEA525BA1C}" = Catalyst Control Center Graphics Full Existing
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4E68EAA3-775A-4542-A08A-47DB8E8E74A6}" = NTI Backup NOW! 3
"{5B30AA25-BF39-4BE4-8FEE-51938BAB214D}" = TurboTax 2008 wcaiper
"{5EC634FA-5047-38B2-A53A-15963D9BD872}" = CCC Help English
"{651AFCC8-2F1A-8132-0A33-FA5F041380BA}" = Catalyst Control Center Graphics Full New
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69EF33D7-3425-1409-0BE1-C4F3A6FB57A8}" = ccc-utility
"{7510EF8C-99B9-8533-524E-BF41BDC04188}" = Skins
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{773040E1-3B60-6507-C387-71F8F0A03C59}" = ccc-core-static
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{8307E622-89E1-435A-BC8A-678C678F6A43}" = SA30xx Media Converter
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}" = URGE
"{8FDD2A92-9F75-4706-B8C2-08499A9863E6}" = NTI DriveBackup! 3
"{90AF0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{92DEC792-A722-5991-2607-3EE3A4BD502B}" = Catalyst Control Center HydraVision Full
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96793032-8651-805A-67EF-E1759C1A8E3D}" = Catalyst Control Center Graphics Previews Common
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A1BC8E02-6B5B-4B4A-A75F-B27A16918C2B}" = DiscWizard for Windows
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A73EFA95-4872-4AE3-8EE9-10D2E2D713CF}" = RoadRunner
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B094F70F-2CC2-5062-8534-D3830FC4B018}" = Catalyst Control Center Core Implementation
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{BD57EA4D-026E-4F08-9B93-080E282B81FE}" = iPod for Windows 2006-06-28
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1E693A4-B1D5-4DCD-B68D-2087835B7184}" = ScanSoft OmniPage SE 4.0
"{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778}" = NTI DVD-Maker
"{C816DD98-67D9-472E-9276-55B7BE4C97C0}" = 3D Home Architect Landscape Design Deluxe 8
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{CA42C38C-B369-B190-AD06-76D3AC95CFAC}" = ccc-core-preinstall
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}" = Presto! PageManager 7.15.14
"{D31612BB-C6D7-4142-96AE-16DB062354CF}" = NTI DVD Player
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{EC2A8F27-4FBF-4E41-B27B-FE822511B761}" = iTunes
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Aimersoft AlM4V Converter_is1" = Aimersoft AlM4V Converter(Build 1.0.1.16)
"All ATI Software" = ATI - Software Uninstall Utility
"ASUS Probe V2.23.01" = ASUS Probe V2.23.01
"ATI Display Driver" = ATI Display Driver
"AVG9Uninstall" = AVG Free 9.0
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"Canon MP830 User Registration" = Canon MP830 User Registration
"C-Media Audio Driver" = C-Media High Definition Audio Driver
"ComcastHSI" = Comcast High-Speed Internet Install Wizard
"CSCLIB" = Canon Camera Support Core Library
"DebugMode Wink" = DebugMode Wink
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-WebPrint" = Easy-WebPrint
"EOS Utility" = Canon Utilities EOS Utility
"Eraser 5.5.2" = Eraser 5.5.2
"ffdshow_is1" = ffdshow [rev 2527] [2008-12-19]
"FLVPlayer" = FLV Player 1.3.3
"Golden" = Golden Records
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{4E68EAA3-775A-4542-A08A-47DB8E8E74A6}" = NTI Backup NOW! 3
"InstallShield_{8FDD2A92-9F75-4706-B8C2-08499A9863E6}" = NTI DriveBackup! 3
"InstallShield_{BD57EA4D-026E-4F08-9B93-080E282B81FE}" = iPod for Windows 2006-06-28
"InstallShield_{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778}" = NTI DVD-Maker Gold
"InstallShield_{C816DD98-67D9-472E-9276-55B7BE4C97C0}" = 3D Home Architect Landscape Design Deluxe 8
"KLiteCodecPack_is1" = K-Lite Codec Pack 2.83 Full
"LucasArts' Monkey 4" = LucasArts' Monkey 4
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MP Navigator 2.2" = Canon MP Navigator 2.2
"MP4 MP3 Converter" = MP4 MP3 Converter 3.0 build 818
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PhotoStitch" = Canon Utilities PhotoStitch
"Quicken Lawyer 2003 Personal" = Quicken Lawyer 2003 Personal
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"sscrpe_is1" = Cryptainer PE
"Tag&Rename_is1" = Tag&Rename 3.2
"tunebite_is1" = tunebite 3.0.1.8
"TurboBackup" = TurboBackup
"TurboTax 2008" = TurboTax 2008
"TurboTax Business 2005" = TurboTax Business 2005
"TurboTax Deluxe 2005" = TurboTax Deluxe 2005
"TurboTax Deluxe 2007" = TurboTax Deluxe 2007
"TurboTax Premier Investments 2006" = TurboTax Premier Investments 2006
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WebSTAR DPC2100 Uninstall" = Scientific-Atlanta WebSTAR 2000 series Cable Modem
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoneAlarm Pro" = ZoneAlarm Pro
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 11/6/2009 3:26:17 PM | Computer Name = TJ-MAIN | Source = ESENT | ID = 447
Description = wlcomm (3708) A bad page link (error -338) has been detected in a
B-Tree (ObjectId: 10, PgnoRoot: 42) of database C:\Documents and Settings\Tim\Local
Settings\Application Data\Microsoft\Windows Live Contacts\{f60f29e9-2fb7-4c45-9d57-78585dea6d84}\DBStore\contacts.edb
(42 => 222, 223).
Error - 11/6/2009 3:34:32 PM | Computer Name = TJ-MAIN | Source = ESENT | ID = 448
Description = wlcomm (1516) Data inconsistency detected in table streamTable-v081111-0856-1203
of database C:\Documents and Settings\Tim\Local Settings\Application Data\Microsoft\Windows
Live Contacts\{f60f29e9-2fb7-4c45-9d57-78585dea6d84}\DBStore\contacts.edb (229,78).
Error - 11/6/2009 3:39:32 PM | Computer Name = TJ-MAIN | Source = ESENT | ID = 447
Description = wlcomm (1516) A bad page link (error -338) has been detected in a
B-Tree (ObjectId: 10, PgnoRoot: 42) of database C:\Documents and Settings\Tim\Local
Settings\Application Data\Microsoft\Windows Live Contacts\{f60f29e9-2fb7-4c45-9d57-78585dea6d84}\DBStore\contacts.edb
(42 => 222, 223).
Error - 11/6/2009 7:39:18 PM | Computer Name = TJ-MAIN | Source = ESENT | ID = 448
Description = wlcomm (3240) Data inconsistency detected in table streamTable-v081111-0856-1203
of database C:\Documents and Settings\Tim\Local Settings\Application Data\Microsoft\Windows
Live Contacts\{f60f29e9-2fb7-4c45-9d57-78585dea6d84}\DBStore\contacts.edb (229,78).
Error - 11/6/2009 7:43:55 PM | Computer Name = TJ-MAIN | Source = ESENT | ID = 448
Description = wlcomm (2900) Data inconsistency detected in table streamTable-v081111-0856-1203
of database C:\Documents and Settings\Tim\Local Settings\Application Data\Microsoft\Windows
Live Contacts\{f60f29e9-2fb7-4c45-9d57-78585dea6d84}\DBStore\contacts.edb (229,78).
Error - 11/6/2009 7:48:56 PM | Computer Name = TJ-MAIN | Source = ESENT | ID = 447
Description = wlcomm (2900) A bad page link (error -338) has been detected in a
B-Tree (ObjectId: 10, PgnoRoot: 42) of database C:\Documents and Settings\Tim\Local
Settings\Application Data\Microsoft\Windows Live Contacts\{f60f29e9-2fb7-4c45-9d57-78585dea6d84}\DBStore\contacts.edb
(42 => 222, 223).
Error - 11/6/2009 8:13:50 PM | Computer Name = TJ-MAIN | Source = ESENT | ID = 448
Description = wlcomm (2632) Data inconsistency detected in table streamTable-v081111-0856-1203
of database C:\Documents and Settings\Tim\Local Settings\Application Data\Microsoft\Windows
Live Contacts\{f60f29e9-2fb7-4c45-9d57-78585dea6d84}\DBStore\contacts.edb (229,78).
Error - 11/6/2009 8:19:21 PM | Computer Name = TJ-MAIN | Source = ESENT | ID = 448
Description = wlcomm (2544) Data inconsistency detected in table streamTable-v081111-0856-1203
of database C:\Documents and Settings\Tim\Local Settings\Application Data\Microsoft\Windows
Live Contacts\{f60f29e9-2fb7-4c45-9d57-78585dea6d84}\DBStore\contacts.edb (229,78).
Error - 11/6/2009 8:30:20 PM | Computer Name = TJ-MAIN | Source = ESENT | ID = 448
Description = wlcomm (2656) Data inconsistency detected in table streamTable-v081111-0856-1203
of database C:\Documents and Settings\Tim\Local Settings\Application Data\Microsoft\Windows
Live Contacts\{f60f29e9-2fb7-4c45-9d57-78585dea6d84}\DBStore\contacts.edb (229,78).
Error - 11/6/2009 9:32:51 PM | Computer Name = TJ-MAIN | Source = ESENT | ID = 448
Description = wlcomm (2652) Data inconsistency detected in table streamTable-v081111-0856-1203
of database C:\Documents and Settings\Tim\Local Settings\Application Data\Microsoft\Windows
Live Contacts\{f60f29e9-2fb7-4c45-9d57-78585dea6d84}\DBStore\contacts.edb (229,78).
[ System Events ]
Error - 11/6/2009 2:59:13 PM | Computer Name = TJ-MAIN | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
Error - 11/6/2009 3:24:09 PM | Computer Name = TJ-MAIN | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
Error - 11/6/2009 3:32:36 PM | Computer Name = TJ-MAIN | Source = DCOM | ID = 10010
Description = The server {380689D0-AFAA-47E6-B80E-A33436FE314B} did not register
with DCOM within the required timeout.
Error - 11/6/2009 7:31:27 PM | Computer Name = TJ-MAIN | Source = Service Control Manager | ID = 7034
Description = The TBKNTService service terminated unexpectedly. It has done this
1 time(s).
Error - 11/6/2009 7:38:20 PM | Computer Name = TJ-MAIN | Source = Service Control Manager | ID = 7034
Description = The TBKNTService service terminated unexpectedly. It has done this
1 time(s).
Error - 11/6/2009 7:39:56 PM | Computer Name = TJ-MAIN | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\D.
Error - 11/6/2009 7:40:16 PM | Computer Name = TJ-MAIN | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.
Error - 11/6/2009 8:35:56 PM | Computer Name = TJ-MAIN | Source = Service Control Manager | ID = 7034
Description = The TBKNTService service terminated unexpectedly. It has done this
1 time(s).
Error - 11/6/2009 9:36:52 PM | Computer Name = TJ-MAIN | Source = Service Control Manager | ID = 7034
Description = The TBKNTService service terminated unexpectedly. It has done this
1 time(s).
Error - 11/7/2009 12:02:15 PM | Computer Name = TJ-MAIN | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 76.168.64.22 on
the Network Card with network address 0011D82A4A57.
< End of report >