
Infected with Antivirus System Pro


  • This topic is locked
16 replies to this topic

#1 KateC

Posted 21 November 2009 - 12:16 PM

Yesterday I was infected by Antivirus System Pro on my desktop. It wouldn't let me go to any websites, open any programs, or open in Safe Mode.

The first thing I attempted was running a Rescue Disk by Kaspersky. The disk would start up and run through a lot of commands, but once it was time for the GUI to open, nothing would happen. I think the virus may have been preventing this?


Then, using another computer and flash drive, I was able to copy the 'rkill.com' file onto the infected comp. After attempting to open the file 20 or so times, it finally was able to run and make the virus stop and allow me to actually open some programs, for the most part anyway. This then allowed me to finish the steps you listed on this page:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

However, Malwarebytes apparently didn't find the virus, as once I restarted the comp, the virus was still in full force. I tried to update it, but I got an error message.

I've gone through all your steps in the Prep Guide, including running DDS and RootRepeal. However, I'm getting a lot of errors when trying to run RootRepeal and cannot run a scan to generate the report.

I really appreciate the help!!!




DDS (Ver_09-10-26.01) - NTFSx86
Run by kate at 11:39:16.33 on Sat 11/21/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_07
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.1837 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Retrospect\Retrospect 7.6\retrorun.exe
C:\Windows\System32\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\zHotkey.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Extensis\Extensis Suitcase 11\Suitcase.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\kate\AppData\Local\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\windows defender\MSASCui.exe
C:\Program Files\Retrospect\Retrospect 7.6\retrospect.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\kate\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/webhp?rls=ig
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5656
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5656
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5656
BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - c:\program files\iepro\iepro.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AdobeBridge]
uRun: [Gadwin PrintScreen] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash
uRun: [Google Update] "c:\users\kate\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [taxjqbgm] c:\users\kate\appdata\local\qugjam\wyajsysguard.exe
mRun: [CHotkey] zHotkey.exe
mRun: []
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\kate\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\users\kate\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote Table Of Contents.onetoc2
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\suitca~1.lnk - c:\windows\installer\{7451c9b5-3e10-4e59-ad37-ab7438d84288}\_01D57C9244869186542E24.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send To &Bluetooth
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\iepro\iepro.dll
IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~4.0_0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\kate\appdata\roaming\mozilla\firefox\profiles\1ehzpvcj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://wral.com/weather/
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\users\kate\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\windows\system32\nvSCPAPISvr.exe [2009-6-10 232960]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2009-11-20 23:59:09 0 d-----w- c:\users\kate\appdata\roaming\Malwarebytes
2009-11-20 23:59:05 0 d-----w- c:\programdata\Malwarebytes
2009-11-20 17:59:11 0 d-----w- c:\programdata\Kaspersky Lab
2009-11-13 17:00:48 0 d-----w- c:\users\kate\{07e48c32-8b0d-4c4c-83e8-8729237307ed}
2009-11-13 16:57:20 0 d-----w- c:\users\kate\{8e66d967-8f73-4a29-b220-16b9bdfce6da}
2009-11-13 16:54:56 0 d-----w- c:\program files\Microsoft
2009-11-13 16:52:56 80896 ----a-w- c:\windows\system32\MSNP.ax
2009-11-13 16:52:56 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-11-13 16:52:56 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-11-13 16:52:56 217088 ----a-w- c:\windows\system32\psisrndr.ax
2009-11-13 16:52:56 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2009-11-13 16:52:49 2035712 ----a-w- c:\windows\system32\win32k.sys
2009-11-13 16:52:27 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-11-13 16:52:24 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-11-13 16:52:07 351232 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-04 03:53:33 29272 ----a-r- c:\windows\system32\AdobePDF.dll
2009-10-27 18:16:16 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-27 18:16:16 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-10-27 18:15:43 0 d-----w- c:\program files\iPod
2009-10-27 18:15:42 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2009-11-21 00:08:48 71910 ----a-w- c:\programdata\nvModes.dat
2009-11-13 18:53:11 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-13 18:53:11 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-13 18:53:03 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-27 22:47:30 2173544 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-27 22:47:00 92776 ----a-w- c:\windows\system32\nvmctray.dll
2009-09-27 22:47:00 805480 ----a-w- c:\windows\system32\nvsvc.dll
2009-09-27 22:47:00 4033128 ----a-w- c:\windows\system32\nvvitvs.dll
2009-09-27 22:47:00 3553896 ----a-w- c:\windows\system32\nvgames.dll
2009-09-27 22:47:00 3172968 ----a-w- c:\windows\system32\nvwss.dll
2009-09-27 22:47:00 215656 ----a-w- c:\windows\system32\nvvsvc.exe
2009-09-27 22:47:00 195176 ----a-w- c:\windows\system32\nvmccss.dll
2009-09-27 22:47:00 1309288 ----a-w- c:\windows\system32\nvsvs.dll
2009-09-27 22:47:00 1292904 ----a-w- c:\windows\system32\nvmobls.dll
2009-09-27 22:46:00 4942440 ----a-w- c:\windows\system32\nvdisps.dll
2009-09-27 22:46:00 13949544 ----a-w- c:\windows\system32\nvcpl.dll
2009-09-10 17:30:12 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 12:24:34 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-08-28 23:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 12:39:07 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:32:41 833024 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:29:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 10:58:58 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-05-06 18:50:39 0 ---ha-w- c:\program files\.BridgeLabelsAndRatings
2008-06-13 07:08:34 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-04-20 15:31:59 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-05-06 19:24:19 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-06 19:24:19 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-06 19:24:19 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-05-02 13:10:47 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-02 13:10:47 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-02 13:10:47 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-05-02 13:10:47 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-04-30 21:11:17 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 11:39:55.50 ===============

Edited by KateC, 21 November 2009 - 01:47 PM.
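As an added example that is not part of this thread, here is a small Python triage pass over DDS "Pseudo HJT Report" lines of the kind posted above. The sample lines are copied from the posted log; the heuristics (random-looking autorun names, executables under user-writable profile paths, a proxy pointing at loopback, orphaned BHOs, UAC disabled) are my own assumptions for illustration, not logic from DDS or from BleepingComputer's helpers.

```python
"""Triage of DDS 'Pseudo HJT Report' lines (added example, not code from the thread)."""
import re
from dataclasses import dataclass

# Constructed excerpt: lines copied from the DDS log posted above, including a
# benign Google Update autorun from the same log for contrast.
SAMPLE_LOG = """\
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
uRun: [RocketDock] "c:\\program files\\rocketdock\\RocketDock.exe"
uRun: [Google Update] "c:\\users\\kate\\appdata\\local\\google\\update\\GoogleUpdate.exe" /c
uRun: [taxjqbgm] c:\\users\\kate\\appdata\\local\\qugjam\\wyajsysguard.exe
mRun: [IntelliPoint] "c:\\program files\\microsoft intellipoint\\ipoint.exe"
mPolicies-system: EnableLUA = 0 (0x0)
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    kind: str      # short tag naming the heuristic that fired
    line: str      # the log line that triggered it, verbatim


RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+)$")
BHO_RE = re.compile(r"^BHO: .* - No File$")
LUA_RE = re.compile(r"^mPolicies-system: EnableLUA = 0\b")

# Path fragments a normal user can write to; legitimate autoruns rarely live there.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\programdata\\")


def looks_random(name: str) -> bool:
    """Heuristic: one lowercase word of 6+ letters with very few vowels (e.g. 'taxjqbgm')."""
    if len(name) < 6 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) <= 0.25


def proxy_is_loopback(value: str) -> bool:
    """True when any proxy entry ('host:port' or 'scheme=host:port') points at the local host."""
    for part in value.split(";"):
        hostport = part.split("=", 1)[-1].strip()
        host = hostport.rsplit(":", 1)[0].strip("[]").lower()
        if host == "localhost" or host.startswith("127."):
            return True
    return False


def triage(log_text: str) -> list[Finding]:
    """Scan the Pseudo HJT section line by line and return findings in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := PROXY_RE.match(line)) and proxy_is_loopback(m["value"]):
            # A proxy on 127.0.0.1 lets a local process intercept all browser traffic.
            findings.append(Finding("high", "loopback-proxy", line))
        elif m := RUN_RE.match(line):
            random_name = looks_random(m["name"])
            user_path = any(seg in m["cmd"].lower() for seg in USER_WRITABLE)
            if random_name and user_path:
                findings.append(Finding("high", "suspicious-autorun", line))
            elif random_name or user_path:
                findings.append(Finding("medium", "review-autorun", line))
        elif BHO_RE.match(line):
            # Orphaned BHO registration: usually leftover, but worth a look after cleanup.
            findings.append(Finding("low", "orphan-bho", line))
        elif LUA_RE.match(line):
            findings.append(Finding("medium", "uac-disabled", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:18} {f.line}")
```

The script only ranks lines for a human reviewer; it does not decide what to remove.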



#2 Buckeye_Sam

Malware Expert

Posted 21 November 2009 - 05:45 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %systemdrive%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5
    %SYSTEMDRIVE%\nvatabus.sys /s /md5
    %SYSTEMDRIVE%\viamraid.sys /s /md5
    %SYSTEMDRIVE%\nvata.sys /s /md5
    %SYSTEMDRIVE%\tdl*.dll /s /md5
    CREATERESTOREPOINT



  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 KateC


Posted 21 November 2009 - 06:53 PM

Hi Sam, THANK YOU for responding!

I started the scan according to your directions. But I'm sorry to report that while running it, it stops responding when it gets to 'Manual File Scan - Getting file structure...'. I attempted to rerun the program about 3 times and it stops responding each time at that point.

Any ideas?

#4 Buckeye_Sam

Malware Expert

Posted 21 November 2009 - 07:15 PM

Just be patient and let it run. It may take a while to get past that part. If it still doesn't respond after 30 minutes let me know and we'll try something else.

#5 KateC


Posted 21 November 2009 - 09:05 PM

It worked! Here's OTL.txt:

OTL logfile created on: 11/21/2009 8:29:20 PM - Run 1
OTL by OldTimer - Version 3.1.6.2 Folder = C:\Users\kate\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.57 Gb Available Physical Memory | 78.66% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 454.96 Gb Total Space | 280.59 Gb Free Space | 61.67% Space Free | Partition Type: NTFS
Drive D: | 10.80 Gb Total Space | 4.53 Gb Free Space | 41.89% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 1.88 Gb Total Space | 1.81 Gb Free Space | 96.06% Space Free | Partition Type: FAT

Computer Name: KATE-PC
Current User Name: kate
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/11/21 18:11:36 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Users\kate\Desktop\OTL.exe
PRC - [2009/11/21 11:43:30 | 00,472,064 | ---- | M] ( ) -- C:\Users\kate\Desktop\RootRepeal.exe
PRC - [2009/10/31 09:03:51 | 00,136,176 | ---- | M] (Google Inc.) -- C:\Users\kate\AppData\Local\Google\Update\1.2.183.13\GoogleCrashHandler.exe
PRC - [2009/09/27 17:47:00 | 00,215,656 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe
PRC - [2009/09/27 17:47:00 | 00,215,656 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe
PRC - [2009/09/21 15:36:12 | 00,305,440 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/08/28 18:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/06/10 05:33:00 | 00,232,960 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvSCPAPISvr.exe
PRC - [2009/04/23 12:42:38 | 00,801,904 | ---- | M] (The Weather Channel Interactive, Inc.) -- C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
PRC - [2009/03/02 21:16:04 | 00,247,296 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\WmiPrvSE.exe
PRC - [2009/01/15 10:53:56 | 00,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/12/09 06:08:38 | 00,495,616 | ---- | M] (Gadwin Systems, Inc) -- C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
PRC - [2008/12/08 05:40:00 | 00,234,776 | ---- | M] (EMC Corporation) -- C:\Program Files\Retrospect\Retrospect 7.6\Retrospect.exe
PRC - [2008/12/08 05:40:00 | 00,115,992 | ---- | M] (EMC Corporation) -- C:\Program Files\Retrospect\Retrospect 7.6\retrorun.exe
PRC - [2008/10/29 01:29:41 | 02,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/09/23 21:16:56 | 00,704,512 | ---- | M] (ATI Technologies Inc.) -- C:\Windows\System32\Ati2evxx.exe
PRC - [2008/09/23 21:16:56 | 00,704,512 | ---- | M] (ATI Technologies Inc.) -- C:\Windows\System32\Ati2evxx.exe
PRC - [2008/01/28 15:56:41 | 00,303,104 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\Common Files\Motive\McciCMService.exe
PRC - [2008/01/19 02:38:38 | 01,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2008/01/19 02:33:40 | 00,142,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\WUDFHost.exe
PRC - [2008/01/19 02:33:39 | 00,896,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe
PRC - [2008/01/19 02:33:39 | 00,202,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
PRC - [2008/01/19 02:33:33 | 00,037,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\unsecapp.exe
PRC - [2008/01/19 02:33:30 | 01,233,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Sidebar\sidebar.exe
PRC - [2008/01/19 02:33:30 | 01,233,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Sidebar\sidebar.exe
PRC - [2008/01/19 02:33:09 | 00,125,952 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehtray.exe
PRC - [2008/01/19 02:33:09 | 00,037,376 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehmsas.exe
PRC - [2007/09/02 12:58:52 | 00,495,616 | ---- | M] () -- C:\Program Files\RocketDock\RocketDock.exe
PRC - [2007/08/31 11:01:22 | 01,037,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\ipoint.exe
PRC - [2007/08/31 10:58:52 | 00,357,800 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
PRC - [2007/05/10 12:39:08 | 05,246,976 | ---- | M] (Extensis) -- C:\Program Files\Extensis\Extensis Suitcase 11\Suitcase.exe
PRC - [2006/11/07 17:08:40 | 00,547,840 | ---- | M] () -- C:\Windows\zHotkey.exe
PRC - [2006/08/04 20:39:20 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\XAudio.exe


========== Modules (SafeList) ==========

MOD - [2009/11/21 18:11:36 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Users\kate\Desktop\OTL.exe
MOD - [2008/01/19 02:26:34 | 01,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
MOD - [2007/09/02 12:57:36 | 00,069,632 | ---- | M] () -- C:\Program Files\RocketDock\RocketDock.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/09/27 17:47:00 | 00,215,656 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe -- (nvsvc)
SRV - [2009/09/21 15:36:02 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/08/28 18:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/06/10 05:33:00 | 00,232,960 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009/05/11 08:15:25 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/04/05 10:58:49 | 00,655,624 | ---- | M] (Acresso Software Inc.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/03/30 16:28:36 | 01,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/12/08 05:40:00 | 00,128,280 | ---- | M] (EMC Corporation) -- C:\Program Files\Retrospect\Retrospect 7.6\rthlpsvc.exe -- (Retrospect Helper)
SRV - [2008/12/08 05:40:00 | 00,115,992 | ---- | M] (EMC Corporation) -- C:\Program Files\Retrospect\Retrospect 7.6\retrorun.exe -- (RetroLauncher)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/09/23 21:16:56 | 00,704,512 | ---- | M] (ATI Technologies Inc.) -- C:\Windows\System32\Ati2evxx.exe -- (Ati External Event Utility)
SRV - [2008/07/27 13:03:13 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/06/19 20:14:44 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/06/19 20:14:31 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/06/19 20:14:31 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/01/28 15:56:41 | 00,303,104 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\Common Files\Motive\McciCMService.exe -- (McciCMService)
SRV - [2008/01/19 02:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/19 02:33:39 | 00,896,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2008/01/19 02:33:09 | 00,292,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehrecvr.exe -- (ehRecvr)
SRV - [2007/11/17 19:57:35 | 00,065,536 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2007/11/17 18:42:33 | 01,838,592 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager)
SRV - [2007/03/20 15:41:24 | 00,153,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)
SRV - [2006/11/02 07:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched)
SRV - [2006/11/02 07:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart)
SRV - [2006/10/26 17:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/08/04 20:39:20 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\XAudio.exe -- (XAudioService)
SRV - [2005/09/30 18:22:50 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...TP&M=GT5656
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TP&M=GT5656
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...TP&M=GT5656


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch...TP&M=GT5656
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TP&M=GT5656
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch...TP&M=GT5656
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TP&M=GT5656
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-441842238-3827488038-1711259271-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-441842238-3827488038-1711259271-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-441842238-3827488038-1711259271-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-441842238-3827488038-1711259271-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-441842238-3827488038-1711259271-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/webhp?rls=ig
IE - HKU\S-1-5-21-441842238-3827488038-1711259271-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-441842238-3827488038-1711259271-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-441842238-3827488038-1711259271-1000\S-1-5-21-441842238-3827488038-1711259271-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-441842238-3827488038-1711259271-1000\S-1-5-21-441842238-3827488038-1711259271-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-441842238-3827488038-1711259271-1000\S-1-5-21-441842238-3827488038-1711259271-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.startup.homepage: "http://wral.com/weather/"
FF - prefs.js..extensions.enabledItems: bettergmail2@ginatrapani.org:0.9.6
FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.4.5
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.11.2
FF - prefs.js..extensions.enabledItems: {3112ca9c-de6d-4884-a869-9855de68056c}:5.0.20090813W
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}:6.0.05
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}:6.0.03
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.07103010
FF - prefs.js..extensions.enabledItems: {FCAB6FDD-5585-425b-95C1-5ED856F3FD08}:1.3.1
FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.8
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5


FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/07/20 11:03:18 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/12 09:58:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/12 09:58:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/10/22 10:18:22 | 00,000,000 | ---D | M]

[2008/09/04 10:33:51 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Mozilla\Extensions
[2008/09/04 10:33:51 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2008/09/02 20:50:38 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Mozilla\Extensions\home2@tomtom.com
[2009/11/19 19:01:47 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Mozilla\Firefox\Profiles\1ehzpvcj.default\extensions
[2009/07/27 14:48:48 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Mozilla\Firefox\Profiles\1ehzpvcj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/09/29 14:07:36 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Mozilla\Firefox\Profiles\1ehzpvcj.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/11/19 19:00:52 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Mozilla\Firefox\Profiles\1ehzpvcj.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2009/11/19 19:00:52 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Mozilla\Firefox\Profiles\1ehzpvcj.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2009/11/19 19:01:44 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Mozilla\Firefox\Profiles\1ehzpvcj.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}
[2009/11/19 19:00:52 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Mozilla\Firefox\Profiles\1ehzpvcj.default\extensions\bettergmail2@ginatrapani.org
[2009/11/19 19:00:54 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Mozilla\Firefox\Profiles\1ehzpvcj.default\extensions\firebug@software.joehewitt.com
[2008/09/04 16:40:14 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Mozilla\Firefox\Profiles\1ehzpvcj.default\extensions\moveplayer@movenetworks.com
[2009/11/19 19:01:47 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/03/15 22:24:08 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
[2009/11/12 09:58:48 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/03/21 14:15:23 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2008/03/28 09:43:52 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
[2008/07/14 13:54:34 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/11/12 09:58:39 | 00,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/11/12 09:58:39 | 00,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2007/04/10 16:21:08 | 00,163,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
[2007/08/29 16:47:44 | 00,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
[2005/12/05 21:31:00 | 00,114,688 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
[2009/11/12 09:58:42 | 00,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2006/10/26 23:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
[2009/10/02 21:13:10 | 00,095,600 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2009/10/22 10:18:21 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2009/10/22 10:18:21 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2009/10/22 10:18:22 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2009/10/22 10:18:22 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2009/10/22 10:18:22 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2009/10/22 10:18:22 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2009/10/22 10:18:22 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2008/06/19 20:17:09 | 06,320,872 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npsibelius.dll
[2008/09/15 11:52:06 | 00,376,832 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
[2009/11/12 09:58:44 | 00,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/11/12 09:58:44 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/11/12 09:58:44 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/11/12 09:58:44 | 00,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/11/12 09:58:44 | 00,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/11/12 09:58:44 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/11/12 09:58:44 | 00,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: (761 bytes) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (IE7Pro BHO) - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\IEPro.dll (IE7Pro.com)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (Google Inc.)
O2 - BHO: (no name) - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\cooliris.dll (Cooliris Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKU\S-1-5-21-441842238-3827488038-1711259271-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-441842238-3827488038-1711259271-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [CHotkey] C:\Windows\zHotkey.exe ()
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-441842238-3827488038-1711259271-1000..\Run: [AdobeBridge] File not found
O4 - HKU\S-1-5-21-441842238-3827488038-1711259271-1000..\Run: [DW6] C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe (The Weather Channel Interactive, Inc.)
O4 - HKU\S-1-5-21-441842238-3827488038-1711259271-1000..\Run: [ehTray.exe] C:\Windows\ehome\ehtray.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-441842238-3827488038-1711259271-1000..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
O4 - HKU\S-1-5-21-441842238-3827488038-1711259271-1000..\Run: [Google Update] C:\Users\kate\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKU\S-1-5-21-441842238-3827488038-1711259271-1000..\Run: [RocketDock] C:\Program Files\RocketDock\RocketDock.exe ()
O4 - HKU\S-1-5-21-441842238-3827488038-1711259271-1000..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-441842238-3827488038-1711259271-1000..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-441842238-3827488038-1711259271-1000..\Run: [taxjqbgm] C:\Users\kate\AppData\Local\qugjam\wyajsysguard.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\Launcher.exe (soft thinks)
O4 - Startup: C:\Users\kate\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O4 - Startup: C:\Users\kate\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote Table Of Contents.onetoc2 ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\S-1-5-21-441842238-3827488038-1711259271-1000\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\S-1-5-21-441842238-3827488038-1711259271-1000_Classes\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send To &Bluetooth - Reg Error: Value error. File not found
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O9 - Extra Button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\IEPro.dll (IE7Pro.com)
O9 - Extra 'Tools' menuitem : IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\IEPro.dll (IE7Pro.com)
O9 - Extra Button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\IEPro.dll (IE7Pro.com)
O9 - Extra 'Tools' menuitem : IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\IEPro.dll (IE7Pro.com)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Launch Cooliris - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\cooliris.dll (Cooliris Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O9 - Extra 'Tools' menuitem : Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-441842238-3827488038-1711259271-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2004/04/30 19:01:00 | 00,000,053 | -HS- | M] () - D:\Autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/04/20 10:26:56 | 00,000,000 | ---D | M]
NetSvcs: Irmon - C:\Windows\System32\irmon.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 14 Days ==========

[2009/11/21 18:13:30 | 00,529,408 | ---- | C] (OldTimer Tools) -- C:\Users\kate\Desktop\OTL.exe
[2009/11/21 13:36:16 | 00,000,000 | ---D | C] -- C:\AITEMP
[2009/11/21 11:45:03 | 00,472,064 | ---- | C] ( ) -- C:\Users\kate\Desktop\RootRepeal.exe
[2009/11/20 18:59:09 | 00,000,000 | ---D | C] -- C:\Users\kate\AppData\Roaming\Malwarebytes
[2009/11/20 18:59:05 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/11/20 18:59:05 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/11/20 15:37:30 | 00,000,000 | ---D | C] -- C:\Users\kate\AppData\Local\qugjam
[2009/11/20 12:59:11 | 00,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2009/11/20 12:59:11 | 00,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2009/11/16 14:32:24 | 00,000,000 | ---D | C] -- C:\Users\kate\Documents\LOVEolution
[2009/11/13 15:38:59 | 00,000,000 | ---D | C] -- C:\Users\kate\Desktop\Body Max 2 - Cathe Friedrich
[2009/11/13 15:28:36 | 00,000,000 | ---D | C] -- C:\Users\kate\Desktop\Hoefler Selected Collection
[2009/11/13 15:12:58 | 00,000,000 | ---D | C] -- C:\Users\kate\Desktop\Total Body Sculpting
[2009/11/13 12:00:48 | 00,000,000 | ---D | C] -- C:\Users\kate\{07e48c32-8b0d-4c4c-83e8-8729237307ed}
[2009/11/13 11:57:20 | 00,000,000 | ---D | C] -- C:\Users\kate\{8e66d967-8f73-4a29-b220-16b9bdfce6da}
[2009/11/13 11:54:56 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft

========== Files - Modified Within 14 Days ==========

[2009/11/21 20:29:26 | 06,553,600 | ---- | M] () -- C:\Users\kate\NTUSER.DAT
[2009/11/21 20:28:57 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/11/21 20:28:51 | 00,071,910 | ---- | M] () -- C:\ProgramData\nvModes.001
[2009/11/21 19:45:00 | 00,000,420 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{5DBC3CD1-11FA-433D-B5E1-2B05E5E57C8D}.job
[2009/11/21 19:08:01 | 00,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-441842238-3827488038-1711259271-1000UA.job
[2009/11/21 18:11:36 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Users\kate\Desktop\OTL.exe
[2009/11/21 13:03:11 | 00,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/11/21 13:03:11 | 00,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/11/21 12:09:09 | 00,144,278 | ---- | M] () -- C:\Users\kate\Desktop\RootRepeal.dmp
[2009/11/21 11:45:23 | 00,000,000 | ---- | M] () -- C:\Users\kate\Desktop\settings.dat
[2009/11/21 11:43:30 | 00,472,064 | ---- | M] ( ) -- C:\Users\kate\Desktop\RootRepeal.exe
[2009/11/21 11:35:52 | 00,523,776 | ---- | M] () -- C:\Users\kate\Desktop\dds.scr
[2009/11/20 19:15:00 | 00,085,128 | ---- | M] () -- C:\Users\kate\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/11/20 19:14:35 | 00,693,866 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/11/20 19:14:35 | 00,596,930 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/11/20 19:14:35 | 00,102,322 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/11/20 19:08:48 | 00,071,910 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2009/11/20 19:08:39 | 00,002,559 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Suitcase 11.0.lnk
[2009/11/20 19:08:10 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/11/20 19:08:07 | 00,187,056 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/11/20 19:08:00 | 32,196,44416 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/20 19:07:21 | 00,524,288 | -HS- | M] () -- C:\Users\kate\NTUSER.DAT{0deceef1-69d0-11dd-a311-001e9067b9ba}.TMContainer00000000000000000001.regtrans-ms
[2009/11/20 19:07:21 | 00,065,536 | -HS- | M] () -- C:\Users\kate\NTUSER.DAT{0deceef1-69d0-11dd-a311-001e9067b9ba}.TM.blf
[2009/11/20 17:36:08 | 02,501,464 | -H-- | M] () -- C:\Users\kate\AppData\Local\IconCache.db
[2009/11/20 15:54:32 | 00,001,356 | ---- | M] () -- C:\Users\kate\AppData\Local\d3d9caps.dat
[2009/11/20 10:08:00 | 00,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-441842238-3827488038-1711259271-1000Core.job

========== Files Created - No Company Name ==========

[2009/11/21 11:53:17 | 00,144,278 | ---- | C] () -- C:\Users\kate\Desktop\RootRepeal.dmp
[2009/11/21 11:45:23 | 00,000,000 | ---- | C] () -- C:\Users\kate\Desktop\settings.dat
[2009/11/21 11:38:16 | 00,523,776 | ---- | C] () -- C:\Users\kate\Desktop\dds.scr
[2009/10/15 10:12:02 | 02,268,672 | ---- | C] () -- C:\Users\kate\AppData\Local\cooliris-win-iefull-release-1.11.5.29501.en-US.msi
[2009/06/21 12:48:46 | 00,071,910 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/06/21 12:48:37 | 00,071,910 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/06/10 05:31:04 | 00,089,088 | ---- | C] () -- C:\Windows\System32\nvimage.dll
[2009/05/18 16:42:34 | 00,000,023 | ---- | C] () -- C:\Windows\SWFDecompiler.INI
[2009/04/24 10:21:15 | 00,000,032 | RHS- | C] () -- C:\Users\kate\AppData\Local\t55.dat
[2009/04/15 10:08:38 | 02,545,152 | ---- | C] () -- C:\Users\kate\AppData\Local\cooliris-win-ie-release-1.10.0.24532.en-US.msi
[2009/03/31 16:04:25 | 00,024,206 | ---- | C] () -- C:\Users\kate\AppData\Roaming\UserTile.png
[2009/03/09 11:18:14 | 02,501,464 | -H-- | C] () -- C:\Users\kate\AppData\Local\IconCache.db
[2008/12/31 16:29:11 | 02,351,616 | ---- | C] () -- C:\Users\kate\AppData\Local\cooliris-win-ie-release-1.9.1.17582.msi
[2008/11/30 17:35:38 | 02,327,552 | ---- | C] () -- C:\Users\kate\AppData\Local\cooliris-win-ie-release-1.9.0.16396.msi
[2008/10/25 17:33:51 | 00,057,344 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2008/10/25 17:33:51 | 00,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest
[2008/10/24 09:15:16 | 02,869,760 | ---- | C] () -- C:\Users\kate\AppData\Local\cooliris-win-iemin-release-1.8.5.14750.msi
[2008/10/07 08:13:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2008/09/23 21:19:03 | 00,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2008/09/18 11:22:47 | 00,001,356 | ---- | C] () -- C:\Users\kate\AppData\Local\d3d9caps.dat
[2008/06/11 09:33:41 | 00,001,984 | ---- | C] () -- C:\Users\kate\AppData\Roaming\wklnhst.dat
[2008/06/05 07:58:26 | 00,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2008/04/20 09:18:51 | 00,368,640 | ---- | C] () -- C:\Windows\System32\msjetoledb40.dll
[2008/04/20 09:18:43 | 00,060,124 | ---- | C] () -- C:\Windows\System32\tcpmon.ini
[2008/03/17 15:44:22 | 00,000,000 | -H-- | C] () -- C:\Program Files\.BridgeLabelsAndRatings
[2008/03/11 18:02:38 | 02,463,976 | ---- | C] () -- C:\Windows\System32\NPSWF32.dll
[2008/03/11 16:31:23 | 00,000,552 | ---- | C] () -- C:\Users\kate\AppData\Local\d3d8caps.dat
[2008/03/11 14:33:46 | 00,000,025 | ---- | C] () -- C:\Windows\VSWizard.ini
[2008/03/11 14:29:39 | 00,027,648 | ---- | C] () -- C:\Users\kate\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/03/11 14:24:34 | 00,085,128 | ---- | C] () -- C:\Users\kate\AppData\Local\GDIPFONTCACHEV1.DAT
[2008/02/04 17:23:10 | 00,693,792 | ---- | C] () -- C:\Windows\System32\OGACheckControl.DLL
[2007/11/17 18:30:43 | 00,532,544 | ---- | C] () -- C:\Windows\PIC.dll
[2007/11/17 18:30:43 | 00,024,576 | ---- | C] () -- C:\Windows\HKNTDLL.dll
[2007/08/08 11:54:10 | 00,028,968 | ---- | C] () -- C:\Windows\System32\drivers\ATITool.sys
[2006/11/22 17:16:18 | 00,003,612 | ---- | C] () -- C:\Windows\ReaderString.ini
[2006/11/21 13:50:06 | 00,000,037 | ---- | C] () -- C:\Windows\sunkist.ini
[2006/11/02 07:50:50 | 00,000,174 | -HS- | C] () -- C:\Program Files\desktop.ini
[2006/11/02 07:37:35 | 00,030,808 | ---- | C] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont
[2006/11/02 07:37:35 | 00,029,779 | ---- | C] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2006/11/02 07:37:35 | 00,026,489 | ---- | C] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006/11/02 07:37:35 | 00,026,040 | ---- | C] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006/11/02 07:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 00,693,866 | ---- | C] () -- C:\Windows\System32\PerfStringBackup.INI
[2006/11/02 05:24:31 | 00,001,405 | ---- | C] () -- C:\Windows\msdfmap.ini
[2006/11/02 05:23:31 | 00,000,219 | ---- | C] () -- C:\Windows\system.ini
[2006/11/02 05:23:31 | 00,000,169 | ---- | C] () -- C:\Windows\win.ini
[2006/11/02 02:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:09:45 | 00,027,097 | ---- | C] () -- C:\Windows\System32\country.sys
[2006/11/02 02:09:44 | 00,042,809 | ---- | C] () -- C:\Windows\System32\KEY01.SYS
[2006/11/02 02:09:44 | 00,042,537 | ---- | C] () -- C:\Windows\System32\KEYBOARD.SYS
[2006/11/02 02:09:42 | 00,009,029 | ---- | C] () -- C:\Windows\System32\ANSI.SYS
[2006/11/02 02:09:41 | 00,004,768 | ---- | C] () -- C:\Windows\System32\HIMEM.SYS
[2006/11/02 02:09:40 | 00,029,274 | ---- | C] () -- C:\Windows\System32\NTDOS412.SYS
[2006/11/02 02:09:38 | 00,029,370 | ---- | C] () -- C:\Windows\System32\NTDOS411.SYS
[2006/11/02 02:09:35 | 00,029,146 | ---- | C] () -- C:\Windows\System32\NTDOS404.SYS
[2006/11/02 02:09:31 | 00,029,146 | ---- | C] () -- C:\Windows\System32\NTDOS804.SYS
[2006/11/02 02:09:29 | 00,027,866 | ---- | C] () -- C:\Windows\System32\NTDOS.SYS
[2006/11/02 02:09:26 | 00,035,536 | ---- | C] () -- C:\Windows\System32\NTIO412.SYS
[2006/11/02 02:09:24 | 00,035,776 | ---- | C] () -- C:\Windows\System32\NTIO411.SYS
[2006/11/02 02:09:23 | 00,034,672 | ---- | C] () -- C:\Windows\System32\NTIO404.SYS
[2006/11/02 02:09:22 | 00,034,672 | ---- | C] () -- C:\Windows\System32\NTIO804.SYS
[2006/11/02 02:09:20 | 00,033,952 | ---- | C] () -- C:\Windows\System32\NTIO.SYS
[2006/11/02 01:25:08 | 00,013,312 | ---- | C] () -- C:\Windows\System32\win87em.dll

========== LOP Check ==========

[2006/11/02 07:37:34 | 00,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\Media Center Programs
[2006/11/02 06:18:34 | 00,000,000 | --SD | M] -- C:\Users\Default\AppData\Roaming\Microsoft
[2006/11/02 07:37:34 | 00,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\Media Center Programs
[2006/11/02 06:18:34 | 00,000,000 | --SD | M] -- C:\Users\Default User\AppData\Roaming\Microsoft
[2008/03/21 08:18:42 | 00,000,000 | ---D | M] -- C:\Users\Guest\AppData\Roaming\Adobe
[2008/03/21 08:20:20 | 00,000,000 | ---D | M] -- C:\Users\Guest\AppData\Roaming\Google
[2008/03/21 08:17:30 | 00,000,000 | ---D | M] -- C:\Users\Guest\AppData\Roaming\Identities
[2006/11/02 07:37:34 | 00,000,000 | ---D | M] -- C:\Users\Guest\AppData\Roaming\Media Center Programs
[2009/08/04 11:45:36 | 00,000,000 | --SD | M] -- C:\Users\Guest\AppData\Roaming\Microsoft
[2008/03/21 08:18:42 | 00,000,000 | ---D | M] -- C:\Users\Guest\AppData\Roaming\Spare Backup
[2008/03/21 08:17:56 | 00,000,000 | ---D | M] -- C:\Users\Guest\AppData\Roaming\Symantec
[2008/04/30 12:32:50 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\.myPANTONE palettes
[2009/11/20 15:53:04 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Adobe
[2008/05/27 14:36:08 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Allume Systems
[2009/10/27 13:44:38 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Apple Computer
[2008/09/18 11:41:01 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\ATI
[2008/10/24 12:20:37 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\avidemux
[2008/10/16 11:37:33 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\AVS4YOU
[2009/04/24 10:21:11 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Axure
[2009/11/15 13:27:30 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\BitTorrent
[2009/04/23 10:08:29 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\com.iplotz.3017F2483C962A58B145D63E3CE3CDA4A7D0B9B6.1
[2009/11/20 15:24:15 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\CoreFTP
[2008/08/17 20:54:31 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\DNA
[2009/04/05 10:51:42 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Download Manager
[2009/06/16 15:56:32 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Extensis
[2008/03/20 13:59:15 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Google
[2008/10/24 12:51:27 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\gtk-2.0
[2008/08/04 13:38:27 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Helios
[2008/03/11 14:24:11 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Identities
[2008/10/28 09:15:50 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\InstallShield
[2008/08/10 10:57:59 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\iShell
[2008/04/09 15:37:07 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Keynote Systems
[2008/03/11 17:46:22 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Macromedia
[2009/11/20 18:59:09 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Malwarebytes
[2006/11/02 07:37:34 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Media Center Programs
[2009/08/04 11:45:36 | 00,000,000 | --SD | M] -- C:\Users\kate\AppData\Roaming\Microsoft
[2009/10/22 10:28:12 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\MiniDm
[2008/04/06 18:33:10 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Motive
[2008/10/30 21:17:19 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Move Networks
[2008/09/02 20:50:38 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Mozilla
[2008/09/03 12:09:01 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\OpenOffice.org2
[2008/11/13 13:27:53 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Opera
[2009/03/31 16:04:25 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\PeerNetworking
[2008/10/27 11:31:46 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Real
[2008/04/20 10:53:50 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Roxio
[2008/03/11 14:53:32 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\SampleView
[2008/06/19 20:17:56 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Sibelius Software
[2009/07/01 17:57:30 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Skype
[2009/07/01 15:04:42 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\skypePM
[2008/11/10 14:36:27 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Snapfish
[2008/10/10 16:37:43 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Spare Backup
[2008/03/11 14:24:33 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Symantec
[2008/03/12 07:28:44 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Talkback
[2008/06/11 09:33:43 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Template
[2008/03/12 07:37:11 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\Thunderbird
[2008/09/02 20:50:38 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\TomTom
[2008/08/17 20:40:32 | 00,000,000 | ---D | M] -- C:\Users\kate\AppData\Roaming\TuneUp Software
[2009/11/20 10:08:00 | 00,000,852 | ---- | M] () -- C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-441842238-3827488038-1711259271-1000Core.job
[2009/11/21 19:08:01 | 00,000,904 | ---- | M] () -- C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-441842238-3827488038-1711259271-1000UA.job
[2009/11/20 19:08:10 | 00,000,006 | -H-- | M] () -- C:\Windows\Tasks\SA.DAT
[2009/11/20 19:07:22 | 00,032,652 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2009/11/21 19:45:00 | 00,000,420 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{5DBC3CD1-11FA-433D-B5E1-2B05E5E57C8D}.job

========== Purity Check ==========



========== Custom Scans ==========


< %systemdrive%\*.exe >

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >
[2006/11/02 04:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/19 02:42:09 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2006/11/02 04:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/19 02:42:09 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2008/01/19 02:41:30 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\drivers\atapi.sys
[2008/03/11 17:54:31 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[2006/11/02 04:49:36 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2008/01/19 02:41:30 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/03/11 17:54:31 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2008/03/11 17:54:30 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys
[2008/01/19 02:41:30 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >
[2006/11/02 04:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\AGP440.sys
[2006/11/02 04:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys
[2008/01/19 02:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/19 02:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

< %SYSTEMDRIVE%\nvatabus.sys /s /md5 >

< %SYSTEMDRIVE%\viamraid.sys /s /md5 >

< %SYSTEMDRIVE%\nvata.sys /s /md5 >

< %SYSTEMDRIVE%\tdl*.dll /s /md5 >

========== Alternate Data Streams ==========

@Alternate Data Stream - 183 bytes -> C:\ProgramData\TEMP:0C1EFF69
@Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:2D6E5D55
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:D1B5B4F1
< End of report >

And here's Extras.txt:

OTL Extras logfile created on: 11/21/2009 8:29:20 PM - Run 1
OTL by OldTimer - Version 3.1.6.2 Folder = C:\Users\kate\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.57 Gb Available Physical Memory | 78.66% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 454.96 Gb Total Space | 280.59 Gb Free Space | 61.67% Space Free | Partition Type: NTFS
Drive D: | 10.80 Gb Total Space | 4.53 Gb Free Space | 41.89% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 1.88 Gb Total Space | 1.81 Gb Free Space | 96.06% Space Free | Partition Type: FAT

Computer Name: KATE-PC
Current User Name: kate
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SystemRoot%\hh.exe" %1
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-441842238-3827488038-1711259271-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SystemRoot%\hh.exe" %1 File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UacDisableNotify" = 0
"InternetSettingsDisableNotify" = 0
"AutoUpdateDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-441842238-3827488038-1711259271-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\Program Files\IEPro\MiniDM.exe" = C:\Program Files\IEPro\MiniDM.exe:*:Enabled:MiniDM -- (IE7Pro.com)


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0A8D2C23-9D14-4C9A-B727-F066AB470A57}" = lport=138 | protocol=17 | dir=in | app=system |
"{16D14D47-5C23-4FCD-BB1C-116B59B89041}" = lport=2869 | protocol=6 | dir=in | app=system |
"{1CCBB196-7C3E-4841-8F69-B28F28C3BDC7}" = lport=50901 | protocol=6 | dir=in | name=adobe version cue cs3 server |
"{506F4A67-1FD9-4D2D-A172-F3BA9C957421}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{5413A204-69B0-4EB4-9243-187EDD4EAA1A}" = lport=139 | protocol=6 | dir=in | app=system |
"{557C18BD-DC8A-4F1A-97AC-A4A24041B32D}" = rport=138 | protocol=17 | dir=out | app=system |
"{56ABAFD3-1436-4AAE-AB96-60C8E28944A9}" = lport=5353 | protocol=6 | dir=in | name=adobe csi cs4 |
"{5CC3B627-231E-4F37-8CDE-1D094ED3319F}" = rport=445 | protocol=6 | dir=out | app=system |
"{67D48452-47B6-46D2-89B0-47B2A12C39F9}" = lport=3704 | protocol=6 | dir=in | name=adobe version cue cs3 server |
"{71630382-3873-464C-A9F3-A5EF49A6633F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{83BE5CAB-F2AC-4044-B033-8D5C2E93CBBE}" = lport=3703 | protocol=6 | dir=in | name=adobe version cue cs3 server |
"{8DA6AEF0-3748-40F3-8F6C-1A4028DC417E}" = rport=137 | protocol=17 | dir=out | app=system |
"{A84A4DCA-4788-43FB-B65A-7127990561FB}" = lport=137 | protocol=17 | dir=in | app=system |
"{AC408158-E50C-46C0-A80A-1099C886A3AE}" = lport=50900 | protocol=6 | dir=in | name=adobe version cue cs3 server |
"{B1330967-1034-4DCF-8359-89A7B39D070E}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{D2BAD6EF-50B0-4D24-8550-8CBA2D029D60}" = rport=139 | protocol=6 | dir=out | app=system |
"{F6EF7D9D-6187-405E-8809-D15D926AEA9F}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{F95BA33A-72F7-4EB6-83FC-90F206CB70CB}" = lport=445 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{05BC3521-5D9B-4DF8-B5F4-20E307ECBFBD}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{061DFEFC-E5F9-42AD-9BE2-029E97E87405}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{0B452511-AC83-4B5D-82F5-B46ABF8F7D46}" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{0B8252E0-0F1E-4AD9-B940-1DC2BE0891F6}" = protocol=6 | dir=in | app=c:\program files\att-nap\mccibrowser.exe |
"{0B8F0169-84EE-4A8E-98B1-D04C182D4E71}" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{0DD020AF-6C54-4F87-88CD-D158CFBD1403}" = protocol=6 | dir=out | svc=upnphost | app=c:\windows\system32\svchost.exe |
"{1623AE3C-C6AE-4A22-8BA9-0EF5831FB9BF}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{21999F80-E36F-40B5-BA8C-BC0C4ACE6CE8}" = protocol=6 | dir=out | app=c:\program files\windows media player\wmplayer.exe |
"{28BF8863-7492-46A2-9C98-C3CAD3702778}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{30A7491E-750B-437F-BB96-7870B8DC43CC}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{364E8AE6-CB21-4CCA-8280-82524DD86458}" = protocol=6 | dir=out | app=system |
"{4B0F699C-A825-4F59-BB2B-246648A153B8}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{4E06AF8F-4A1C-4B4E-8F02-6DD254215853}" = protocol=17 | dir=in | app=c:\program files\common files\adobe\adobe version cue cs3\server\bin\versioncuecs3.exe |
"{54105FD2-D434-4453-A315-2F13179422AF}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{58BD9C6E-F394-4FF7-B3CA-A46760659BF1}" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{5F6D9D25-5D0E-49AA-9909-76BC7C287D30}" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{5F9876B4-B47D-4723-97AA-CDCEE0721FD6}" = protocol=6 | dir=in | app=c:\program files\dna\btdna.exe |
"{5FA4A2A4-553B-4E5F-8F37-67B15A5EFBCC}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{620A953F-1909-4B14-ACA8-95B5D360BCA4}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{64B17F1D-C704-41DE-8D3D-558A54B10C47}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{6DA567A6-76E8-47FF-9E4B-832EE591E1F0}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{6FADBDF0-11A0-485A-8FB7-BA36F07BD1F1}" = protocol=17 | dir=in | app=c:\program files\dna\btdna.exe |
"{73B482F2-3AF3-4B0E-B24E-1D6AE466B0BC}" = protocol=6 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |
"{75F08577-CEC5-40B8-A7AD-6DE97F8B6B54}" = protocol=6 | dir=in | app=c:\program files\common files\adobe\adobe version cue cs3\server\bin\versioncuecs3.exe |
"{767F3A2A-0492-41BC-A191-8223BBBB1729}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{7787488C-2FCB-41BB-B17B-A45D14BA76FA}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{79B3273D-6AB3-4A91-BF85-0A70246687AD}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{82657DA9-A1DE-4AED-BF85-E80AC46CE59A}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{83605147-4C6B-435B-B266-D3BC7E3B0C5A}" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{877372C0-C3F8-4739-A719-7DE447EAB6F1}" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{9DA583E9-777B-44AB-801B-300CADBA3860}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{B3A5AF63-CE13-48FB-BB71-60156DA8C552}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{B91415DB-719F-4802-B055-5C5B554D1674}" = protocol=17 | dir=in | app=c:\program files\att-nap\mccibrowser.exe |
"{B9D914A5-0A1C-4E6B-9758-238382EBFEA3}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{C309A0A8-6694-44E8-B4E3-580897EF328B}" = protocol=17 | dir=out | app=c:\program files\windows media player\wmplayer.exe |
"{C6C02365-5BE6-4633-8E8E-815385DD6C39}" = protocol=17 | dir=in | app=c:\program files\windows media player\wmplayer.exe |
"{DCDDB6F2-8982-498D-8FAE-59ECD1EA51E8}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{F3B64B8D-DDDA-402C-AB9E-7EC6945124B8}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{F9E62B10-1DBF-43CE-9C69-C79F62D92FD2}" = protocol=17 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |
"TCP Query User{45CDC481-0EAF-4187-AFD6-ED8D377B1868}C:\windows\system32\spool\drivers\w32x86\3\sagent4.exe" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\sagent4.exe |
"TCP Query User{E81C3BCA-4151-40DF-9C30-19C1D963755E}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"UDP Query User{8ED6B335-4965-447A-8801-6F1C409F5413}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"UDP Query User{BEDD1F68-74DA-4D43-9236-6504D83769C5}C:\windows\system32\spool\drivers\w32x86\3\sagent4.exe" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\sagent4.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID Sign-in Assistant
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{15BF7AAF-846C-4A6D-80E1-5D1FC7FB461B}" = Adobe SGM CS4
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{1D58229F-C505-45CA-8223-F35F3A34B963}" = Adobe Version Cue CS3 Server {ko_KR}
"{1DCA3EAA-6EB5-4563-A970-EA14D75037BA}" = Adobe InDesign CS4
"{1E04CB54-AF4E-4AC3-B4B7-C0A160BE57F1}" = Adobe InDesign CS4 Icon Handler
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2BAF2B96-7560-48B4-87D4-10178DDBE217}" = Adobe InDesign CS4 Application Feature Set Files (Roman)
"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder
"{2F29D6D2-824E-4FEF-8AED-7013F39F642A}" = OpenOffice.org 2.3
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{34FF0741-EC67-4C05-AC2A-6D257123DF2E}" = BigFix
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 5.0
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A52555C-032A-4083-BDD9-6A85ABFB39A8}" = Adobe SING CS4
"{4BA70218-AD47-47B6-96F6-833506FA5946}" = Microsoft Expression Web SuperPreview (March 2009 Preview)
"{4EBDDD97-BC33-4F4C-8DF3-4FA4D83DF84E}" = Retrospect 7.6
"{4F94119D-1B71-400e-9F04-B4E5CEAE71F8}_is1" = Sothink Movie DVD Maker
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{57DC8980-73DA-481E-AFD4-5E2D44B7F1AD}" = StuffIt Expander 2009
"{59152D0E-DDFE-4769-A746-776457091048}" = Outlook 2007 HTML and CSS Validator
"{5C74694C-A687-E3EB-FF18-B018D4A76ECD}" = Adobe Media Player
"{5F00DF7E-418B-4CD9-8EC5-781156BCC49E}" = Microsoft Money Shared Libraries
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6A5D1A94-624A-4D20-B178-3A283B500370}" = Adobe Setup
"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3
"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files
"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7451C9B5-3E10-4E59-AD37-AB7438D84288}" = Extensis Suitcase 11.0.1
"{762EBEC5-7ADC-48DC-ADDE-882616730050}" = TransType Pro
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}" = Adobe Dreamweaver CS3
"{7CC7BDD5-6F10-4724-96A1-EAC7D9F2831C}" = Adobe InDesign CS4 Common Base Files
"{7DFC1012-D346-46CE-B03E-FF79125AE029}" = Adobe Fireworks CS3
"{7F3BCF8A-8E02-4659-AF25-F9AB66BD6718}" = Gateway Recovery Center Installer
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C5FAD77-F678-4758-A296-C12F08D179E0}" = Microsoft IntelliPoint 6.2
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{900A92BA-19EF-4A34-86CF-7B6C85BDD971}" = VC_MergeModuleToMSI
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}" = Opera 9.64
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B4FEA924-630D-11D4-B78E-005004566E4D}" = ViewSonic Monitor Drivers
"{B6EC7388-E277-4A5B-8C8F-71067A41BA64}" = TextPad 5
"{B7F560B3-6EFF-4026-A982-843895A41149}" = Adobe BridgeTalk Plugin CS3
"{B83FC356-B7C0-441F-8A4D-D71E088E7974}" = NVIDIA PhysX
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BBBCAE4B-B416-4182-A6F2-438180894A81}" = Napster
"{BCDB856C-D247-4DEE-9132-89C02F4D6B8C}_is1" = Sothink SWF Decompiler
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{BE2CC4A5-2128-4EA2-941D-14F7A6A1AB61}" = Digital Media Reader
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{C347D234-93D8-4595-BDAA-C04638B23B48}" = Adobe Creative Suite 3 Web Premium
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{C9D96682-5A4D-45FA-BA3E-DDCB2B0CB868}" = Safari
"{CA1CA5F8-7500-45C5-9D4C-47D13FBC92D2}" = Adobe Setup
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{DA0E9ED5-6B64-36C3-AE30-717496E0FBFB}" = Cooliris for Internet Explorer
"{DA34FE93-5DC5-48E0-ACC8-A5389E05BB51}" = iTunes
"{DEC0260E-680A-4E50-AE95-F2F75D95D442}" = Movica
"{E5FCED12-3E77-4C0E-A305-5AEB38A52A70}" = AdobeColorCommonSetCMYK
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{EE5EEDAF-F932-462B-A2CB-EEBDF819D5F5}" = Gateway Connect
"{F08E8D2E-F132-4742-9C87-D5FF223A016A}" = Adobe Illustrator CS3
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}" = Microsoft WSE 2.0 SP3 Runtime
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FC9E08AA-CD59-4C59-BEF9-87E05B9E37D7}" = Adobe Contribute CS3
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"{FF262740-C85A-11D5-BBEC-00D0B740900A}" = PS2 Multimedia Keyboard Driver
"4DFDCEFC24545A9DE98551DA0E63416199352710" = Windows Driver Package - eMPIA Technology Inc, (emAudio) MEDIA (04/27/2007 5.7.0427.0)
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Acrobat 8 Professional" = Adobe Acrobat 8.1.7 Professional
"Adobe Acrobat 8 Professional_817" = Adobe Acrobat 8.1.7 - CPSID_50029
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_1710d324011afc3e7658e969025f4ba" = Adobe InDesign CS4
"Adobe_247961ef275e20c5cb073c36394ac32" = Add or Remove Adobe Creative Suite 3 Web Premium
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
"All ATI Software" = ATI - Software Uninstall Utility
"Android Newsgroup Downloader_is1" = Android Newsgroup Downloader v 6.1
"Avidemux 2.4" = Avidemux 2.4
"AviSynth" = AviSynth 2.5
"CAL" = Canon Camera Access Library
"camcodec" = CamStudio Lossless Codec
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"CamStudio" = CamStudio
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F40&SUBSYS_200014F1" = Soft Data Fax Modem with SmartCP
"Colourificator" = Colourificator
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Core FTP LE 2.1" = Core FTP LE 2.1
"CSCLIB" = Canon Camera Support Core Library
"DPP" = Canon Utilities Digital Photo Professional 2.1
"EOS Utility" = Canon Utilities EOS Utility
"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
"ffdshow_is1" = ffdshow [rev 2583] [2009-01-05]
"Free Video Converter_is1" = Free Video Converter V 1.0
"Gadwin PrintScreen" = Gadwin PrintScreen
"Google Desktop" = Google Desktop
"HaaliMkx" = Haali Media Splitter
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"IE7Pro" = IE7Pro
"InstallShield_{BE2CC4A5-2128-4EA2-941D-14F7A6A1AB61}" = Digital Media Reader
"KeynoteConnector" = Keynote Connector
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Money2007b" = Microsoft Money Essentials
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"Mozilla Thunderbird (2.0.0.23)" = Mozilla Thunderbird (2.0.0.23)
"myPANTONE Palettes 1.5 1.5" = myPANTONE Palettes 1.5
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"PhotoStitch" = Canon Utilities PhotoStitch
"Picasa 3" = Picasa 3
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"RocketDock_is1" = RocketDock 1.3.5
"Sibelius Scorch Plugin" = Sibelius Scorch Plugin
"SuperPreview_3.0.1656.0" = Microsoft Expression Web SuperPreview (March 2009 Preview)
"SystemRequirementsLab" = System Requirements Lab
"The Weather Channel Desktop 6" = The Weather Channel Desktop 6
"TomTom HOME" = TomTom HOME
"Windows Essentials Media Codec Pack" = Windows Essentials Media Codec Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-441842238-3827488038-1711259271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Adobe ConnectNow" = Adobe ConnectNow
"BitTorrent" = BitTorrent
"BitTorrent DNA" = DNA
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/23/2009 5:12:05 PM | Computer Name = kate-pc | Source = Application Error | ID = 1000
Description = Faulting application Bridge.exe, version 2.1.1.9, time stamp 0x472fecc7,
faulting module Bridge.exe, version 2.1.1.9, time stamp 0x472fecc7, exception code
0xc0000005, fault offset 0x0036f5f3, process id 0x1090, application start time 0x01ca3afe845f4220.

Error - 9/30/2009 2:28:29 PM | Computer Name = kate-pc | Source = Application Error | ID = 1000
Description = Faulting application AcroDist.exe, version 8.1.3.187, time stamp 0x48f581e4,
faulting module AcroDistDLL.dll, version 8.1.3.187, time stamp 0x48f581d8, exception
code 0xc0000005, fault offset 0x001e1c44, process id 0x4dc, application start time
0x01ca41fbc3f2b3a0.

Error - 10/1/2009 3:12:35 PM | Computer Name = kate-pc | Source = Application Error | ID = 1000
Description = Faulting application Bridge.exe, version 2.1.1.9, time stamp 0x472fecc7,
faulting module Bridge.exe, version 2.1.1.9, time stamp 0x472fecc7, exception code
0xc0000005, fault offset 0x000dd9c7, process id 0x170c, application start time 0x01ca4136fdc620a0.

Error - 10/5/2009 4:39:28 PM | Computer Name = kate-pc | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 7.0.6001.18294 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 1890 Start Time: 01ca45c210d69230 Termination Time: 0

Error - 10/9/2009 7:14:11 PM | Computer Name = kate-pc | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6001.18294, time stamp
0x4a6199f8, faulting module Flash10c.ocx, version 10.0.32.18, time stamp 0x4a613d79,
exception code 0xc0000005, fault offset 0x0003f735, process id 0x95c, application
start time 0x01ca4779c29a7dc0.

Error - 10/12/2009 9:40:52 PM | Computer Name = kate-pc | Source = Application Error | ID = 1000
Description = Faulting application Flash.exe, version 9.0.0.494, time stamp 0x46015140,
faulting module authplay.dll, version 9.0.115.0, time stamp 0x474377c7, exception
code 0xc0000005, fault offset 0x001f9b0a, process id 0x1bd8, application start time
0x01ca48f59941bc90.

Error - 10/15/2009 11:42:51 AM | Computer Name = kate-pc | Source = Application Hang | ID = 1002
Description = The program Illustrator.exe version 13.0.128.0 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 1df0 Start Time: 01ca4dae159428c0 Termination Time: 270

Error - 10/19/2009 8:38:31 AM | Computer Name = kate-pc | Source = Windows Search Service | ID = 3079
Description =

Error - 10/19/2009 8:44:01 AM | Computer Name = kate-pc | Source = Adobe Version Cue CS3 | ID = 3
Description = AssetServicesCS3: NComm error in thread "NCHost[<class vcbridge::Delegate
0X02AD3680> - 12]"

Error - 10/19/2009 8:44:01 AM | Computer Name = kate-pc | Source = Adobe Version Cue CS3 | ID = 3
Description = AssetServicesCS3: class vcfoundation::system::VCSysError: WriteFile()
failed <232: The pipe is being closed.> Trace: (null)

[ Media Center Events ]
Error - 5/31/2008 2:20:38 PM | Computer Name = kate-pc | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 8/28/2008 10:11:59 AM | Computer Name = kate-pc | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

[ OSession Events ]
Error - 9/12/2008 9:27:40 AM | Computer Name = kate-pc | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6308.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 30
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/15/2008 3:22:25 PM | Computer Name = kate-pc | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6308.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 280414
seconds with 720 seconds of active time. This session ended with a crash.

Error - 9/15/2008 3:27:36 PM | Computer Name = kate-pc | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6308.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 302
seconds with 60 seconds of active time. This session ended with a crash.

Error - 9/15/2008 3:45:45 PM | Computer Name = kate-pc | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6308.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 101
seconds with 60 seconds of active time. This session ended with a crash.

Error - 9/15/2008 3:45:59 PM | Computer Name = kate-pc | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6308.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 2
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/15/2008 3:47:33 PM | Computer Name = kate-pc | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6308.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 78
seconds with 60 seconds of active time. This session ended with a crash.

Error - 9/15/2008 3:50:06 PM | Computer Name = kate-pc | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6308.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 30
seconds with 0 seconds of active time. This session ended with a crash.

Error - 10/8/2008 2:46:25 PM | Computer Name = kate-pc | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6323.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1276575
seconds with 3480 seconds of active time. This session ended with a crash.

Error - 9/12/2009 1:14:53 PM | Computer Name = kate-pc | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6504.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 79913
seconds with 0 seconds of active time. This session ended with a crash.

Error - 11/13/2009 3:25:09 PM | Computer Name = kate-pc | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 110
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 11/20/2009 5:30:35 PM | Computer Name = kate-pc | Source = Service Control Manager | ID = 7026
Description =

Error - 11/20/2009 5:31:06 PM | Computer Name = kate-pc | Source = Service Control Manager | ID = 7034
Description =

Error - 11/20/2009 6:02:14 PM | Computer Name = kate-pc | Source = DCOM | ID = 10010
Description =

Error - 11/20/2009 7:50:44 PM | Computer Name = kate-pc | Source = HTTP | ID = 15016
Description =

Error - 11/20/2009 7:51:10 PM | Computer Name = kate-pc | Source = Service Control Manager | ID = 7026
Description =

Error - 11/20/2009 7:51:34 PM | Computer Name = kate-pc | Source = Service Control Manager | ID = 7034
Description =

Error - 11/20/2009 8:08:11 PM | Computer Name = kate-pc | Source = HTTP | ID = 15016
Description =

Error - 11/20/2009 8:08:49 PM | Computer Name = kate-pc | Source = Service Control Manager | ID = 7026
Description =

Error - 11/20/2009 8:09:09 PM | Computer Name = kate-pc | Source = Service Control Manager | ID = 7034
Description =

Error - 11/20/2009 9:10:45 PM | Computer Name = kate-pc | Source = BROWSER | ID = 8032
Description =


< End of report >


Thanks for your help!

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:54 AM

Posted 22 November 2009 - 09:56 AM

Please download JavaRa to your desktop and unzip it to its own folder.
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Update me on the issues that you are still having.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
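As an added example (not code from this thread, and not JavaRa's own logic), the Python below parses lines in the shape of the OTL "HKEY_LOCAL_MACHINE Uninstall List" posted above and reports every JRE entry except the newest, which is the class of leftovers the "Remove Older Versions" step is meant to clean up. The sample lines are constructed from entries that appear in the log; the display-name pattern for Sun's JRE 6 entries is an assumption.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the shape of the OTL uninstall list from this thread
# (one value per line under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,
# written as "<key>" = <display name>).
SAMPLE_UNINSTALL_LIST = """\
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"""

# One uninstall-list line: a quoted key, "=", then the display name.
ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"\s*=\s*(?P<name>.+?)\s*$')

# Assumed shape of Sun's JRE 6 display names, e.g. "Java(TM) 6 Update 7" or
# "Java(TM) SE Runtime Environment 6 Update 1"; the (TM) may appear as a literal ™.
JAVA_RE = re.compile(
    r'^Java(?:\(TM\)|™)?\s+(?:SE Runtime Environment\s+)?'
    r'(?P<major>\d+)\s+Update\s+(?P<update>\d+)$',
    re.IGNORECASE,
)


def parse_uninstall_list(text: str) -> List[Tuple[str, str]]:
    """Return (registry value name, display name) pairs; lines that do not
    match the "<key>" = <name> shape (headers, blanks) are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("key"), m.group("name")))
    return entries


def java_version(display_name: str) -> Optional[Tuple[int, int]]:
    """(major, update) for a JRE display name, or None for any other product."""
    m = JAVA_RE.match(display_name)
    if not m:
        return None
    return int(m.group("major")), int(m.group("update"))


def newest_java(text: str) -> Optional[Tuple[int, int]]:
    """Highest (major, update) JRE found in the list, or None if there is no JRE."""
    versions = []
    for _, name in parse_uninstall_list(text):
        ver = java_version(name)
        if ver is not None:
            versions.append(ver)
    return max(versions) if versions else None


def stale_java_installs(text: str) -> List[Tuple[str, str]]:
    """Every JRE entry older than the newest one, in list order.

    Each stale entry is a separately installed, unpatched runtime that stays
    reachable on the machine until it is removed; the newest one is kept."""
    newest = newest_java(text)
    if newest is None:
        return []
    stale = []
    for key, name in parse_uninstall_list(text):
        ver = java_version(name)
        if ver is not None and ver != newest:
            stale.append((key, name))
    return stale


if __name__ == "__main__":
    for key, name in stale_java_installs(SAMPLE_UNINSTALL_LIST):
        print(f"stale JRE: {name}  [{key}]")
    print("newest JRE:", newest_java(SAMPLE_UNINSTALL_LIST))
```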

#7 KateC

KateC
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:54 AM

Posted 22 November 2009 - 12:06 PM

I installed the latest Java RE and it took about 20 min to install. I restarted my comp and I still have all the same Antivirus System PRO problems as before - constant pop-ups/infection notices, security alerts, inability to use IE, and who knows what it's doing behind-the-scenes.

About Java, that was the last thing I remember doing before 'getting infected' - I had an alert to update Java and so I googled its recommendation, and then when I clicked on the 2nd search result all the ASP stuff began happening. Not sure if Java or the link I clicked in Google were related to getting ASP.

Do you know how I'm going to get rid of this virus?

Thanks for your help.

#8 KateC

KateC
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:54 AM

Posted 22 November 2009 - 12:32 PM

A quick side note (once I use rkill.com, I can open settings, programs, etc.): I went to my Windows Firewall Settings and noticed under the Exceptions tab there's a program/port called 'motivebrowser.exe' listed with a check. Is this related to the virus possibly?

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:54 AM

Posted 22 November 2009 - 05:43 PM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.


========================================================

#10 KateC

KateC
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:54 AM

Posted 22 November 2009 - 10:57 PM

Thank you for your continued help Sam. Here's the log.



ComboFix 09-11-22.04 - kate 11/22/2009 22:30.1.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.1725 [GMT -5:00]
Running from: c:\users\kate\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-441842238-3827488038-1711259271-500
c:\users\kate\AppData\Local\qugjam
c:\users\kate\AppData\Local\qugjam\wyajsysguard.exe
c:\windows\system32\wbem\Performance\WmiApRpl_new.h
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
.

2009-11-23 03:37 . 2009-11-23 03:38 -------- d-----w- c:\users\kate\AppData\Local\temp
2009-11-23 03:37 . 2009-11-23 03:37 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-11-22 16:47 . 2009-11-22 16:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-21 18:36 . 2009-11-21 18:36 -------- d-----w- C:\AITEMP
2009-11-20 23:59 . 2009-11-20 23:59 -------- d-----w- c:\users\kate\AppData\Roaming\Malwarebytes
2009-11-20 23:59 . 2009-11-20 23:59 -------- d-----w- c:\programdata\Malwarebytes
2009-11-20 17:59 . 2009-11-20 17:59 -------- d-----w- c:\programdata\Kaspersky Lab
2009-11-13 17:00 . 2009-11-13 17:04 4096 d-----w- c:\users\kate\{07e48c32-8b0d-4c4c-83e8-8729237307ed}
2009-11-13 16:57 . 2009-11-13 17:00 -------- d-----w- c:\users\kate\{8e66d967-8f73-4a29-b220-16b9bdfce6da}
2009-11-13 16:54 . 2009-11-13 16:54 -------- d-----w- c:\program files\Microsoft
2009-11-13 16:52 . 2009-08-31 13:55 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-11-13 16:52 . 2009-08-31 13:55 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-11-13 16:52 . 2009-08-14 13:53 2035712 ----a-w- c:\windows\system32\win32k.sys
2009-11-13 16:52 . 2009-09-10 15:21 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-11-13 16:52 . 2009-09-10 15:21 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-11-13 16:52 . 2009-08-10 13:05 351232 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-04 03:53 . 2007-03-23 08:05 29272 ----a-r- c:\windows\system32\AdobePDF.dll
2009-10-27 18:16 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-27 18:16 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-10-27 18:15 . 2009-10-27 18:15 -------- d-----w- c:\program files\iPod
2009-10-27 18:15 . 2009-10-27 18:16 4096 d-----w- c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-22 16:59 . 2009-01-04 16:31 4096 d-----w- c:\programdata\Retrospect
2009-11-22 16:57 . 2008-03-11 19:24 85128 ----a-w- c:\users\kate\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-22 16:57 . 2009-06-21 17:48 71910 ----a-w- c:\programdata\nvModes.dat
2009-11-22 16:57 . 2007-11-18 00:37 4096 d-----w- c:\programdata\NVIDIA
2009-11-22 16:46 . 2007-11-17 23:43 4096 d-----w- c:\program files\Java
2009-11-20 20:54 . 2008-09-18 16:22 1356 ----a-w- c:\users\kate\AppData\Local\d3d9caps.dat
2009-11-20 20:24 . 2008-09-17 15:03 4096 d-----w- c:\users\kate\AppData\Roaming\CoreFTP
2009-11-20 15:00 . 2008-09-17 15:02 4096 d-----w- c:\program files\CoreFTP
2009-11-19 23:59 . 2009-05-18 21:42 4096 d-----w- c:\program files\Sothink SWF Decompiler
2009-11-15 18:27 . 2008-06-18 23:46 4096 d-----w- c:\users\kate\AppData\Roaming\BitTorrent
2009-11-13 17:07 . 2007-11-17 23:40 12288 d-----w- c:\programdata\Microsoft Help
2009-11-12 22:56 . 2008-03-11 23:19 4096 d-----w- c:\programdata\FLEXnet
2009-11-04 03:51 . 2007-11-17 23:39 8192 d-----w- c:\program files\Common Files\Adobe
2009-10-27 18:44 . 2008-03-13 17:30 4096 d-----w- c:\users\kate\AppData\Roaming\Apple Computer
2009-10-27 18:17 . 2008-03-13 17:28 -------- d-----w- c:\programdata\Apple
2009-10-27 18:15 . 2008-03-13 17:28 -------- d-----w- c:\program files\Common Files\Apple
2009-10-22 15:28 . 2009-02-06 15:51 -------- d-----w- c:\users\kate\AppData\Roaming\MiniDm
2009-10-22 15:20 . 2009-10-22 15:19 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-22 15:18 . 2008-03-11 23:00 -------- d-----w- c:\program files\Bonjour
2009-10-22 15:18 . 2008-03-11 23:05 4096 d-----w- c:\program files\QuickTime
2009-10-21 16:53 . 2009-10-15 15:12 2268672 ----a-w- c:\users\kate\AppData\Local\cooliris-win-iefull-release-1.11.5.29501.en-US.msi
2009-10-19 13:08 . 2008-11-09 15:57 4096 d-----w- c:\program files\ATITool
2009-10-19 12:58 . 2009-02-06 18:27 4096 d-----w- c:\program files\Microsoft Silverlight
2009-09-29 13:14 . 2009-02-06 14:56 4096 d-----w- c:\program files\IEPro
2009-09-27 22:47 . 2009-09-27 22:47 2173544 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-27 22:47 . 2009-09-27 22:47 92776 ----a-w- c:\windows\system32\nvmctray.dll
2009-09-27 22:47 . 2009-09-27 22:47 805480 ----a-w- c:\windows\system32\nvsvc.dll
2009-09-27 22:47 . 2009-09-27 22:47 4033128 ----a-w- c:\windows\system32\nvvitvs.dll
2009-09-27 22:47 . 2009-09-27 22:47 3553896 ----a-w- c:\windows\system32\nvgames.dll
2009-09-27 22:47 . 2009-09-27 22:47 3172968 ----a-w- c:\windows\system32\nvwss.dll
2009-09-27 22:47 . 2009-09-27 22:47 215656 ----a-w- c:\windows\system32\nvvsvc.exe
2009-09-27 22:47 . 2009-09-27 22:47 195176 ----a-w- c:\windows\system32\nvmccss.dll
2009-09-27 22:47 . 2009-09-27 22:47 1309288 ----a-w- c:\windows\system32\nvsvs.dll
2009-09-27 22:47 . 2009-09-27 22:47 1292904 ----a-w- c:\windows\system32\nvmobls.dll
2009-09-27 22:46 . 2009-09-27 22:46 4942440 ----a-w- c:\windows\system32\nvdisps.dll
2009-09-27 22:46 . 2009-09-27 22:46 13949544 ----a-w- c:\windows\system32\nvcpl.dll
2009-09-21 21:09 . 2009-09-21 21:09 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-14 09:44 . 2009-10-19 12:48 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 17:30 . 2009-10-19 12:46 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 12:24 . 2009-10-19 12:48 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-08-28 23:42 . 2009-08-28 23:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 23:42 . 2009-08-28 23:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 12:39 . 2009-10-19 12:48 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-10-19 12:48 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:32 . 2009-10-19 12:48 833024 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:29 . 2009-10-19 12:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 10:58 . 2009-10-19 12:48 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-05-06 18:50 . 2008-03-17 20:44 0 ---ha-w- c:\program files\.BridgeLabelsAndRatings
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-15 39408]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]
"Google Update"="c:\users\kate\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-05-21 133104]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-04-23 801904]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-22 149280]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2006-11-07 547840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-13 40072]

c:\users\kate\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
OneNote Table Of Contents.onetoc2 [2008-11-21 3656]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Suitcase 11.0.lnk - c:\windows\Installer\{7451C9B5-3E10-4E59-AD37-AB7438D84288}\_01D57C9244869186542E24.exe [2009-6-16 9062]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Suitcase 11.0.lnk]
backup=c:\windows\pss\Suitcase 11.0.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^kate^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Media Player.lnk]
backup=c:\windows\pss\Adobe Media Player.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-441842238-3827488038-1711259271-1000]
"EnableNotificationsRef"=dword:00000001

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\windows\System32\nvSCPAPISvr.exe [6/10/2009 5:33 AM 232960]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE [3/30/2009 4:28 PM 1533808]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 5:25 AM 2589184]
.
Contents of the 'Scheduled Tasks' folder

2009-11-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-441842238-3827488038-1711259271-1000Core.job
- c:\users\kate\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-21 14:16]

2009-11-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-441842238-3827488038-1711259271-1000UA.job
- c:\users\kate\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-21 14:16]

2009-11-23 c:\windows\Tasks\User_Feed_Synchronization-{5DBC3CD1-11FA-433D-B5E1-2B05E5E57C8D}.job
- c:\windows\system32\msfeedssync.exe [2008-04-20 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?rls=ig
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5656
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\users\kate\AppData\Roaming\Mozilla\Firefox\Profiles\1ehzpvcj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://wral.com/weather/
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\users\kate\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-taxjqbgm - c:\users\kate\AppData\Local\qugjam\wyajsysguard.exe
HKCU-Run-AdobeBridge - (no file)
AddRemove-Colourificator - c:\program files\Colourificator\remove



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 22:37
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-441842238-3827488038-1711259271-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EA896BB1-573E-A4F5-8DE6-A13DD3740C4A}*]
"oafdgghbkgcbnionciaalbacpipcfc"=hex:6b,61,62,61,63,69,64,6c,68,6e,68,67,61,61,
6a,6e,6a,68,68,61,6e,67,00,00
"napcmcbanbchjhkglfgfpbhfnokl"=hex:6a,61,63,61,6d,62,66,6c,66,6f,61,66,66,69,
69,66,6b,69,6f,6f,00,f5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-11-22 22:40
ComboFix-quarantined-files.txt 2009-11-23 03:40

Pre-Run: 302,605,115,392 bytes free
Post-Run: 302,977,683,456 bytes free

- - End Of File - - 170FC50DE83C3AD438913A237BC5D17F
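The ComboFix log above carries the fingerprints of this family of rogue "antivirus" programs: a per-user proxy pointed at 127.0.0.1 (which is why no website would load), Security Center monitoring switched off, UAC (EnableLUA) set to 0, and an HKCU Run entry with a random name pointing into AppData\Local. As an added example that is not part of the original thread and not ComboFix's own logic, the script below triages a ComboFix excerpt for exactly those indicators. The sample lines are copied from the log above; the severity labels and the "user-writable path" heuristic are this example's assumptions, and a legitimate updater such as Google Update living under AppData\Local is deliberately reported as "review" rather than "high", since path alone does not prove malice.

```python
"""Triage a ComboFix log excerpt for rogue-AV indicators.

Added example: the heuristics and severity labels are assumptions made here,
not ComboFix's logic.  SAMPLE_LOG is a constructed subset of the thread's log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Google Update"="c:\users\kate\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-05-21 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555

- - - - ORPHANS REMOVED - - - -

HKCU-Run-taxjqbgm - c:\users\kate\AppData\Local\qugjam\wyajsysguard.exe
HKCU-Run-AdobeBridge - (no file)
"""


@dataclass(frozen=True)
class Finding:
    severity: str    # "high" | "medium" | "review" (assumed scale)
    indicator: str
    detail: str


KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
ORPHAN_RUN_RE = re.compile(r"^HKCU-Run-(?P<name>\S+) - (?P<path>.+)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)")
# Any path under a user profile's AppData is writable without admin rights.
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}
SEVERITY_RANK = {"high": 0, "medium": 1, "review": 2}


def proxy_hosts(value: str) -> List[str]:
    """Split an IE ProxyServer value into host names.

    Handles both 'host:port' and 'http=host:port;https=host:port' forms.
    """
    hosts = []
    for part in value.split(";"):
        hostport = part.split("=", 1)[-1]
        host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
        hosts.append(host)
    return hosts


def triage(log_text: str) -> List[Finding]:
    """Walk the excerpt line by line, tracking the current registry key."""
    findings: List[Finding] = []
    key: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        if key is not None and key.endswith((r"\currentversion\run", r"\currentversion\runonce")):
            m = RUN_VALUE_RE.match(line)
            if m and USER_WRITABLE_RE.search(m.group("path")):
                findings.append(Finding("review", "autostart in user-writable path",
                                        f"{m.group('name')} -> {m.group('path')}"))
        elif key is not None and key.endswith(r"\policies\system"):
            if re.match(r'^"EnableLUA"\s*=\s*0\b', line):
                findings.append(Finding("medium", "UAC disabled", line))
        elif key is not None and "security center" in key:
            if re.match(r'^"DisableMonitoring"\s*=\s*dword:0*1$', line):
                findings.append(Finding("high", "Security Center monitoring disabled", key))
        # Entries ComboFix already removed still tell you where the dropper lived.
        m = ORPHAN_RUN_RE.match(line)
        if m and USER_WRITABLE_RE.search(m.group("path")):
            findings.append(Finding("review", "removed autostart in user-writable path",
                                    f"{m.group('name')} -> {m.group('path')}"))
        # A proxy on loopback is how the rogue blocked every website.
        m = PROXY_RE.search(line)
        if m and any(h in LOOPBACK_HOSTS for h in proxy_hosts(m.group("value"))):
            findings.append(Finding("high", "proxy to loopback", m.group("value")))
    return findings


def summarize(findings: List[Finding]) -> str:
    """One line per finding, most severe first (stable sort keeps log order within a tier)."""
    ordered = sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])
    return "\n".join(f"[{f.severity}] {f.indicator}: {f.detail}" for f in ordered)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample, the two "high" findings (loopback proxy, Security Center monitoring off) surface first; the Google Update and taxjqbgm entries both land in "review" because the script judges only the path, and it is the random value name plus the random directory name that a human then uses to tell them apart. On a live machine the same checks would be read from the registry rather than from a log, but the indicators are the same.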

#11 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 23 November 2009 - 09:34 AM

Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Give me an update on how your computer is behaving now.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#12 KateC (Topic Starter, Members, 12 posts)

Posted 23 November 2009 - 11:02 AM

Well I think this may have removed the virus!! I haven't run into any symptoms since rebooting. Many many many thanks!

I'll paste the log just in case though.

Do you recommend any antivirus software that could have prevented this from happening in the first place?



Malwarebytes' Anti-Malware 1.41
Database version: 3217
Windows 6.0.6001 Service Pack 1

11/23/2009 10:46:56 AM
mbam-log-2009-11-23 (10-46-56).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 382131
Time elapsed: 50 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Users\kate\AppData\Local\qugjam\wyajsysguard.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#13 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 23 November 2009 - 06:46 PM

As fast as the variants of these infections are coming out I don't think there's an antivirus out there that can provide 100% protection. There's a few that I can recommend as being better than others, in my opinion. Check out Avast, Nod32, or Kaspersky.


We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the Run box and click OK




==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Re-enable System Restore. - You should disable and re-enable System Restore to make sure there are no infected files left over in a restore point from what we have just cleaned.

    You can find instructions on how to disable and re-enable System Restore here:

    Windows XP System Restore Guide

    Re-enable System Restore using the instructions in the tutorial above.

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware and hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.



========================================================

#14 KateC (Topic Starter, Members, 12 posts)

Posted 24 November 2009 - 10:10 AM

Hi Sam, one last question, I hope. I'm trying to use your directions to uninstall ComboFix, but the program opens and asks if I want to update it and then starts running a scan (I believe). While doing so it also closes the browser and changes some other settings on my comp.

Is there another way I can uninstall it, or do I need to just let it go through (what appears to be a) scan again?

Thanks for all the info about keeping my comp secure and clean!

You should have received a donation from carboneauj/yahoo.com or justin carboneau.

#15 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 24 November 2009 - 05:15 PM

Try this instead..
  • Make sure you have an Internet Connection.
  • Double-click OTL.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTL to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


Thank you very much for the donation. It is greatly appreciated!


========================================================
