

Malware attack on my computer


  • This topic is locked
9 replies to this topic

#1 willj

willj

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:43 PM

Posted 04 December 2009 - 01:52 AM

Hi, I could really do with some help. Last Saturday night my relatively new computer was hit with a virus or malware or something of that kind. It closed down my internet browsers and removed my favourites. When I restarted my computer it was incredibly slower than before. Now when I click on the Mozilla icon, whilst my favourites had returned, it takes about two minutes to execute the application and open up. Even clicking folders within my computer noticeably lags when opening them. This was all an instantaneous consequence of being hit last Saturday night. My computer was running fine, now it is terribly terribly slow.

I use Windows XP. I've gone into SAFE Mode and tried to remove the viruses then; however, it doesn't seem to keep them away. I am sorry that I cannot be more specific; one of the threats pops up with my antivirus (AVG) as:

FILE NAME: C:\WINDOWS\System32\drivers\atapi.sys
THREAT NAME: Trojan horse Packed.Protector.C

If anyone could help me I would greatly appreciate it. I have attached the HIJACK THIS LOG performed moments ago.

Many thanks in advance, I hope I have followed the correct procedure here.
Will

I wasn't sure if you are meant to attach the HIJACK THIS file or copy/paste it. If the latter is appropriate, please see below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:36:00 PM, on 12/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lemonde.fr/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08dd -f video -m logitech -d 10.5.1.2023 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08dd -f video -m logitech -d 10.5.1.2023 (User 'Default user')
O4 - S-1-5-18 Startup: algqeh32.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: algqeh32.exe (User 'Default user')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: algqeh32.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec RemoteAssist - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (file missing)
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 13265 bytes


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:43 AM

Posted 04 December 2009 - 08:18 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5
    %SYSTEMDRIVE%\nvatabus.sys /s /md5
    %SYSTEMDRIVE%\viamraid.sys /s /md5
    %SYSTEMDRIVE%\nvata.sys /s /md5
    CREATERESTOREPOINT



  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
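What the `/s /md5` lines in the custom scan above actually do, shown as an added example that is not OTL's code and is not from anyone in this thread: walk a drive for every copy of each named system file, hash each copy, and flag a name whose copies disagree, because a legitimate driver in system32\drivers is normally byte-identical to the backup copies Windows keeps in dllcache and ServicePackFiles. The directory tree, the file contents and the function names (`scan_copies`, `divergent`, `report`, `build_sample_tree`) are constructed for this demo; only the list of file names comes from the post.

```python
import hashlib
import os
import tempfile

# File names from the OTL custom scan in the post above. Each was given
# "/s /md5": search subdirectories and print the MD5 of every copy found.
SCAN_TARGETS = [
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll", "sceclt.dll",
    "ntelogon.dll", "logevent.dll", "iaStor.sys", "nvstor.sys", "atapi.sys",
    "IdeChnDr.sys", "viasraid.sys", "AGP440.sys", "vaxscsi.sys", "nvatabus.sys",
    "viamraid.sys", "nvata.sys",
]


def md5_of(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large drivers do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_copies(root, names):
    """Walk `root` recursively and return {name: [(path, size, md5), ...]}
    for every copy of each wanted name. Matching is case-insensitive,
    as NTFS file names are."""
    wanted = {n.lower(): n for n in names}
    found = {n: [] for n in names}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            key = fn.lower()
            if key in wanted:
                p = os.path.join(dirpath, fn)
                found[wanted[key]].append((p, os.path.getsize(p), md5_of(p)))
    return found


def divergent(found):
    """Names for which the copies on disk do not all share one MD5."""
    return sorted(n for n, copies in found.items()
                  if len({c[2] for c in copies}) > 1)


def report(found):
    """Text lines in the spirit of OTL's custom-scan output: one per copy,
    plus a WARNING for any name whose copies disagree."""
    lines = []
    for name in sorted(found):
        for path, size, digest in found[name]:
            lines.append(f"{name}: {path} | {size} bytes | MD5 {digest}")
    for name in divergent(found):
        lines.append(f"WARNING: copies of {name} have different hashes")
    return lines


def build_sample_tree():
    """Constructed stand-in for a Windows XP system drive (not real files):
    three copies of atapi.sys, one of them altered, and two identical
    copies of eventlog.dll. Paths are written Windows-style and split
    so the demo runs on any OS."""
    root = tempfile.mkdtemp(prefix="otl_demo_")
    layout = {
        r"WINDOWS\system32\drivers\atapi.sys": b"constructed atapi bytes, altered copy",
        r"WINDOWS\system32\dllcache\atapi.sys": b"constructed atapi bytes",
        r"WINDOWS\ServicePackFiles\i386\ATAPI.SYS": b"constructed atapi bytes",
        r"WINDOWS\system32\eventlog.dll": b"constructed eventlog bytes",
        r"WINDOWS\system32\dllcache\eventlog.dll": b"constructed eventlog bytes",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for line in report(scan_copies(build_sample_tree(), SCAN_TARGETS)):
        print(line)
```

Run against a real drive by passing its root to `scan_copies` instead of the constructed tree. A hash mismatch on its own is not proof of anything (a hotfix can legitimately leave one copy newer than the others), which is why the helper asks for the full output rather than a verdict; the per-copy sizes and dates in the real OTL output are what let them tell the two cases apart.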

#3 willj

willj
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:43 PM

Posted 04 December 2009 - 08:25 PM

Thank you so much Sam! The general problem with my computer is that after my computer almost died last Saturday night when I tried to download a free book file, it has been incredibly slow since. At 6pm on Saturday night it would boot up within 30-40 seconds and shutdown in 5 seconds. 5 minutes later, after I was hit by the virus attack, it took minutes to do both, and has done since.

Since then, whenever I double click on folders such as My Computer, etc, they are very sluggish to open. Mozilla literally takes minutes to open and even when I do the internet itself has a huge lag. Even whilst typing this to you, characters will not show up on the screen immediately after I type them. Often, Mozilla will just freeze/not respond, and I am forced to turn off my computer by holding down the power button. I uninstalled, and reinstalled, Mozilla, but this did not fix the problem, so it is not isolated to this one program. For instance, when I open Microsoft Word, it takes about 2 minutes to open whereas before last Saturday night it took about 10 seconds.

I also keep getting this virus/threat warning from my AVG Antivirus software:

FILE NAME: C:\WINDOWS\System32\drivers\atapi.sys
THREAT NAME: Trojan horse Packed.Protector.C

Thank you so much again Sam for attempting to help me. I really really appreciate it. I have followed your instructions, please find the 3 logs below. (I have also attached the logs as 3 text files)

---------------------------------------------------------
HERE ARE THE 3 LOGS THAT YOU REQUESTED.
1. OTL LOG
2. OTL EXTRAS LOG
3. GMER LOG
---------------------------------------------------------
OTL LOG:
----------------------------------------------------------------------------------------------------------------------------------------------

OTL logfile created on: 12/5/2009 11:16:52 AM - Run 1
OTL by OldTimer - Version 3.1.11.6 Folder = C:\Documents and Settings\ad1\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.42 Mb Total Physical Memory | 447.10 Mb Available Physical Memory | 44.07% Memory free
2.44 Gb Paging File | 1.93 Gb Available in Paging File | 79.30% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.27 Gb Total Space | 17.18 Gb Free Space | 51.63% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: IBM-FD24CDDA532
Current User Name: ad1
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/05 11:15:13 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ad1\Desktop\OTL.exe
PRC - [2009/11/26 08:52:26 | 02,029,336 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/11/11 10:57:36 | 01,451,520 | ---- | M] (Nokia) -- C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
PRC - [2009/11/07 08:50:48 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/11/07 08:50:48 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/11/02 19:23:08 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/28 20:21:26 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/10/27 09:26:36 | 00,657,408 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
PRC - [2009/10/27 09:15:44 | 00,132,608 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
PRC - [2009/10/27 09:15:02 | 00,120,832 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
PRC - [2009/10/27 09:13:44 | 00,090,112 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exe
PRC - [2009/09/01 21:43:39 | 00,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/09/01 21:43:39 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/09/01 21:43:26 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/11/09 12:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/10/25 11:44:34 | 00,031,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/06 16:43:26 | 00,252,704 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
PRC - [2006/11/03 18:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2005/06/30 17:50:14 | 00,053,248 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) -- C:\Program Files\Digidesign\Drivers\MMERefresh.exe
PRC - [2005/05/04 10:48:16 | 00,126,976 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2005/04/27 10:09:46 | 00,385,024 | ---- | M] () -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
PRC - [2005/04/27 08:53:08 | 00,090,112 | ---- | M] (IBM Corp.) -- C:\IBMTOOLS\utils\ibmprc.exe
PRC - [2005/04/05 14:14:34 | 00,106,496 | ---- | M] (IBM Corp.) -- C:\WINDOWS\system32\TpShocks.exe
PRC - [2005/04/04 11:43:32 | 00,094,208 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
PRC - [2005/03/24 15:20:34 | 00,086,016 | ---- | M] (IBM Corporation) -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
PRC - [2005/03/23 01:11:00 | 00,217,088 | ---- | M] (IBM Corp.) -- C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
PRC - [2005/03/18 02:07:00 | 00,745,472 | ---- | M] (IBM Corp.) -- C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
PRC - [2005/03/18 02:07:00 | 00,086,016 | ---- | M] (IBM Corp.) -- C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
PRC - [2005/03/18 02:07:00 | 00,077,824 | ---- | M] (IBM Corp.) -- C:\WINDOWS\system32\QCONSVC.EXE
PRC - [2005/02/18 06:05:30 | 00,360,521 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2005/02/18 06:03:38 | 00,086,016 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2005/02/18 06:02:24 | 00,139,264 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2004/12/14 03:44:06 | 00,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
PRC - [2004/11/08 10:17:56 | 00,110,592 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2004/11/08 10:17:22 | 00,512,000 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2004/11/05 00:30:00 | 00,057,344 | ---- | M] () -- C:\WINDOWS\system32\ibmpmsvc.exe
PRC - [2004/10/14 08:11:10 | 01,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2004/09/06 15:03:52 | 00,077,824 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
PRC - [2004/09/02 00:05:00 | 00,127,035 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfswctrl.exe
PRC - [2004/08/06 01:10:00 | 00,442,368 | ---- | M] (IBM) -- C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
PRC - [2004/05/24 09:25:04 | 00,077,824 | ---- | M] (IBM Corporation) -- C:\WINDOWS\system32\TPHDEXLG.exe
PRC - [2003/10/29 02:06:00 | 00,024,576 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2003/07/11 17:19:22 | 00,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe
PRC - [2003/06/30 21:00:24 | 00,065,536 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Video\LogiTray.exe
PRC - [2002/09/20 13:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2009/12/05 11:15:13 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ad1\Desktop\OTL.exe
MOD - [2004/11/08 10:17:50 | 00,065,536 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll


========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (Symantec RemoteAssist)
SRV - [2009/11/07 08:50:48 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/10/27 09:26:36 | 00,657,408 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009/09/01 21:43:26 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/09 12:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/10/25 11:44:08 | 00,065,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2008/07/25 08:44:46 | 00,032,256 | ---- | M] () -- C:\WINDOWS\system32\drivers\psasrv.exe -- (PsaSrv)
SRV - [2008/04/13 16:11:55 | 00,028,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\irmon.dll -- (Irmon)
SRV - [2007/02/06 16:47:12 | 00,105,248 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)
SRV - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2005/06/30 17:50:14 | 00,053,248 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) -- C:\Program Files\Digidesign\Drivers\MMERefresh.exe -- (DigiRefresh)
SRV - [2005/04/27 10:09:46 | 00,385,024 | ---- | M] () -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe -- (IBM Rapid Restore Ultra Service)
SRV - [2005/03/18 02:07:00 | 00,077,824 | ---- | M] (IBM Corp.) -- C:\WINDOWS\system32\QCONSVC.EXE -- (QCONSVC)
SRV - [2005/02/18 06:05:30 | 00,360,521 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor)
SRV - [2005/02/18 06:03:38 | 00,086,016 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng)
SRV - [2005/02/18 06:02:24 | 00,139,264 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc)
SRV - [2004/11/05 00:30:00 | 00,057,344 | ---- | M] () -- C:\WINDOWS\system32\ibmpmsvc.exe -- (IBMPMSVC)
SRV - [2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/05/24 09:25:04 | 00,077,824 | ---- | M] (IBM Corporation) -- C:\WINDOWS\system32\TPHDEXLG.exe -- (TPHDEXLGSVC)
SRV - [2003/07/11 17:19:22 | 00,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe -- (TpKmpSVC)
SRV - [2002/09/20 13:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-327593422-1216937290-874579748-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.lemonde.fr/
IE - HKU\S-1-5-21-327593422-1216937290-874579748-1005\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-327593422-1216937290-874579748-1005\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-327593422-1216937290-874579748-1005\S-1-5-21-327593422-1216937290-874579748-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-327593422-1216937290-874579748-1005\S-1-5-21-327593422-1216937290-874579748-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.424
FF - prefs.js..extensions.enabledItems: avg@igeared:2.609.002.003
FF - prefs.js..extensions.enabledItems: {ca0849e8-2c76-42ae-9abe-34e14d337acf}:1.91
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: bkmrksync@nokia.com:1.0.0.723
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971
FF - prefs.js..keyword.URL: "http://au.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_au&p="


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/11/03 07:29:41 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared [2009/11/04 07:00:24 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2009/11/14 09:44:53 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/29 19:13:23 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/29 19:12:33 | 00,000,000 | ---D | M]

[2009/11/29 19:13:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ad1\Application Data\Mozilla\Extensions
[2009/12/04 07:33:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ad1\Application Data\Mozilla\Firefox\Profiles\j0cskoak.default\extensions
[2009/12/01 23:00:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ad1\Application Data\Mozilla\Firefox\Profiles\j0cskoak.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/11/29 20:59:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ad1\Application Data\Mozilla\Firefox\Profiles\j0cskoak.default\extensions\{ca0849e8-2c76-42ae-9abe-34e14d337acf}
[2009/12/05 10:42:42 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (325921 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 11154 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-327593422-1216937290-874579748-1005\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-327593422-1216937290-874579748-1005\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BATLOGEX.DLL ()
O4 - HKLM..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe (Digidesign, A Division of Avid Technology, Inc.)
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
O4 - HKLM..\Run: [EZEJMNAP] C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE (IBM Corp.)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe ()
O4 - HKLM..\Run: [IBMPRC] C:\IBMTOOLS\utils\ibmprc.exe (IBM Corp.)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe (Logitech Inc.)
O4 - HKLM..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe (Logitech Inc.)
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (IBM Corp.)
O4 - HKLM..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE (IBM Corp.)
O4 - HKLM..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE (IBM Corp.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [Regedit32] C:\WINDOWS\System32\regedit.exe File not found
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TP4EX] C:\WINDOWS\System32\TP4EX.exe (IBM Corporation)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe ()
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (IBM Corp.)
O4 - HKLM..\Run: [TpShocks] C:\WINDOWS\System32\TpShocks.exe (IBM Corp.)
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-327593422-1216937290-874579748-1005..\Run: [IBM RecordNow!] File not found
O4 - HKU\S-1-5-21-327593422-1216937290-874579748-1005..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe (IBM)
O4 - HKU\S-1-5-21-327593422-1216937290-874579748-1005..\Run: [PC Suite Tray] C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe (Nokia)
O4 - HKU\S-1-5-21-327593422-1216937290-874579748-1005..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe File not found
O4 - HKU\.DEFAULT..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08dd -f video -m logitech -d 10.5.1.2023 File not found
O4 - HKU\S-1-5-18..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08dd -f video -m logitech -d 10.5.1.2023 File not found
O4 - Startup: C:\Documents and Settings\ad1\Start Menu\Programs\Startup\algqeh32.exe ()
O4 - Startup: C:\Documents and Settings\ad1\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe (Logitech)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-327593422-1216937290-874579748-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-327593422-1216937290-874579748-1005\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4.2/...all-142-win.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 61.9.195.193 61.9.194.49
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\QConGina: DllName - QConGina.dll - C:\WINDOWS\System32\QConGina.dll (IBM Corp.)
O20 - Winlogon\Notify\tphotkey: DllName - tphklock.dll - C:\WINDOWS\System32\tphklock.dll ()
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/05 07:26:19 | 00,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/09 09:40:04 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - C:\WINDOWS\system32\irmon.dll (Microsoft Corporation)
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891947461378048)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/05 11:14:43 | 00,536,064 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\ad1\Desktop\OTL.exe
[2009/12/04 17:32:11 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/12/01 23:03:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ad1\Local Settings\Application Data\Yahoo
[2009/12/01 23:01:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ad1\Local Settings\Application Data\Yahoo!
[2009/12/01 22:59:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2009/12/01 22:58:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ad1\Application Data\Yahoo!
[2009/12/01 22:56:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Yahoo!
[2009/12/01 21:11:49 | 00,000,000 | ---D | C] -- C:\Program Files\Yahoo!
[2009/12/01 21:01:07 | 00,000,000 | ---D | C] -- C:\Program Files\directx
[2009/12/01 21:00:41 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Logitech
[2009/12/01 20:59:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ad1\Application Data\FotoWire
[2009/12/01 20:59:44 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\FotoWire
[2009/12/01 20:58:44 | 00,000,000 | ---D | C] -- C:\SXS
[2009/12/01 20:58:14 | 00,000,000 | ---D | C] -- C:\Program Files\Logitech
[2009/12/01 10:08:53 | 00,000,000 | ---D | C] -- C:\1edf560556bd8bd8adbcc762c1d3da
[2009/11/29 19:13:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ad1\Application Data\Mozilla
[2009/11/23 20:25:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ad1\Application Data\InterVideo
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/05 11:15:13 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ad1\Desktop\OTL.exe
[2009/12/05 11:13:51 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/12/05 11:11:39 | 00,000,316 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2009/12/05 11:11:25 | 00,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/05 11:10:49 | 00,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2009/12/05 11:10:47 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/05 11:10:42 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/05 09:25:26 | 00,112,018 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/12/05 09:25:25 | 46,173,632 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/12/05 08:21:51 | 06,029,312 | -H-- | M] () -- C:\Documents and Settings\ad1\NTUSER.DAT
[2009/12/05 08:21:51 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\ad1\ntuser.ini
[2009/12/05 08:17:57 | 00,148,768 | ---- | M] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2009/12/05 00:14:50 | 00,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2009/12/02 08:05:41 | 00,069,296 | ---- | M] () -- C:\Documents and Settings\ad1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/12/02 08:04:31 | 00,268,600 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/02 03:09:53 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/02 00:24:50 | 00,000,633 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/01 22:56:44 | 00,000,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Yahoo!7 Messenger.lnk
[2009/12/01 22:31:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/12/01 21:01:10 | 00,001,657 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Logitech QuickCam.lnk
[2009/12/01 21:00:39 | 00,000,252 | ---- | M] () -- C:\WINDOWS\_delis32.ini
[2009/12/01 20:59:29 | 00,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2009/12/01 20:58:25 | 00,001,896 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
[2009/12/01 20:58:19 | 00,081,920 | R--- | M] () -- C:\WINDOWS\bwUnin-6.1.4.36-8876480L.exe
[2009/12/01 12:31:52 | 00,503,510 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/01 12:31:52 | 00,442,568 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/01 12:31:52 | 00,071,980 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/29 20:15:16 | 00,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2009/11/29 20:13:11 | 00,002,515 | ---- | M] () -- C:\Documents and Settings\ad1\Desktop\Microsoft Word.lnk
[2009/11/29 19:12:53 | 00,001,613 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/11/28 21:57:31 | 00,000,004 | ---- | M] () -- C:\Documents and Settings\ad1\Application Data\avdrn.dat
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/01 22:56:44 | 00,000,813 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Yahoo!7 Messenger.lnk
[2009/12/01 21:01:10 | 00,001,657 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Logitech QuickCam.lnk
[2009/12/01 21:00:39 | 00,000,252 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2009/12/01 20:59:54 | 00,036,864 | R--- | C] () -- C:\WINDOWS\System32\AthUnIns.exe
[2009/12/01 20:58:25 | 00,001,896 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
[2009/12/01 20:58:20 | 00,081,920 | R--- | C] () -- C:\WINDOWS\bwUnin-6.1.4.36-8876480L.exe
[2009/11/29 20:15:16 | 00,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2009/11/29 19:12:53 | 00,001,613 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/11/28 21:57:31 | 00,000,004 | ---- | C] () -- C:\Documents and Settings\ad1\Application Data\avdrn.dat
[2009/08/31 15:26:22 | 00,000,133 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2009/08/31 14:20:03 | 00,050,127 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/08/03 14:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/06/19 14:05:53 | 00,003,584 | ---- | C] () -- C:\Documents and Settings\ad1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/12 06:33:57 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/12/11 20:37:34 | 00,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\DRM
[2008/12/11 18:22:05 | 00,217,088 | ---- | C] () -- C:\WINDOWS\System32\qtmlClient.dll
[2008/10/05 07:26:10 | 00,000,126 | ---- | C] () -- C:\Documents and Settings\ad1\Local Settings\Application Data\fusioncache.dat
[2008/07/25 08:51:09 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/07/25 08:50:24 | 00,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
[2008/07/25 08:47:06 | 00,002,432 | ---- | C] () -- C:\WINDOWS\System32\drivers\IBMBLDID.SYS
[2008/07/25 08:40:37 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/07/25 08:40:37 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/07/25 08:40:37 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/07/25 08:40:37 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/07/25 08:40:37 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/07/25 08:40:37 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/07/25 08:38:44 | 00,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/07/25 08:30:41 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\FPCALL.dll
[2008/07/25 08:30:25 | 00,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSMAPIP.SYS
[2008/07/25 08:26:54 | 00,009,340 | ---- | C] () -- C:\WINDOWS\System32\drivers\TDSMAPI.SYS
[2008/07/25 08:16:10 | 00,002,481 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/07/25 07:57:12 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\tphklock.dll
[2007/02/06 16:42:40 | 01,691,808 | ---- | C] () -- C:\WINDOWS\System32\drivers\Lvckap.sys
[2005/05/04 13:32:42 | 00,090,112 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll
[2005/05/04 13:32:42 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll
[2005/04/27 08:53:10 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\pwdmon.dll
[2005/04/27 08:53:10 | 00,019,853 | ---- | C] () -- C:\WINDOWS\ibmprc.ini
[2004/11/08 16:12:56 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/09 10:03:43 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/03 21:59:44 | 00,148,768 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2004/01/09 05:10:32 | 00,143,360 | ---- | C] () -- C:\WINDOWS\System32\AIBMRUNL.dll
[2003/04/10 15:04:00 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll
[2003/02/26 15:47:14 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\MimicICM.dll
[1999/01/27 13:39:06 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[1979/12/31 23:00:00 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[1979/12/31 23:00:00 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\tpinspm.dll

========== LOP Check ==========

[2008/12/18 18:54:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ad1\Application Data\Digidesign
[2009/12/01 20:59:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ad1\Application Data\FotoWire
[2008/12/11 11:47:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ad1\Application Data\IBM
[2009/11/23 20:25:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ad1\Application Data\InterVideo
[2009/08/31 15:25:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ad1\Application Data\LearnLift
[2009/11/06 14:03:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ad1\Application Data\Mobipocket
[2009/11/06 08:06:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ad1\Application Data\Mobipocket Reader
[2009/11/13 13:37:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ad1\Application Data\Nokia
[2008/12/11 20:37:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ad1\Application Data\PACE Anti-Piracy
[2009/11/13 13:37:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ad1\Application Data\PC Suite
[2009/11/04 22:38:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ad1\Application Data\PeaZip
[2009/04/17 08:36:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ad1\Application Data\uTorrent
[2008/07/25 08:37:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\IBM
[2009/11/21 11:13:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2008/07/25 08:40:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ibm
[2009/11/13 13:34:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2008/12/11 20:37:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy
[2009/11/03 16:02:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2009/11/13 13:54:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/09/01 19:25:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
[2008/07/25 08:37:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\IBM
[2009/12/01 22:31:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2009/12/05 11:13:51 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2009/12/05 11:10:49 | 00,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job
[2009/12/05 11:11:39 | 00,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[2004/08/04 04:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2004/08/04 04:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2004/08/04 04:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2009/02/06 10:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e\SP2QFE\netlogon.dll
[2009/02/06 10:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\SP2QFE\netlogon.dll
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2004/08/03 21:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2009/12/05 08:17:57 | 00,148,768 | ---- | M] () MD5=054CC21832F277167D6432353585992E -- C:\WINDOWS\system32\drivers\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >
[2004/08/03 22:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

< %SYSTEMDRIVE%\nvatabus.sys /s /md5 >

< %SYSTEMDRIVE%\viamraid.sys /s /md5 >

< %SYSTEMDRIVE%\nvata.sys /s /md5 >

========== Alternate Data Streams ==========

@Alternate Data Stream - 978 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:7se1UvPrV3Xiuw2ywQiwaE
@Alternate Data Stream - 907 bytes -> C:\Documents and Settings\All Users\Application Data\DRM:z4k3RxLcW58Fny44mtqPjO7X35O
@Alternate Data Stream - 898 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:FHdBG0hTTHjiXLSajZK34
@Alternate Data Stream - 889 bytes -> C:\Program Files\WindowsUpdate:shbcEH961cs4UsCHezd0YaM
< End of report >



----------------------------------------------------------------------------------------------------------------------------------------------
OTL EXTRAS LOG
----------------------------------------------------------------------------------------------------------------------------------------------

OTL Extras logfile created on: 12/5/2009 11:16:52 AM - Run 1
OTL by OldTimer - Version 3.1.11.6 Folder = C:\Documents and Settings\ad1\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.42 Mb Total Physical Memory | 447.10 Mb Available Physical Memory | 44.07% Memory free
2.44 Gb Paging File | 1.93 Gb Available in Paging File | 79.30% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.27 Gb Total Space | 17.18 Gb Free Space | 51.63% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: IBM-FD24CDDA532
Current User Name: ad1
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-327593422-1216937290-874579748-1005\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [+ Add to separate archive(s)] -- "C:\Program Files\PeaZip\PEAZIP.EXE" "-add2archive" "%1" (Giorgio Tani)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\LearnLift\MemoryLifter2\MLifter.exe" = C:\Program Files\LearnLift\MemoryLifter2\MLifter.exe:*:Enabled:MemoryLifter -- (LearnLift)
"C:\WINDOWS\LMI57.tmp\lmi_rescue.exe" = C:\WINDOWS\LMI57.tmp\lmi_rescue.exe:*:Enabled:LogMeIn Rescue -- File not found
"C:\Documents and Settings\ad1\Local Settings\Temp\7zS5A.tmp\SymNRT.exe" = C:\Documents and Settings\ad1\Local Settings\Temp\7zS5A.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool -- File not found
"C:\Documents and Settings\ad1\Local Settings\Temp\7zS5D.tmp\SymNRT.exe" = C:\Documents and Settings\ad1\Local Settings\Temp\7zS5D.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool -- File not found
"C:\WINDOWS\LMI3B.tmp\lmi_rescue.exe" = C:\WINDOWS\LMI3B.tmp\lmi_rescue.exe:*:Disabled:LogMeIn Rescue -- File not found
"C:\Documents and Settings\ad1\Local Settings\Temp\7zS3C.tmp\SymNRT.exe" = C:\Documents and Settings\ad1\Local Settings\Temp\7zS3C.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool -- File not found
"C:\Documents and Settings\ad1\Local Settings\Temp\7zS3E.tmp\SymNRT.exe" = C:\Documents and Settings\ad1\Local Settings\Temp\7zS3E.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool -- File not found
"C:\Documents and Settings\ad1\Local Settings\Temp\7zS40.tmp\SymNRT.exe" = C:\Documents and Settings\ad1\Local Settings\Temp\7zS40.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool -- File not found
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager -- (Skype Technologies)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0873B1A3-00A9-40D6-BACE-3DB4BC5DA840}" = IBM SATA Power Management Driver
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0D1C39F9-BB06-4044-B282-A710E84C042F}" = Digidesign Pro Tools® LE 6.8.1
"{1007F41F-7D69-468E-8017-3849A5A973C2}" = IBM ThinkVantage Technologies Welcome Message
"{11783F13-C3A9-44A8-929B-21A476F65272}" = IBM Rescue and Recovery with Rapid Restore
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = IBM DLA
"{1297C681-92D7-40EF-93BF-03F66EC5105C}" = IBM ThinkPad EasyEject Utility
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{20C53FA2-4307-4671-A93F-9463B29DFCF1}" = Symantec Technical Support Web Controls
"{2111B23F-7FDA-4A41-8309-E5A1663CA296}" = IBM ThinkPad Keyboard Customizer Utility
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{22B71A00-4DED-11D4-A5E5-0004AC564F43}" = IBM Access Connections
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{26AA53D5-1307-48F9-A80F-A4D25F5849D4}" = Logitech QuickCam
"{28DA872A-0848-48CF-B749-19A198157A2A}" = mDriver
"{28F58CDE-6241-4B11-8232-6A5D4FB06E8B}" = PACE System Files
"{339E4BB3-6AE8-4C56-B20C-9F34C429781F}" = MemoryLifter
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35725FBC-A136-4A46-9F29-091759D9BB93}" = MVision
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{5A2BC38A-406C-4A5B-BF45-6991F9A05325}_is1" = PeaZip 2.7.1
"{6869591A-7DD8-46D2-837F-57CBF7358955}" = Nokia Connectivity Cable Driver
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6CE96A14-61E2-48CC-837E-22710A953ADE}" = IBM Themes
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore
"{6E0352EE-6F0D-4FBC-B1B8-4FF032C78BE0}" = PC Connectivity Solution
"{72806716-7088-41B2-8FA6-717A2A164DAB}" = IBM Active Protection System
"{787DAC3C-A935-4843-B7CA-565C08E9BC96}" = Digidesign Mbox 2 Factory
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{82512BC9-BD5D-4C50-BE4D-B98E7DF78687}" = IBM ThinkPad UltraNav Wizard
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver for Mobile
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8F55B163-7B42-42A3-9307-C7FCB9655225}" = PC-Doctor for Windows
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}" = Nokia PC Suite
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = IBM RecordNow!
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}" = IBM ThinkPad Power Manager
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{AFE499B5-FCC4-45E6-A1A5-3C51AE0E539B}" = Mobipocket Creator 4.2
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{BEF726DD-4037-4214-8C6A-E625C02D2870}" = Logitech Audio Echo Cancellation Component
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{DBCD674C-1751-4548-9005-980F03083187}" = Digidesign Shared Plug-Ins
"{DF5AEA57-D8A6-467F-AA50-2ABD5537C758}" = Digidesign 002 Factory
"{e7394a0f-3f80-45b1-87fc-abcd51893246}" = Python 2.6.4
"{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2
"{EA516024-D84D-41F1-814F-83175A6188F2}" = Logitech Video Enumerator
"{EA664480-3844-11D5-8C25-444553540000}" = IBM TrackPoint Accessibility Features
"{EC6AF20D-4376-4070-BEE4-D3A0DFF7E140}" = Access IBM
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{ED386A62-2BA2-4544-A723-5DFFDC283F6A}" = Mobipocket Reader 6.0
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F386C340-DF4B-4BBA-9503-420FB7EDB395}" = Wallpapers
"{F413B3A4-EE5D-457C-BAE5-6E58D9589ED5}" = Access IBM Message Center
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FC081D4D-DF1B-4CF1-B530-027E4118D846}" = IBM ThinkPad Configuration
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"05B59228C7E1C21DFBE89260F879BD95880548D8" = Windows Driver Package - Nokia Modem (10/05/2009 4.2)
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"8CDCFB95BB84DD9C0F88F22266A0CA86035E55BA" = Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Athena" = WebCam for MSN Messenger
"AVG8Uninstall" = AVG Free 8.5
"CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_05591014" = IBM Integrated 56K Modem
"ENTERPRISE" = Microsoft Office Enterprise 2007
"HijackThis" = HijackThis 2.0.2
"InstallShield_{8F55B163-7B42-42A3-9307-C7FCB9655225}" = PC-Doctor for Windows
"InstallShield_{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2
"IrfanView" = IrfanView (remove only)
"Logitech Print Service" = Logitech Print Service
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nokia PC Suite" = Nokia PC Suite
"Power Management Driver" = IBM ThinkPad Power Management Driver
"Presentation Director" = IBM ThinkPad Presentation Director
"ProInst" = Intel® PROSet/Wireless Software
"QcDrv" = Logitech® Camera Driver
"SPT-667 Phrase Trainer_is1" = SPT-667 Phrase Trainer 1
"SynTPDeinstKey" = IBM ThinkPad UltraNav Driver
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"ThinkPadSoftwareInstaller" = Software Installer
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WIC" = Windows Imaging Component
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"wxPython2.8-unicode-py26_is1" = wxPython 2.8.10.1 (unicode) for Python 2.6
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Software Update" = Yahoo! Software Update
"Yahoo!7 Messenger" = Yahoo!7 Messenger

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-327593422-1216937290-874579748-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/30/2009 9:48:03 PM | Computer Name = IBM-FD24CDDA532 | Source = Application Hang | ID = 1002
Description = Hanging application avgtray.exe, version 8.5.0.426, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/1/2009 2:12:07 AM | Computer Name = IBM-FD24CDDA532 | Source = Application Hang | ID = 1002
Description = Hanging application avgtray.exe, version 8.5.0.426, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/1/2009 11:52:08 AM | Computer Name = IBM-FD24CDDA532 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80240016, P2 begininstall, P3 install, P4
1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 NIL,
P10 NIL.

Error - 12/1/2009 9:55:37 PM | Computer Name = IBM-FD24CDDA532 | Source = Application Hang | ID = 1002
Description = Hanging application avgtray.exe, version 8.5.0.426, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/2/2009 12:28:53 AM | Computer Name = IBM-FD24CDDA532 | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/2/2009 2:08:49 AM | Computer Name = IBM-FD24CDDA532 | Source = Application Hang | ID = 1002
Description = Hanging application ymsgr_suite_setup.exe, version 2009.11.16.1, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/2/2009 2:08:53 AM | Computer Name = IBM-FD24CDDA532 | Source = Application Hang | ID = 1002
Description = Hanging application ymsgr_suite_setup.exe, version 2009.11.16.1, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 12/5/2009 4:51:17 AM | Computer Name = IBM-FD24CDDA532 | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070003: Update for Windows XP (KB898461).


< End of report >

----------------------------------------------------------------------------------------------------------------------------------------------
GMER LOG
----------------------------------------------------------------------------------------------------------------------------------------------

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-05 12:26:17
Windows 5.1.2600 Service Pack 3
Running: 7tkpkghy.exe; Driver: C:\DOCUME~1\ad1\LOCALS~1\Temp\kfgcqfoc.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1888] ntdll.dll!NtQueryDirectoryFile + 6 7C90D774 4 Bytes [90, 61, D9, 02] {NOP ; POPA ; FLD DWORD [EDX]}

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 TPInput.sys (IBM SATA Power Management Driver/IBM Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 TPInput.sys (IBM SATA Power Management Driver/IBM Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [83CDB6F2] atapi.sys[.reloc]
Device \Driver\atapi \Device\Ide\IdePort0 [83CDB6F2] atapi.sys[.reloc]
Device \Driver\atapi \Device\Ide\IdePort1 [83CDB6F2] atapi.sys[.reloc]
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [83CDB6F2] atapi.sys[.reloc]

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat A8D5AD20

AttachedDevice \FileSystem\Fastfat \Fat DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.15 ----

File C:\RRUbackups\Documents and Settings 0 bytes
File C:\RRUbackups\Documents and Settings\Administrator 0 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data 0 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft 0 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect 0 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3898458135-2172885111-2270712544-500 0 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3898458135-2172885111-2270712544-500\d897df9c-5cad-4f16-a250-2c77c3ed2392 388 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3898458135-2172885111-2270712544-500\Preferred 24 bytes
File C:\RRUbackups\Documents and Settings\Default User 0 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data 0 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft 0 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect 0 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3898458135-2172885111-2270712544-500 0 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3898458135-2172885111-2270712544-500\d897df9c-5cad-4f16-a250-2c77c3ed2392 388 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3898458135-2172885111-2270712544-500\Preferred 24 bytes
File C:\RRUbackups\hints.dat 8192 bytes
File C:\RRUbackups\pu.dat 224 bytes
File C:\RRUbackups\SAM 262144 bytes
File C:\RRUbackups\system 4980736 bytes
File C:\RRUbackups\system.dat 12288 bytes

---- EOF - GMER 1.0.15 ----


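The OTL custom scan above lists the MD5 of each driver copy found on the disk, and the GMER "Devices" section shows the atapi driver object's dispatch addresses resolving into atapi.sys[.reloc], a section that should hold relocation data rather than code. The following triage helper, added here as an example and not part of OTL, GMER or any post in this thread, parses both formats from pasted log lines: it reports drivers whose live copy in system32\drivers differs from the Service Pack reference copy, and flags GMER Device entries that point into a non-code section. The sample lines are constructed to mirror the log format (the agp440.sys lines are taken from the log above; the atapi.sys MD5 values are made up).

```python
"""Triage helpers for pasted OTL /md5 results and GMER 'Devices' lines.

Added example for this thread, not part of OTL, GMER or any post here.
Sample log lines below are constructed; the atapi.sys MD5s are fake.
"""
import re
from collections import defaultdict

# OTL line: [date time | size | attrs | M] (Company) MD5=HEX -- C:\path\file.sys
OTL_MD5_RE = re.compile(
    r"^\[(?P<stamp>[^\]]+)\]\s+\((?P<company>[^)]*)\)\s+"
    r"MD5=(?P<md5>[0-9A-Fa-f]{32})\s+--\s+(?P<path>.+)$"
)

# GMER line: Device \Driver\atapi \Device\Ide\IdePort0 [83CDB6F2] atapi.sys[.reloc]
GMER_DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+"
    r"\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+?)\[(?P<section>[^\]]+)\]$"
)

# Sections in which a driver's dispatch routines are legitimately expected to live.
CODE_SECTIONS = {".text", "INIT", "PAGE", "PAGELK"}

# Constructed sample: agp440.sys lines copied from the OTL log above, atapi.sys lines
# invented with obviously fake MD5 values so that the live copy differs from the SP copy.
SAMPLE_OTL = [
    r"[2004/08/03 22:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys",
    r"[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys",
    r"[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys",
    r"[2008/04/13 10:36:38 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=CAFEBABECAFEBABECAFEBABECAFEBABE -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys",
    r"[2009/11/28 23:10:02 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=DEADBEEFDEADBEEFDEADBEEFDEADBEEF -- C:\WINDOWS\system32\drivers\atapi.sys",
]

# Constructed sample: one line in the shape of the GMER finding above, one benign line.
SAMPLE_GMER = [
    r"Device \Driver\atapi \Device\Ide\IdePort0 [83CDB6F2] atapi.sys[.reloc]",
    r"Device \Driver\Tcpip \Device\Ip [ABCD1234] tcpip.sys[.text]",
    r"Device \FileSystem\Fastfat \Fat A8D5AD20",
]


def parse_otl_md5(lines):
    """Return {basename: {full_path: MD5}} from OTL custom-scan result lines."""
    found = defaultdict(dict)
    for line in lines:
        m = OTL_MD5_RE.match(line.strip())
        if m:
            path = m.group("path")
            found[path.rsplit("\\", 1)[-1].lower()][path] = m.group("md5").upper()
    return found


def compare_live_driver(found,
                        live_dir=r"c:\windows\system32\drivers",
                        ref_dir=r"c:\windows\servicepackfiles\i386"):
    """Compare each driver's live copy with its Service Pack reference copy.

    Returns {basename: (live_md5, ref_md5)} for drivers whose copies differ.
    The $NtServicePackUninstall$ copy is ignored: it is the pre-SP version and
    is expected to differ from the current one.
    """
    mismatches = {}
    for name, copies in found.items():
        live = ref = None
        for path, md5 in copies.items():
            folder = path.rsplit("\\", 1)[0].lower()
            if folder == live_dir:
                live = md5
            elif folder == ref_dir:
                ref = md5
        if live and ref and live != ref:
            mismatches[name] = (live, ref)
    return mismatches


def flag_gmer_devices(lines):
    """Return (driver, device, module, section) for GMER Device entries whose
    dispatch address resolves into a section that should not contain code."""
    suspicious = []
    for line in lines:
        m = GMER_DEVICE_RE.match(line.strip())
        if m and m.group("section") not in CODE_SECTIONS:
            suspicious.append((m.group("driver"), m.group("device"),
                               m.group("module"), m.group("section")))
    return suspicious


def triage(otl_lines, gmer_lines):
    """Run both checks over pasted log lines and return the combined findings."""
    return {
        "md5_mismatch": compare_live_driver(parse_otl_md5(otl_lines)),
        "noncode_dispatch": flag_gmer_devices(gmer_lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_OTL, SAMPLE_GMER).items():
        print(key, value)
```

A clean driver whose live copy matches the Service Pack copy, like agp440.sys in the log, produces no finding; a driver object whose handlers point into .reloc is reported regardless of the MD5 result, since the on-disk file may be replaced only while the rootkit is not active.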

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:43 AM

Posted 05 December 2009 - 08:24 AM

Let's try this new tool first and see where it gets us.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R), then copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file called "TDSSKiller.txt" should be created on your C: drive. Please copy and paste the contents of that file here.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 willj

willj
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:43 PM

Posted 05 December 2009 - 04:29 PM

Thanks Sam.

The message "Hidden Service detected" did not come up. Have followed your instructions and here is the log:


Host Name: IBM-FD24CDDA532
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Uniprocessor Free
Registered Owner: ad1
Registered Organization:
Product ID: 76487-OEM-0011903-00107
Original Install Date: 10/5/2008, 8:25:58 AM
System Up Time: 0 Days, 0 Hours, 13 Minutes, 15 Seconds
System Manufacturer: IBM
System Model: 18724AM
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 13 Stepping 8 GenuineIntel ~1862 Mhz
BIOS Version: IBM - 1010
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-08:00) Pacific Time (US & Canada); Tijuana
Total Physical Memory: 1,014 MB
Available Physical Memory: 425 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use: 40 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\IBM-FD24CDDA532
Hotfix(s): 88 Hotfix(s) Installed.
[01]: File 1
[02]: File 1
[03]: File 1
[04]: File 1
[05]: File 1
[06]: File 1
[07]: File 1
[08]: File 1
[09]: File 1
[10]: File 1
[11]: File 1
[12]: File 1
[13]: File 1
[14]: File 1
[15]: File 1
[16]: File 1
[17]: File 1
[18]: File 1
[19]: File 1
[20]: File 1
[21]: File 1
[22]: File 1
[23]: File 1
[24]: File 1
[25]: File 1
[26]: File 1
[27]: File 1
[28]: File 1
[29]: File 1
[30]: File 1
[31]: File 1
[32]: File 1
[33]: File 1
[34]: File 1
[35]: File 1
[36]: File 1
[37]: File 1
[38]: File 1
[39]: File 1
[40]: Q147222
[41]: M953297 - Update
[42]: S867460 - Update
[43]: Q954430
[44]: KB923723 - Update
[45]: KB968816_WM9
[46]: KB941569
[47]: MSCompPackV1 - Update
[48]: KB936929 - Service Pack
[49]: KB923561 - Update
[50]: KB946648 - Update
[51]: KB950762 - Update
[52]: KB950974 - Update
[53]: KB951376-v2 - Update
[54]: KB951748 - Update
[55]: KB952004 - Update
[56]: KB952287 - Update
[57]: KB952954 - Update
[58]: KB954550-v5 - Update
[59]: KB955069 - Update
[60]: KB956572 - Update
[61]: KB956803 - Update
[62]: KB956844 - Update
[63]: KB957097 - Update
[64]: KB958644 - Update
[65]: KB960803 - Update
[66]: KB960859 - Update
[67]: KB961371-v2 - Update
[68]: KB961501 - Update
[69]: KB961503 - Update
[70]: KB967715 - Update
[71]: KB968389 - Update
[72]: KB968537 - Update
[73]: KB969059 - Update
[74]: KB970238 - Update
[75]: KB971486 - Update
[76]: KB971557 - Update
[77]: KB971633 - Update
[78]: KB971657 - Update
[79]: KB973507 - Update
[80]: KB973525 - Update
[81]: KB973815 - Update
[82]: KB973869 - Update
[83]: KB974112 - Update
[84]: KB974455 - Update
[85]: KB975025 - Update
[86]: KB975467 - Update
[87]: KB976749 - Update
[88]: XpsEPSC
NetWork Card(s): 2 NIC(s) Installed.
[01]: Broadcom NetXtreme Gigabit Ethernet
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 172.18.49.149
IP address(es)
[01]: 121.210.48.94
[02]: Intel® PRO/Wireless 2200BG Network Connection
Connection Name: Wireless Network Connection
8:28:52:937 3988 ForceUnloadDriver: NtUnloadDriver error 2
8:28:52:937 3988 ForceUnloadDriver: NtUnloadDriver error 2
8:28:52:937 3988 ForceUnloadDriver: NtUnloadDriver error 2
8:28:52:937 3988 main: Driver KLMD successfully dropped
8:28:53:31 3988 main: Driver KLMD successfully loaded
8:28:53:31 3988
Scanning Registry ...
8:28:53:62 3988 ScanServices: Searching service UACd.sys
8:28:53:62 3988 ScanServices: Open/Create key error 2
8:28:53:62 3988 ScanServices: Searching service TDSSserv.sys
8:28:53:62 3988 ScanServices: Open/Create key error 2
8:28:53:62 3988 ScanServices: Searching service gaopdxserv.sys
8:28:53:62 3988 ScanServices: Open/Create key error 2
8:28:53:62 3988 ScanServices: Searching service gxvxcserv.sys
8:28:53:62 3988 ScanServices: Open/Create key error 2
8:28:53:62 3988 ScanServices: Searching service MSIVXserv.sys
8:28:53:62 3988 ScanServices: Open/Create key error 2
8:28:53:62 3988 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
8:28:53:62 3988 UnhookRegistry: Kernel local addr: A30000
8:28:53:156 3988 UnhookRegistry: KeServiceDescriptorTable addr: AAC020
8:28:53:250 3988 UnhookRegistry: KiServiceTable addr: A5AB9C
8:28:53:250 3988 UnhookRegistry: NtEnumerateKey service number (local): 47
8:28:53:250 3988 UnhookRegistry: NtEnumerateKey local addr: B73B72
8:28:53:250 3988 KLMD_OpenDevice: Trying to open KLMD device
8:28:53:250 3988 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
8:28:53:250 3988 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
8:28:53:250 3988 KLMD_ReadMem: Trying to ReadMemory 0x804FE335[0x4]
8:28:53:250 3988 UnhookRegistry: NtEnumerateKey service number (kernel): 47
8:28:53:250 3988 KLMD_ReadMem: Trying to ReadMemory 0x80501CB8[0x4]
8:28:53:250 3988 UnhookRegistry: NtEnumerateKey real addr: 8061AB72
8:28:53:250 3988 UnhookRegistry: NtEnumerateKey calc addr: 8061AB72
8:28:53:250 3988 UnhookRegistry: No SDT hooks found on NtEnumerateKey
8:28:53:250 3988 KLMD_ReadMem: Trying to ReadMemory 0x8061AB72[0xA]
8:28:53:250 3988 UnhookRegistry: No splicing found on NtEnumerateKey
8:28:53:250 3988
Scanning Kernel memory ...
8:28:53:250 3988 KLMD_OpenDevice: Trying to open KLMD device
8:28:53:250 3988 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
8:28:53:250 3988 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
8:28:53:250 3988 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 83D0F910
8:28:53:250 3988 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
8:28:53:250 3988 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 83D55030
8:28:53:250 3988 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83D55030
8:28:53:250 3988 KLMD_ReadMem: Trying to ReadMemory 0x83D55030[0x38]
8:28:53:250 3988 DetectCureTDL3: DRIVER_OBJECT addr: 83D0F910
8:28:53:250 3988 KLMD_ReadMem: Trying to ReadMemory 0x83D0F910[0xA8]
8:28:53:250 3988 KLMD_ReadMem: Trying to ReadMemory 0xE1004ED8[0x208]
8:28:53:250 3988 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
8:28:53:250 3988 DetectCureTDL3: IrpHandler (0) addr: F7606BB0
8:28:53:250 3988 DetectCureTDL3: IrpHandler (1) addr: 804F355A
8:28:53:250 3988 DetectCureTDL3: IrpHandler (2) addr: F7606BB0
8:28:53:250 3988 DetectCureTDL3: IrpHandler (3) addr: F7600D1F
8:28:53:250 3988 DetectCureTDL3: IrpHandler (4) addr: F7600D1F
8:28:53:250 3988 DetectCureTDL3: IrpHandler (5) addr: 804F355A
8:28:53:250 3988 DetectCureTDL3: IrpHandler (6) addr: 804F355A
8:28:53:250 3988 DetectCureTDL3: IrpHandler (7) addr: 804F355A
8:28:53:250 3988 DetectCureTDL3: IrpHandler (8) addr: 804F355A
8:28:53:250 3988 DetectCureTDL3: IrpHandler (9) addr: F76012E2
8:28:53:250 3988 DetectCureTDL3: IrpHandler (10) addr: 804F355A
8:28:53:250 3988 DetectCureTDL3: IrpHandler (11) addr: 804F355A
8:28:53:250 3988 DetectCureTDL3: IrpHandler (12) addr: 804F355A
8:28:53:250 3988 DetectCureTDL3: IrpHandler (13) addr: 804F355A
8:28:53:250 3988 DetectCureTDL3: IrpHandler (14) addr: F76013BB
8:28:53:250 3988 DetectCureTDL3: IrpHandler (15) addr: F7604F28
8:28:53:250 3988 DetectCureTDL3: IrpHandler (16) addr: F76012E2
8:28:53:250 3988 DetectCureTDL3: IrpHandler (17) addr: 804F355A
8:28:53:250 3988 DetectCureTDL3: IrpHandler (18) addr: 804F355A
8:28:53:250 3988 DetectCureTDL3: IrpHandler (19) addr: 804F355A
8:28:53:250 3988 DetectCureTDL3: IrpHandler (20) addr: 804F355A
8:28:53:250 3988 DetectCureTDL3: IrpHandler (21) addr: 804F355A
8:28:53:250 3988 DetectCureTDL3: IrpHandler (22) addr: F7602C82
8:28:53:250 3988 DetectCureTDL3: IrpHandler (23) addr: F760799E
8:28:53:250 3988 DetectCureTDL3: IrpHandler (24) addr: 804F355A
8:28:53:250 3988 DetectCureTDL3: IrpHandler (25) addr: 804F355A
8:28:53:250 3988 DetectCureTDL3: IrpHandler (26) addr: 804F355A
8:28:53:250 3988 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
8:28:53:250 3988 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
8:28:53:265 3988 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 83D453A0
8:28:53:265 3988 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83D453A0
8:28:53:265 3988 KLMD_ReadMem: Trying to ReadMemory 0x83D453A0[0x38]
8:28:53:265 3988 DetectCureTDL3: DRIVER_OBJECT addr: 83D0F910
8:28:53:265 3988 KLMD_ReadMem: Trying to ReadMemory 0x83D0F910[0xA8]
8:28:53:265 3988 KLMD_ReadMem: Trying to ReadMemory 0xE1004ED8[0x208]
8:28:53:265 3988 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
8:28:53:265 3988 DetectCureTDL3: IrpHandler (0) addr: F7606BB0
8:28:53:265 3988 DetectCureTDL3: IrpHandler (1) addr: 804F355A
8:28:53:265 3988 DetectCureTDL3: IrpHandler (2) addr: F7606BB0
8:28:53:265 3988 DetectCureTDL3: IrpHandler (3) addr: F7600D1F
8:28:53:265 3988 DetectCureTDL3: IrpHandler (4) addr: F7600D1F
8:28:53:265 3988 DetectCureTDL3: IrpHandler (5) addr: 804F355A
8:28:53:265 3988 DetectCureTDL3: IrpHandler (6) addr: 804F355A
8:28:53:265 3988 DetectCureTDL3: IrpHandler (7) addr: 804F355A
8:28:53:265 3988 DetectCureTDL3: IrpHandler (8) addr: 804F355A
8:28:53:265 3988 DetectCureTDL3: IrpHandler (9) addr: F76012E2
8:28:53:265 3988 DetectCureTDL3: IrpHandler (10) addr: 804F355A
8:28:53:265 3988 DetectCureTDL3: IrpHandler (11) addr: 804F355A
8:28:53:265 3988 DetectCureTDL3: IrpHandler (12) addr: 804F355A
8:28:53:265 3988 DetectCureTDL3: IrpHandler (13) addr: 804F355A
8:28:53:265 3988 DetectCureTDL3: IrpHandler (14) addr: F76013BB
8:28:53:265 3988 DetectCureTDL3: IrpHandler (15) addr: F7604F28
8:28:53:265 3988 DetectCureTDL3: IrpHandler (16) addr: F76012E2
8:28:53:265 3988 DetectCureTDL3: IrpHandler (17) addr: 804F355A
8:28:53:265 3988 DetectCureTDL3: IrpHandler (18) addr: 804F355A
8:28:53:265 3988 DetectCureTDL3: IrpHandler (19) addr: 804F355A
8:28:53:265 3988 DetectCureTDL3: IrpHandler (20) addr: 804F355A
8:28:53:265 3988 DetectCureTDL3: IrpHandler (21) addr: 804F355A
8:28:53:265 3988 DetectCureTDL3: IrpHandler (22) addr: F7602C82
8:28:53:265 3988 DetectCureTDL3: IrpHandler (23) addr: F760799E
8:28:53:265 3988 DetectCureTDL3: IrpHandler (24) addr: 804F355A
8:28:53:265 3988 DetectCureTDL3: IrpHandler (25) addr: 804F355A
8:28:53:265 3988 DetectCureTDL3: IrpHandler (26) addr: 804F355A
8:28:53:265 3988 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
8:28:53:265 3988 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
8:28:53:281 3988 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 83D54AB8
8:28:53:281 3988 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83D54AB8
8:28:53:281 3988 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 83D559E8
8:28:53:281 3988 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83D559E8
8:28:53:281 3988 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 83D1DD98
8:28:53:281 3988 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83D1DD98
8:28:53:281 3988 KLMD_ReadMem: Trying to ReadMemory 0x83D1DD98[0x38]
8:28:53:281 3988 DetectCureTDL3: DRIVER_OBJECT addr: 83D09D20
8:28:53:281 3988 KLMD_ReadMem: Trying to ReadMemory 0x83D09D20[0xA8]
8:28:53:281 3988 KLMD_ReadMem: Trying to ReadMemory 0xE1A5A740[0x208]
8:28:53:281 3988 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
8:28:53:281 3988 DetectCureTDL3: IrpHandler (0) addr: 83CDB6F2
8:28:53:281 3988 DetectCureTDL3: IrpHandler (1) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (2) addr: 83CDB6F2
8:28:53:281 3988 DetectCureTDL3: IrpHandler (3) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (4) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (5) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (6) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (7) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (8) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (9) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (10) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (11) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (12) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (13) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (14) addr: 83CDB712
8:28:53:281 3988 DetectCureTDL3: IrpHandler (15) addr: 83CD7852
8:28:53:281 3988 DetectCureTDL3: IrpHandler (16) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (17) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (18) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (19) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (20) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (21) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (22) addr: 83CDB73C
8:28:53:281 3988 DetectCureTDL3: IrpHandler (23) addr: 83CE2336
8:28:53:281 3988 DetectCureTDL3: IrpHandler (24) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (25) addr: 804F355A
8:28:53:281 3988 DetectCureTDL3: IrpHandler (26) addr: 804F355A
8:28:53:281 3988 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\atapi.sys
8:28:53:281 3988 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\atapi.sys
8:28:53:296 3988
Completed

Results:
8:28:53:296 3988 Infected / Cured drivers in memory: 0 / 0
8:28:53:296 3988 Infected / Cured drivers on disk: 0 / 0
8:28:53:296 3988 Files deleted on next reboot: 0
8:28:53:296 3988 Registry nodes deleted on next reboot: 0
8:28:53:296 3988

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:43 AM

Posted 06 December 2009 - 09:43 AM

Please disable your antivirus program.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.

    Files to move:
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\System32\Drivers\atapi.sys
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt). Please copy and paste this log into your next reply.

Let me know how your computer is behaving after running this step.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
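
The script above moves the copy of atapi.sys that Service Pack 3 left in ServicePackFiles\i386 over the flagged copy in System32\Drivers. The following is an added example, not code from this thread, from The Avenger or from TDSSKiller: it reproduces that step on constructed files and wraps it in the check a responder would want, a hash comparison of the installed driver against the reference copy before and after the move, with the installed copy kept as a backup the way The Avenger keeps its own in C:\Avenger. The log lines are a constructed excerpt of the TDSSKiller log quoted earlier in the thread, and the file contents are constructed stand-ins; the temporary folder layout mirrors the Windows paths only in name.

```python
"""Added example: verify a boot driver against its Service Pack reference copy
before and after replacing it. Not code from the thread, The Avenger or
TDSSKiller; paths follow the thread, log lines and file contents are constructed."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Constructed excerpt of the TDSSKiller log quoted earlier in the thread.
SAMPLE_LOG_LINES = [
    r"8:28:53:250 3988 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys",
    r"8:28:53:265 3988 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys",
    r"8:28:53:281 3988 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\atapi.sys",
    r"8:28:53:296 3988 Infected / Cured drivers on disk: 0 / 0",
]

PROCESSED_RE = re.compile(r"TDL3_FileDetect: Processing driver file: (\S+)$")


def drivers_checked(log_lines):
    """Unique driver files the scanner examined, in log order. These are the
    candidates worth comparing against a known-good copy regardless of the
    scanner's own verdict (the quoted log reported 0 infected)."""
    seen = []
    for line in log_lines:
        m = PROCESSED_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large drivers are not slurped."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_with_reference(installed, reference):
    """Hash both copies. A mismatch alone does not prove tampering (a later
    hotfix can legitimately update a driver), but for a file an AV product
    has flagged it is the cue to restore the reference copy."""
    installed_hash = sha256_of(installed)
    reference_hash = sha256_of(reference)
    return {
        "installed": installed_hash,
        "reference": reference_hash,
        "match": installed_hash == reference_hash,
    }


def restore_from_reference(installed, reference, backup_dir):
    """Move the installed copy into a backup folder (The Avenger keeps its
    own backups in C:\\Avenger), then copy the reference into place.
    Returns the backup path."""
    installed, reference, backup_dir = Path(installed), Path(reference), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    backup = backup_dir / (installed.name + ".bak")
    shutil.move(str(installed), str(backup))
    shutil.copy2(str(reference), str(installed))
    return backup


def demo():
    """End-to-end run on constructed files in a temporary folder."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        reference = root / "ServicePackFiles" / "i386" / "atapi.sys"
        installed = root / "System32" / "Drivers" / "atapi.sys"
        reference.parent.mkdir(parents=True)
        installed.parent.mkdir(parents=True)
        # Constructed contents: the installed copy carries extra bytes,
        # standing in for a driver that no longer matches the reference.
        clean = b"MZ constructed clean driver image"
        reference.write_bytes(clean)
        installed.write_bytes(clean + b" constructed modification")

        before = compare_with_reference(installed, reference)
        backup = restore_from_reference(installed, reference, root / "Avenger")
        after = compare_with_reference(installed, reference)
        return {
            "checked": drivers_checked(SAMPLE_LOG_LINES),
            "before_match": before["match"],
            "after_match": after["match"],
            "backup_kept": backup.exists(),
        }


if __name__ == "__main__":
    print(demo())
```

On a live system the installed driver is in use, which is why The Avenger schedules the move for the next boot rather than doing it from a running Windows session; the example replaces ordinary files and only illustrates the before/after check and the backup.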

#7 willj

willj
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:43 PM

Posted 07 December 2009 - 01:48 AM

Thanks Sam. I disabled the antivirus before running the avenger. Please see the log below.

Since restarting my computer Mozilla is opening at normal speeds. My folders also seem to be opening at normal speeds. Crucially, the antivirus warning has not reappeared about that file.

Does this mean that the problem has been rectified? I owe you many thanks if so/a donation via the paypal thing.



Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\ServicePackFiles\i386\atapi.sys|C:\WINDOWS\System32\Drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:43 AM

Posted 07 December 2009 - 08:17 AM

Yep! That was it. :(
If everything still seems to be working properly, here are some final steps and recommendations.


It's time to clean up.
  • Double-click OTL.exe to run it.
  • Click on the CleanUp! button
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


================




Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and re-enable System Restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with the instructions from the tutorial above.

  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:( :)


========================================================

#9 willj

willj
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:43 PM

Posted 09 December 2009 - 02:42 AM

Thanks so much Sam. Am configuring the Spybot and Spyware thing now. I take it it won't be too demanding on the speed of my system to leave them permanently running along with my anti-virus?

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:43 AM

Posted 09 December 2009 - 08:39 AM

SpywareBlaster doesn't need to be running in the background in order to work. Just update it, enable all protection, then close the program. With Spybot it varies. Some people notice a slowdown when using TeaTimer from Spybot. If you do, just don't use TeaTimer. You can still use Spybot just by running scans manually once per week or so.


========================================================