Browser keeps getting redirected even after spyware/virus scans


  • This topic is locked
9 replies to this topic

#1 kpmatthe

kpmatthe


Posted 05 December 2009 - 02:47 PM

I'd greatly appreciate it if someone could diagnose the source of my redirection problems. It has been going on for several weeks now and I'm desperate for help. Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:47:05 PM, on 12/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\csrss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS1\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\WINDOWS1\Explorer.EXE
C:\WINDOWS1\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS1\system32\igfxtray.exe
C:\WINDOWS1\system32\hkcmd.exe
C:\WINDOWS1\system32\svchost.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS1\system32\ctfmon.exe
C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS1\system32\wbem\wmiprvse.exe
C:\WINDOWS1\System32\alg.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS1\system32\wuauclt.exe
C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS1\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS1\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS1\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS1\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS1\system32\hkcmd.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS1\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS1\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM ® - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS1\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS1\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} (Cisco NAC Web Agent Control) - https://klink.coastal.edu/auth/taweb.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://netcam1.monmouth.edu/activex/AMC.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Filter hijack: text/html - {f88d9377-6909-4a64-9a38-0ef7ff934684} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS1\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8597 bytes
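An added triage example (not from this thread, and not part of HijackThis) that reads lines in the shape of the log above and flags the entries a helper looks at first: a text/html MIME filter registered with no backing file, hosts entries that are not loopback, start/search URLs on hosts outside a small vendor allowlist, and autostarts loading from a user-writable path. The allowlisted domains and the www.example.com hosts line are constructed assumptions; the other sample lines mirror the posted log.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the shape of the HijackThis log above. The O1 line for
# www.example.com is invented to exercise the hosts check; the rest mirrors the post.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O1 - Hosts: ::1 localhost
O1 - Hosts: 192.0.2.10 www.example.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Filter hijack: text/html - {f88d9377-6909-4a64-9a38-0ef7ff934684} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS1\SYSTEM32\avgrsstx.dll
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
LOOPBACK = {"127.0.0.1", "::1"}
# Assumed allowlist: the vendors an HP laptop running XP/IE8 legitimately points its pages at.
EXPECTED_URL_HOSTS = ("microsoft.com", "hp.com")
# Path fragments that any user process (and so any user-level malware) can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def check_hosts(body):
    """O1: anything other than loopback -> localhost deserves a look."""
    fields = body.split(":", 1)[1].split()
    if len(fields) < 2:
        return None
    addr, name = fields[0], fields[1]
    if addr not in LOOPBACK or name != "localhost":
        return f"hosts file maps {name} to {addr}"
    return None


def check_url(body):
    """R0/R1: start/search page URL whose host is not an expected vendor domain."""
    _, _, value = body.partition(" = ")
    value = value.strip()
    if not value.lower().startswith(("http://", "https://")):
        return None  # empty value, about:blank or a local page
    host = (urlparse(value).hostname or "").lower()
    if not any(host == d or host.endswith("." + d) for d in EXPECTED_URL_HOSTS):
        return f"browser start/search URL points at unexpected host {host!r}"
    return None


def check_filter(body):
    """O18 MIME filter: a text/html filter sees every page before the browser renders it."""
    mime = body.split(":", 1)[1].split(" - ")[0].strip()
    reason = f"MIME filter registered for {mime}"
    if "(no file)" in body:
        reason += "; DLL missing, so the registration is orphaned or the file is hidden"
    return reason


def check_path(body):
    """O2/O4/O9/O16/O18/O20/O23: missing file, or a module under a user-writable path."""
    if "(no file)" in body:
        return "registry entry points to a file that no longer exists"
    low = body.lower()
    if any(marker in low for marker in USER_WRITABLE):
        return "autostart/handler loads from a user-writable location"
    return None


def triage(log_text):
    """Return the log lines worth a second look, in the order they appear."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O1":
            reason = check_hosts(body)
        elif section in ("R0", "R1"):
            reason = check_url(body)
        elif section == "O18" and body.startswith("Filter hijack"):
            reason = check_filter(body)
        else:
            reason = check_path(body)
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

A hit is a prompt for inspection, not a verdict: the Google Update autostart here is legitimate but lives in the user profile, which is exactly why a helper checks the publisher and path before acting.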

#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert



Posted 05 December 2009 - 03:35 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT




  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 kpmatthe

kpmatthe
  • Topic Starter


Posted 06 December 2009 - 11:27 AM

.

Edited by kpmatthe, 07 December 2009 - 10:38 AM.


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert



Posted 06 December 2009 - 11:52 PM

Please do not attach log files unless specifically requested to do so. Just copy the text in the log and then paste it directly into your reply.
It makes it much easier for me to review the information if I can see it all in one place.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


========================================================

#5 kpmatthe

kpmatthe
  • Topic Starter


Posted 07 December 2009 - 10:35 AM

Sorry. The first three log files (OTL.txt, Extras.txt, and GMER.txt) would not all fit in one text box, so I thought I could just attach them. I will post the OTL.txt, Extras.txt, and TDSSKILLER.txt in one text box. My GMER log file is too large to fit inside a text box, so I cannot post it.

Here are OTL.txt, Extras.txt, and TDSSKILLER.txt:

OTL logfile created on: 12/6/2009 11:32:03 AM - Run 1
OTL by OldTimer - Version 3.1.11.7 Folder = C:\Documents and Settings\Kevin\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

246.42 Mb Total Physical Memory | 68.19 Mb Available Physical Memory | 27.67% Memory free
888.97 Mb Paging File | 151.53 Mb Available in Paging File | 17.05% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS1 | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 20.89 Gb Free Space | 37.38% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC-AA68DEB3E1B1
Current User Name: Kevin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/06 11:29:10 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin\Desktop\OTL.exe
PRC - [2009/11/18 15:47:15 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/11/18 15:47:12 | 00,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/11/18 15:47:11 | 00,502,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/11/18 15:47:09 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/11/18 15:46:59 | 02,020,120 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2009/11/18 15:46:48 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/11/01 20:18:53 | 00,136,176 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/07/22 22:44:50 | 01,181,064 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsTray.exe
PRC - [2009/07/22 22:44:48 | 01,097,096 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsSvc.exe
PRC - [2009/03/26 14:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/01/07 12:40:56 | 00,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/08/14 17:11:48 | 00,565,008 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS1\explorer.exe
PRC - [2007/01/04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2005/04/11 15:21:02 | 00,794,624 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
PRC - [2005/03/04 12:16:18 | 00,098,304 | R--- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HPQ\shared\hpqwmi.exe
PRC - [2004/12/13 09:43:26 | 00,155,648 | R--- | M] (Intel Corporation) -- C:\WINDOWS1\system32\igfxtray.exe
PRC - [2004/12/13 09:38:52 | 00,126,976 | R--- | M] (Intel Corporation) -- C:\WINDOWS1\system32\hkcmd.exe
PRC - [2004/12/03 13:24:20 | 00,290,816 | ---- | M] (Hewlett-Packard ) -- C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
PRC - [2004/07/27 13:48:04 | 01,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2002/09/20 15:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2009/12/06 11:29:10 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin\Desktop\OTL.exe
MOD - [2009/02/13 14:16:54 | 00,140,680 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\PCTGMhk.dll
MOD - [2009/02/13 14:11:44 | 00,100,864 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\klg.dat
MOD - [2008/11/13 14:19:40 | 00,148,944 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\smum32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/18 15:46:48 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/07/22 22:44:48 | 01,097,096 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/04/02 15:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/03/26 14:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/01/07 12:40:56 | 00,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2007/01/04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005/03/04 12:16:18 | 00,098,304 | R--- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HPQ\shared\hpqwmi.exe -- (hpqwmi)
SRV - [2004/07/15 01:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS1\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state)
SRV - [2002/09/20 15:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1715567821-789336058-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1715567821-789336058-682003330-1004\S-1-5-21-1715567821-789336058-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


[2009/03/22 18:07:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kevin\Application Data\Mozilla\Extensions
[2009/03/22 18:07:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kevin\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2008/09/30 16:17:07 | 00,000,601 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\fast.src

O1 HOSTS File: (36 bytes) - C:\WINDOWS1\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1715567821-789336058-682003330-1004\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-21-1715567821-789336058-682003330-1004\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-1715567821-789336058-682003330-1004\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS1\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS1\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS1\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [ISTray] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools)
O4 - HKLM..\Run: [LogitechCommunicationsManager] C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS1\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS1\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-1715567821-789336058-682003330-1004..\Run: [Aim6] File not found
O4 - HKU\S-1-5-21-1715567821-789336058-682003330-1004..\Run: [Google Update] C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1715567821-789336058-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: AIM ® - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (America Online, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1715567821-789336058-682003330-1004\..Trusted Domains: 11 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} http://dl.tvunetworks.com/TVUAx.cab (CTVUAxCtrl Object)
O16 - DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} https://klink.coastal.edu/auth/taweb.cab (Cisco NAC Web Agent Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} http://netcam1.monmouth.edu/activex/AMC.cab (AxisMediaControlEmb Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS1\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS1\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS1\System32\igfxsrvc.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/21 17:42:56 | 00,000,100 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS1\system32\ias [2009/03/21 17:07:14 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS1\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 14 Days ==========

[2015/11/04 22:26:26 | 00,000,000 | ---D | C] -- C:\Program Files\Rapidown
[2009/12/06 11:29:23 | 00,536,576 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Kevin\Desktop\OTL.exe
[2009/12/05 00:32:23 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/12/04 01:38:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Application Data\DivX
[2009/12/01 13:42:32 | 00,311,296 | ---- | C] (Koyote Soft - http://www.koyotesoft.com) -- C:\WINDOWS1\System32\TubeFinder.exe
[2009/12/01 13:42:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Application Data\FreeFLVConverter
[2009/12/01 13:42:22 | 00,000,000 | ---D | C] -- C:\Program Files\Free FLV Converter
[2009/12/01 12:30:29 | 00,000,000 | ---D | C] -- C:\WINDOWS1\System32\drivers\UMDF
[2009/11/30 20:07:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Application Data\AVG9
[2009/11/30 13:07:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Desktop\backups
[2009/11/30 12:46:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS1\Application Data\Google
[2009/11/29 23:31:23 | 00,159,600 | ---- | C] (PC Tools) -- C:\WINDOWS1\System32\drivers\pctgntdi.sys
[2009/11/29 23:30:45 | 00,206,256 | ---- | C] (PC Tools) -- C:\WINDOWS1\System32\drivers\PCTCore.sys
[2009/11/29 23:30:45 | 00,073,840 | ---- | C] (PC Tools) -- C:\WINDOWS1\System32\drivers\PCTAppEvent.sys
[2009/11/29 23:30:04 | 00,064,392 | ---- | C] (PC Tools) -- C:\WINDOWS1\System32\drivers\pctplsg.sys
[2009/11/29 16:27:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\My Documents\My eBooks
[2009/11/29 15:31:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\My Documents\Management Resources 2009
[2009/11/28 16:50:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS1\Application Data\Lavasoft
[2009/11/23 10:42:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Local Settings\Application Data\AIM
[2009/11/23 10:42:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS1\Application Data\AIM
[2009/11/23 10:41:28 | 00,000,000 | ---D | C] -- C:\Program Files\AIM
[2009/11/23 10:40:44 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Software Update Utility
[2009/11/22 11:44:55 | 00,000,000 | ---D | C] -- C:\Program Files\CleanMyPC
[6 C:\WINDOWS1\*.tmp files -> C:\WINDOWS1\*.tmp -> ]
[3 C:\WINDOWS1\System32\*.tmp files -> C:\WINDOWS1\System32\*.tmp -> ]
[1 C:\Documents and Settings\Kevin\Desktop\*.tmp files -> C:\Documents and Settings\Kevin\Desktop\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2015/11/04 22:27:37 | 00,000,424 | -H-- | M] () -- C:\WINDOWS1\tasks\User_Feed_Synchronization-{5C8DDB62-2222-4945-A1D4-1F1B6FC481C3}.job
[2009/12/06 11:29:10 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin\Desktop\OTL.exe
[2009/12/06 11:24:48 | 00,000,978 | ---- | M] () -- C:\WINDOWS1\tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-789336058-682003330-1004UA.job
[2009/12/06 11:14:51 | 46,273,602 | ---- | M] () -- C:\WINDOWS1\System32\drivers\Avg\incavi.avm
[2009/12/06 11:08:13 | 00,112,836 | ---- | M] () -- C:\WINDOWS1\System32\drivers\Avg\microavi.avg
[2009/12/06 11:00:18 | 00,000,006 | -H-- | M] () -- C:\WINDOWS1\tasks\SA.DAT
[2009/12/06 10:59:58 | 00,002,048 | --S- | M] () -- C:\WINDOWS1\bootstat.dat
[2009/12/06 10:59:53 | 25,846,1696 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/05 15:34:05 | 03,932,160 | ---- | M] () -- C:\Documents and Settings\Kevin\NTUSER.DAT
[2009/12/05 14:28:46 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Kevin\ntuser.ini
[2009/12/05 00:40:59 | 00,000,036 | ---- | M] () -- C:\WINDOWS1\System32\drivers\etc\hosts
[2009/12/05 00:32:28 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\HijackThis.lnk
[2009/12/05 00:18:32 | 00,002,206 | ---- | M] () -- C:\WINDOWS1\System32\wpa.dbl
[2009/12/05 00:01:09 | 00,000,323 | -HS- | M] () -- C:\boot.ini
[2009/12/05 00:01:07 | 00,000,582 | ---- | M] () -- C:\WINDOWS1\win.ini
[2009/12/05 00:01:07 | 00,000,227 | ---- | M] () -- C:\WINDOWS1\system.ini
[2009/12/04 20:24:59 | 00,000,926 | ---- | M] () -- C:\WINDOWS1\tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-789336058-682003330-1004Core.job
[2009/12/04 18:00:41 | 00,000,444 | ---- | M] () -- C:\WINDOWS1\tasks\ParetoLogic Registration.job
[2009/12/04 15:03:05 | 00,052,224 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\kevin Matthews Business Plan.doc
[2009/12/04 13:39:16 | 00,025,589 | ---- | M] () -- C:\Documents and Settings\Kevin\My Documents\whtpaper graded.docx
[2009/12/04 12:59:17 | 00,040,960 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\Business Plan Template_12_02_09.doc
[2009/12/04 01:36:03 | 00,000,795 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS1\Desktop\DivX Player.lnk
[2009/12/04 01:34:24 | 00,000,831 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS1\Desktop\DivX Converter.lnk
[2009/12/03 00:34:10 | 00,000,416 | ---- | M] () -- C:\WINDOWS1\tasks\ParetoLogic Update Version2.job
[2009/12/02 22:10:49 | 00,000,284 | ---- | M] () -- C:\WINDOWS1\tasks\AppleSoftwareUpdate.job
[2009/12/02 13:55:15 | 00,000,162 | -H-- | M] () -- C:\Documents and Settings\Kevin\Desktop\~$nroe final draft.docx
[2009/12/02 13:53:28 | 00,000,162 | -H-- | M] () -- C:\Documents and Settings\Kevin\Desktop\~$nroe final draft 12.3.docx
[2009/12/02 10:32:48 | 00,000,162 | -H-- | M] () -- C:\Documents and Settings\Kevin\Desktop\~$alyzing the Apple and coca-cola companies12_01 newest.docx
[2009/12/02 00:42:11 | 00,001,374 | ---- | M] () -- C:\WINDOWS1\imsins.BAK
[2009/12/01 17:40:33 | 00,021,794 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS1\Documents\Analyzing the Apple and coca-cola companies12.01.docx
[2009/12/01 17:36:42 | 00,002,517 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\Microsoft Office Word 2007.lnk
[2009/12/01 13:23:56 | 00,013,824 | ---- | M] () -- C:\Documents and Settings\Kevin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/01 12:40:37 | 00,023,392 | ---- | M] () -- C:\WINDOWS1\System32\nscompat.tlb
[2009/12/01 12:40:37 | 00,016,832 | ---- | M] () -- C:\WINDOWS1\System32\amcompat.tlb
[2009/12/01 12:30:48 | 00,000,000 | -H-- | M] () -- C:\WINDOWS1\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2009/11/30 11:34:28 | 07,854,384 | ---- | M] () -- C:\Documents and Settings\Kevin\My Documents\REGISTRY BACKUP 11.30.cab
[2009/11/30 10:41:15 | 00,206,256 | ---- | M] (PC Tools) -- C:\WINDOWS1\System32\drivers\PCTCore.sys
[2009/11/30 10:41:14 | 00,007,396 | ---- | M] () -- C:\WINDOWS1\System32\drivers\pctcore.cat
[2009/11/29 23:30:21 | 00,001,637 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS1\Desktop\Spyware Doctor.lnk
[2009/11/29 15:29:14 | 00,013,424 | ---- | M] () -- C:\Documents and Settings\Kevin\My Documents\KevinMatthewsResume11.30.09.docx
[2009/11/28 14:10:40 | 00,019,178 | ---- | M] () -- C:\Documents and Settings\Kevin\My Documents\Analyzing the Apple and Toyota Corporations.docx
[2009/11/24 00:33:19 | 00,101,472 | ---- | M] () -- C:\Documents and Settings\Kevin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/11/23 17:19:57 | 00,000,125 | ---- | M] () -- C:\Documents and Settings\Kevin\webct_upload_applet.properties
[2009/11/23 10:42:22 | 00,001,087 | -H-- | M] () -- C:\IPH.PH
[2009/11/23 10:41:58 | 00,001,576 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS1\Desktop\AIM.lnk
[2009/11/22 12:08:31 | 00,353,768 | ---- | M] () -- C:\WINDOWS1\System32\FNTCACHE.DAT
[2009/11/22 12:02:22 | 07,581,663 | ---- | M] () -- C:\Documents and Settings\Kevin\My Documents\REGISTRY BACKUP.cab
[6 C:\WINDOWS1\*.tmp files -> C:\WINDOWS1\*.tmp -> ]
[3 C:\WINDOWS1\System32\*.tmp files -> C:\WINDOWS1\System32\*.tmp -> ]
[1 C:\Documents and Settings\Kevin\Desktop\*.tmp files -> C:\Documents and Settings\Kevin\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/05 00:32:27 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\HijackThis.lnk
[2009/12/04 13:39:15 | 00,025,589 | ---- | C] () -- C:\Documents and Settings\Kevin\My Documents\whtpaper graded.docx
[2009/12/04 12:59:59 | 00,052,224 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\kevin Matthews Business Plan.doc
[2009/12/04 12:55:26 | 00,040,960 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\Business Plan Template_12_02_09.doc
[2009/12/04 01:36:03 | 00,000,795 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS1\Desktop\DivX Player.lnk
[2009/12/04 01:34:24 | 00,000,831 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS1\Desktop\DivX Converter.lnk
[2009/12/02 13:55:15 | 00,000,162 | -H-- | C] () -- C:\Documents and Settings\Kevin\Desktop\~$nroe final draft.docx
[2009/12/02 13:53:28 | 00,000,162 | -H-- | C] () -- C:\Documents and Settings\Kevin\Desktop\~$nroe final draft 12.3.docx
[2009/12/02 10:32:48 | 00,000,162 | -H-- | C] () -- C:\Documents and Settings\Kevin\Desktop\~$alyzing the Apple and coca-cola companies12_01 newest.docx
[2009/12/01 17:40:27 | 00,021,794 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS1\Documents\Analyzing the Apple and coca-cola companies12.01.docx
[2009/12/01 13:42:29 | 00,364,544 | ---- | C] () -- C:\WINDOWS1\System32\PropertyGrid.ocx
[2009/12/01 13:42:29 | 00,208,500 | ---- | C] () -- C:\WINDOWS1\System32\ReyXpBasics.tlb
[2009/12/01 13:42:25 | 00,024,576 | ---- | C] () -- C:\WINDOWS1\System32\ControlSubX.ocx
[2009/12/01 12:30:48 | 00,000,000 | -H-- | C] () -- C:\WINDOWS1\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2009/11/30 11:34:27 | 07,854,384 | ---- | C] () -- C:\Documents and Settings\Kevin\My Documents\REGISTRY BACKUP 11.30.cab
[2009/11/30 10:41:14 | 00,007,396 | ---- | C] () -- C:\WINDOWS1\System32\drivers\pctcore.cat
[2009/11/29 23:30:21 | 00,001,637 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS1\Desktop\Spyware Doctor.lnk
[2009/11/29 15:28:09 | 00,013,424 | ---- | C] () -- C:\Documents and Settings\Kevin\My Documents\KevinMatthewsResume11.30.09.docx
[2009/11/25 14:16:45 | 00,019,178 | ---- | C] () -- C:\Documents and Settings\Kevin\My Documents\Analyzing the Apple and Toyota Corporations.docx
[2009/11/23 10:41:58 | 00,001,576 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS1\Desktop\AIM.lnk
[2009/11/22 12:02:21 | 07,581,663 | ---- | C] () -- C:\Documents and Settings\Kevin\My Documents\REGISTRY BACKUP.cab
[2009/06/10 14:14:14 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\Kevin\Local Settings\Application Data\fusioncache.dat
[2009/05/04 14:03:00 | 00,059,904 | ---- | C] () -- C:\WINDOWS1\System32\zlib1.dll
[2009/05/04 13:53:28 | 00,286,720 | ---- | C] () -- C:\WINDOWS1\System32\libcurl.dll
[2009/05/04 13:53:10 | 00,143,360 | ---- | C] () -- C:\WINDOWS1\System32\libexpatw.dll
[2009/04/22 19:01:38 | 00,013,824 | ---- | C] () -- C:\Documents and Settings\Kevin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/14 23:07:25 | 00,066,482 | R--- | C] () -- C:\WINDOWS1\System32\lvcoinst.ini
[2009/03/21 17:41:44 | 00,015,669 | ---- | C] () -- C:\WINDOWS1\System32\oeminfo.ini
[2009/03/21 17:38:21 | 00,204,800 | ---- | C] () -- C:\WINDOWS1\System32\IVIresizeW7.dll
[2009/03/21 17:38:21 | 00,200,704 | ---- | C] () -- C:\WINDOWS1\System32\IVIresizeA6.dll
[2009/03/21 17:38:21 | 00,192,512 | ---- | C] () -- C:\WINDOWS1\System32\IVIresizeP6.dll
[2009/03/21 17:38:21 | 00,192,512 | ---- | C] () -- C:\WINDOWS1\System32\IVIresizeM6.dll
[2009/03/21 17:38:21 | 00,188,416 | ---- | C] () -- C:\WINDOWS1\System32\IVIresizePX.dll
[2009/03/21 17:38:21 | 00,020,480 | ---- | C] () -- C:\WINDOWS1\System32\IVIresize.dll
[2008/07/26 07:25:02 | 00,025,624 | ---- | C] () -- C:\WINDOWS1\System32\drivers\LVPr2Mon.sys
[2005/02/12 03:33:06 | 00,000,000 | ---- | C] () -- C:\WINDOWS1\System32\px.ini

========== LOP Check ==========

[2008/08/04 22:16:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2008/06/15 13:31:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HotSync
[2007/12/29 17:38:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
[2009/01/13 14:53:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OrbNetworks
[2009/03/16 19:51:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/08/04 22:17:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/03/16 20:03:59 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
[2009/03/22 15:34:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS1\Application Data\acccore
[2009/11/23 10:42:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS1\Application Data\AIM
[2009/12/05 14:33:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS1\Application Data\avg9
[2009/08/04 00:53:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS1\Application Data\Cached Installations
[2009/03/24 21:08:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS1\Application Data\HotSync
[2009/03/21 17:42:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS1\Application Data\muvee Technologies
[2009/08/04 00:54:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS1\Application Data\ParetoLogic
[2009/12/06 11:06:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS1\Application Data\TEMP
[2009/09/15 19:43:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS1\Application Data\Viewpoint
[2009/05/08 10:33:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS1\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/03/22 15:54:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kevin\Application Data\acccore
[2009/09/18 17:26:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kevin\Application Data\Aim
[2009/11/30 20:07:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kevin\Application Data\AVG9
[2009/12/01 13:50:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kevin\Application Data\FreeFLVConverter
[2009/03/24 21:08:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kevin\Application Data\HotSync
[2009/03/22 22:41:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kevin\Application Data\InterVideo
[2009/11/11 14:00:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kevin\Application Data\KompoZer
[2009/04/14 22:15:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kevin\Application Data\Leadertech
[2009/11/19 12:18:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kevin\Application Data\LimeWire
[2009/10/19 09:32:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kevin\Application Data\Unity
[2009/05/18 23:03:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kevin\Application Data\Viewpoint
[2009/10/03 19:10:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kevin\Application Data\WinBatch
[2009/12/04 18:00:41 | 00,000,444 | ---- | M] () -- C:\WINDOWS1\Tasks\ParetoLogic Registration.job
[2009/12/03 00:34:10 | 00,000,416 | ---- | M] () -- C:\WINDOWS1\Tasks\ParetoLogic Update Version2.job
[2015/11/04 22:27:37 | 00,000,424 | -H-- | M] () -- C:\WINDOWS1\Tasks\User_Feed_Synchronization-{5C8DDB62-2222-4945-A1D4-1F1B6FC481C3}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2006/04/14 22:05:02 | 00,009,952 | ---- | M] () -- C:\regxpcom.exe


< MD5 for: AGP440.SYS >
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS1\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS1\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS1\ServicePackFiles\i386\atapi.sys
[2004/08/04 07:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS1\$NtServicePackUninstall$\atapi.sys
[2004/08/04 07:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS1\system32\ReinstallBackups\0012\DriverFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS1\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS1\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS1\system32\eventlog.dll
[2004/08/04 07:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 07:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS1\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS1\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS1\system32\netlogon.dll
[2004/08/04 07:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 07:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS1\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 07:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2004/08/04 07:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS1\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS1\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS1\system32\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 184 bytes -> C:\Documents and Settings\All Users.WINDOWS1\Application Data\TEMP:ECF54A0E
@Alternate Data Stream - 169 bytes -> C:\Documents and Settings\All Users.WINDOWS1\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

OTL Extras logfile created on: 12/6/2009 11:32:04 AM - Run 1
OTL by OldTimer - Version 3.1.11.7 Folder = C:\Documents and Settings\Kevin\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

246.42 Mb Total Physical Memory | 68.19 Mb Available Physical Memory | 27.67% Memory free
888.97 Mb Paging File | 151.53 Mb Available in Paging File | 17.05% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS1 | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 20.89 Gb Free Space | 37.38% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC-AA68DEB3E1B1
Current User Name: Kevin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1715567821-789336058-682003330-1004\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger -- (Logitech Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- File not found
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- File not found
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- File not found
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- File not found
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger -- (Logitech Inc.)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found
"C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" = C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe:*:Enabled:Google Chrome -- (Google Inc.)
"C:\Program Files\AIM95\aim.exe" = C:\Program Files\AIM95\aim.exe:*:Enabled:AOL Instant Messenger (SM) -- (America Online, Inc.)
"C:\Program Files\BitLord\BitLord.exe" = C:\Program Files\BitLord\BitLord.exe:*:Enabled:BitLord -- (www.BitLord.com)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic Data Module
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD Plus
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 17
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3AF8FCCD-F51A-4014-9002-F195E1CBC876}" = Logitech QuickCam
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant 1.01 A3
"{534AA552-E1F1-4965-B2AA-FBDEB0730D60}" = muvee autoProducer 4.0 - SE
"{53735ECE-E461-4FD0-B742-23A352436D3A}" = Logitech Updater
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}" = iTunes
"{612DC38A-B36A-4699-88EB-12C7394DE2FC}" = TIxx21
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver for Mobile
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic Audio Module
"{AC76BA86-7AD7-1033-7B44-A00000000001}" = Adobe Reader 6.0.1
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{AFA20D47-69C3-4030-8DF8-D37466E70F13}" = Apple Mobile Device Support
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic Copy Module
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B1C2398C-6FAB-46D1-806C-5942F0829994}" = ParetoLogic Data Recovery
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CEB326EC-8F40-47B2-BA22-BB092565D66F}" = Quick Launch Buttons 5.10 A2
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FD6034A3-655C-49F0-B496-D4CBFD74D7A7}" = Palm Desktop by ACCESS
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM_7" = AIM 7
"AOL® Instant Messenger™" = AOL® Instant Messenger™
"AVG9Uninstall" = AVG Free 9.0
"AXIS Media Control Embedded" = AXIS Media Control Embedded
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"CleanMyPC - Registry Cleaner_is1" = CleanMyPC - Registry Cleaner
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"Free FLV Converter_is1" = Free FLV Converter V 6.7.4
"HijackThis" = HijackThis 2.0.2
"ie8" = Windows Internet Explorer 8
"InstallShield_{612DC38A-B36A-4699-88EB-12C7394DE2FC}" = Texas Instruments PCIxx21/x515 drivers.
"lvdrivers_11.80" = Logitech QuickCam Driver Package
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"PROR" = Microsoft Office Professional 2007
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Spyware Doctor" = Spyware Doctor 6.1
"UnityWebPlayer" = Unity Web Player
"ViewpointMediaPlayer" = Viewpoint Media Player (Remove Only)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1715567821-789336058-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/1/2009 3:12:25 PM | Computer Name = PC-AA68DEB3E1B1 | Source = Application Error | ID = 1000
Description = Faulting application flvtox.exe, version 2.0.0.22, faulting module
unknown, version 0.0.0.0, fault address 0x003dc3c1.

Error - 12/1/2009 3:16:57 PM | Computer Name = PC-AA68DEB3E1B1 | Source = Application Error | ID = 1000
Description = Faulting application flvtox.exe, version 2.0.0.22, faulting module
unknown, version 0.0.0.0, fault address 0x003dc3c1.

Error - 12/1/2009 3:43:43 PM | Computer Name = PC-AA68DEB3E1B1 | Source = Userenv | ID = 1512
Description = Windows cannot unload your registry file. The memory used by the registry
has not been freed. This is often caused by services running as a user account,
try configuring the services to run in either the LocalService or NetworkService
account. If this problem persists, contact your administrator. DETAIL - Insufficient
system resources exist to complete the requested service.

Error - 12/2/2009 1:14:13 PM | Computer Name = PC-AA68DEB3E1B1 | Source = Application Hang | ID = 1002
Description = Hanging application chrome.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/2/2009 1:17:39 PM | Computer Name = PC-AA68DEB3E1B1 | Source = Application Error | ID = 1000
Description = Faulting application avgnsx.exe, version 9.0.0.705, faulting module
avgcfgx.dll, version 9.0.0.663, fault address 0x0001f00e.

Error - 12/2/2009 9:56:54 PM | Computer Name = PC-AA68DEB3E1B1 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

Error - 12/3/2009 12:30:07 AM | Computer Name = PC-AA68DEB3E1B1 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module , version 0.0.0.0, fault address 0x00000000.

Error - 12/3/2009 2:28:25 AM | Computer Name = PC-AA68DEB3E1B1 | Source = Google Update | ID = 20
Description =

Error - 12/4/2009 9:09:09 PM | Computer Name = PC-AA68DEB3E1B1 | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
chrome.dll, version 3.0.195.33, fault address 0x0033facc.

Error - 12/4/2009 9:48:24 PM | Computer Name = PC-AA68DEB3E1B1 | Source = Application Error | ID = 1000
Description = Faulting application avgnsx.exe, version 9.0.0.705, faulting module
kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

[ System Events ]
Error - 12/5/2009 3:34:40 PM | Computer Name = PC-AA68DEB3E1B1 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the PC Tools Security Service
service to connect.

Error - 12/5/2009 3:34:40 PM | Computer Name = PC-AA68DEB3E1B1 | Source = Service Control Manager | ID = 7000
Description = The PC Tools Security Service service failed to start due to the following
error: %%1053

Error - 12/5/2009 3:36:05 PM | Computer Name = PC-AA68DEB3E1B1 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the PC Tools Security Service
service to connect.

Error - 12/5/2009 3:36:05 PM | Computer Name = PC-AA68DEB3E1B1 | Source = Service Control Manager | ID = 7000
Description = The PC Tools Security Service service failed to start due to the following
error: %%1053

Error - 12/6/2009 12:00:24 PM | Computer Name = PC-AA68DEB3E1B1 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/6/2009 12:00:24 PM | Computer Name = PC-AA68DEB3E1B1 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/6/2009 12:04:03 PM | Computer Name = PC-AA68DEB3E1B1 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the PC Tools Security Service
service to connect.

Error - 12/6/2009 12:04:03 PM | Computer Name = PC-AA68DEB3E1B1 | Source = Service Control Manager | ID = 7000
Description = The PC Tools Security Service service failed to start due to the following
error: %%1053

Error - 12/6/2009 12:05:44 PM | Computer Name = PC-AA68DEB3E1B1 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the PC Tools Security Service
service to connect.

Error - 12/6/2009 12:05:44 PM | Computer Name = PC-AA68DEB3E1B1 | Source = Service Control Manager | ID = 7000
Description = The PC Tools Security Service service failed to start due to the following
error: %%1053


< End of report >

TDSSKILLER.txt

10:43:41:875 3448 ForceUnloadDriver: NtUnloadDriver error 2
10:43:41:875 3448 ForceUnloadDriver: NtUnloadDriver error 2
10:43:41:875 3448 ForceUnloadDriver: NtUnloadDriver error 2
10:43:41:875 3448 main: Driver KLMD successfully dropped
10:43:41:921 3448 main: Driver KLMD successfully loaded
10:43:41:921 3448
Scanning Registry ...
10:43:41:921 3448 ScanServices: Searching service UACd.sys
10:43:41:921 3448 ScanServices: Open/Create key error 2
10:43:41:921 3448 ScanServices: Searching service TDSSserv.sys
10:43:41:921 3448 ScanServices: Open/Create key error 2
10:43:41:921 3448 ScanServices: Searching service gaopdxserv.sys
10:43:41:921 3448 ScanServices: Open/Create key error 2
10:43:41:921 3448 ScanServices: Searching service gxvxcserv.sys
10:43:41:921 3448 ScanServices: Open/Create key error 2
10:43:41:921 3448 ScanServices: Searching service MSIVXserv.sys
10:43:41:921 3448 ScanServices: Open/Create key error 2
10:43:41:921 3448 UnhookRegistry: Kernel module file name: C:\windows1\system32\ntkrnlpa.exe, base addr: 804D7000
10:43:41:921 3448 UnhookRegistry: Kernel local addr: 1390000
10:43:41:921 3448 UnhookRegistry: KeServiceDescriptorTable addr: 140C020
10:43:41:921 3448 UnhookRegistry: KiServiceTable addr: 13BAB9C
10:43:41:921 3448 UnhookRegistry: NtEnumerateKey service number (local): 47
10:43:41:921 3448 UnhookRegistry: NtEnumerateKey local addr: 14D3B72
10:43:41:937 3448 KLMD_OpenDevice: Trying to open KLMD device
10:43:41:937 3448 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
10:43:41:937 3448 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
10:43:41:937 3448 KLMD_ReadMem: Trying to ReadMemory 0x804FE335[0x4]
10:43:41:937 3448 UnhookRegistry: NtEnumerateKey service number (kernel): 47
10:43:41:937 3448 KLMD_ReadMem: Trying to ReadMemory 0x80501CB8[0x4]
10:43:41:937 3448 UnhookRegistry: NtEnumerateKey real addr: 8061AB72
10:43:41:937 3448 UnhookRegistry: NtEnumerateKey calc addr: 8061AB72
10:43:41:937 3448 UnhookRegistry: No SDT hooks found on NtEnumerateKey
10:43:41:937 3448 KLMD_ReadMem: Trying to ReadMemory 0x8061AB72[0xA]
10:43:41:937 3448 UnhookRegistry: No splicing found on NtEnumerateKey
10:43:41:937 3448
Scanning Kernel memory ...
10:43:41:937 3448 KLMD_OpenDevice: Trying to open KLMD device
10:43:41:937 3448 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
10:43:41:937 3448 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
10:43:41:937 3448 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 81B4BF38
10:43:41:937 3448 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
10:43:41:937 3448 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 81B0C030
10:43:41:937 3448 KLMD_GetLowerDeviceObject: Trying to get lower device object for 81B0C030
10:43:41:937 3448 KLMD_ReadMem: Trying to ReadMemory 0x81B0C030[0x38]
10:43:41:937 3448 DetectCureTDL3: DRIVER_OBJECT addr: 81B4BF38
10:43:41:937 3448 KLMD_ReadMem: Trying to ReadMemory 0x81B4BF38[0xA8]
10:43:41:937 3448 KLMD_ReadMem: Trying to ReadMemory 0xE16A9850[0x208]
10:43:41:937 3448 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:43:41:937 3448 DetectCureTDL3: IrpHandler (0) addr: F9595BB0
10:43:41:937 3448 DetectCureTDL3: IrpHandler (1) addr: 804F355A
10:43:41:937 3448 DetectCureTDL3: IrpHandler (2) addr: F9595BB0
10:43:41:937 3448 DetectCureTDL3: IrpHandler (3) addr: F958FD1F
10:43:41:937 3448 DetectCureTDL3: IrpHandler (4) addr: F958FD1F
10:43:41:937 3448 DetectCureTDL3: IrpHandler (5) addr: 804F355A
10:43:41:937 3448 DetectCureTDL3: IrpHandler (6) addr: 804F355A
10:43:41:937 3448 DetectCureTDL3: IrpHandler (7) addr: 804F355A
10:43:41:937 3448 DetectCureTDL3: IrpHandler (8) addr: 804F355A
10:43:41:937 3448 DetectCureTDL3: IrpHandler (9) addr: F95902E2
10:43:41:937 3448 DetectCureTDL3: IrpHandler (10) addr: 804F355A
10:43:41:937 3448 DetectCureTDL3: IrpHandler (11) addr: 804F355A
10:43:41:937 3448 DetectCureTDL3: IrpHandler (12) addr: 804F355A
10:43:41:937 3448 DetectCureTDL3: IrpHandler (13) addr: 804F355A
10:43:41:937 3448 DetectCureTDL3: IrpHandler (14) addr: F95903BB
10:43:41:937 3448 DetectCureTDL3: IrpHandler (15) addr: F9593F28
10:43:41:937 3448 DetectCureTDL3: IrpHandler (16) addr: F95902E2
10:43:41:937 3448 DetectCureTDL3: IrpHandler (17) addr: 804F355A
10:43:41:937 3448 DetectCureTDL3: IrpHandler (18) addr: 804F355A
10:43:41:937 3448 DetectCureTDL3: IrpHandler (19) addr: 804F355A
10:43:41:937 3448 DetectCureTDL3: IrpHandler (20) addr: 804F355A
10:43:41:937 3448 DetectCureTDL3: IrpHandler (21) addr: 804F355A
10:43:41:937 3448 DetectCureTDL3: IrpHandler (22) addr: F9591C82
10:43:41:937 3448 DetectCureTDL3: IrpHandler (23) addr: F959699E
10:43:41:937 3448 DetectCureTDL3: IrpHandler (24) addr: 804F355A
10:43:41:937 3448 DetectCureTDL3: IrpHandler (25) addr: 804F355A
10:43:41:937 3448 DetectCureTDL3: IrpHandler (26) addr: 804F355A
10:43:41:937 3448 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
10:43:41:937 3448 KLMD_ReadMem: DeviceIoControl error 1
10:43:41:937 3448 TDL3_StartIoHookDetect: Unable to get StartIo handler code
10:43:41:937 3448 TDL3_FileDetect: Processing driver: Disk
10:43:41:937 3448 TDL3_FileDetect: Parameters: C:\WINDOWS1\system32\drivers\disk.sys, C:\WINDOWS1\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
10:43:41:937 3448 TDL3_FileDetect: Processing driver file: C:\WINDOWS1\system32\drivers\disk.sys
10:43:41:937 3448 KLMD_CreateFileW: Trying to open file C:\WINDOWS1\system32\drivers\disk.sys
10:43:41:984 3448 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 81B4A030
10:43:41:984 3448 KLMD_GetLowerDeviceObject: Trying to get lower device object for 81B4A030
10:43:41:984 3448 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 81B13D80
10:43:41:984 3448 KLMD_GetLowerDeviceObject: Trying to get lower device object for 81B13D80
10:43:41:984 3448 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 81B8E3D8
10:43:41:984 3448 KLMD_GetLowerDeviceObject: Trying to get lower device object for 81B8E3D8
10:43:41:984 3448 KLMD_ReadMem: Trying to ReadMemory 0x81B8E3D8[0x38]
10:43:41:984 3448 DetectCureTDL3: DRIVER_OBJECT addr: 81AECF38
10:43:41:984 3448 KLMD_ReadMem: Trying to ReadMemory 0x81AECF38[0xA8]
10:43:41:984 3448 KLMD_ReadMem: Trying to ReadMemory 0x81B14030[0x38]
10:43:41:984 3448 KLMD_ReadMem: Trying to ReadMemory 0x81B8ED20[0xA8]
10:43:41:984 3448 KLMD_ReadMem: Trying to ReadMemory 0xE16C14B0[0x208]
10:43:41:984 3448 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
10:43:41:984 3448 DetectCureTDL3: IrpHandler (0) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (1) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (2) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (3) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (4) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (5) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (6) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (7) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (8) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (9) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (10) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (11) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (12) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (13) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (14) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (15) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (16) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (17) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (18) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (19) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (20) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (21) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (22) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (23) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (24) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (25) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (26) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: All IRP handlers pointed to one addr: 81B28170
10:43:41:984 3448 KLMD_ReadMem: Trying to ReadMemory 0x81B28170[0x400]
10:43:41:984 3448 TDL3_IrpHookDetect: TDL3 is already cured
10:43:41:984 3448 KLMD_ReadMem: Trying to ReadMemory 0xF93C1864[0x400]
10:43:41:984 3448 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0
10:43:41:984 3448 TDL3_FileDetect: Processing driver: atapi
10:43:41:984 3448 TDL3_FileDetect: Parameters: C:\WINDOWS1\system32\drivers\tsk_atapi.sys, C:\WINDOWS1\system32\Drivers\tsk_tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_tsk_atapi.sys
10:43:41:984 3448 TDL3_FileDetect: Processing driver file: C:\WINDOWS1\system32\drivers\tsk_atapi.sys
10:43:41:984 3448 KLMD_CreateFileW: Trying to open file C:\WINDOWS1\system32\drivers\tsk_atapi.sys
10:43:42:62 3448
Completed

Results:
10:43:42:62 3448 Infected objects in memory: 0
10:43:42:62 3448 Cured objects in memory: 0
10:43:42:62 3448 Infected objects on disk: 0
10:43:42:62 3448 Objects on disk cured on reboot: 0
10:43:42:62 3448 Objects on disk deleted on reboot: 0
10:43:42:62 3448 Registry nodes deleted on reboot: 0
10:43:42:62 3448

Edited by kpmatthe, 07 December 2009 - 10:54 AM.
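
The TDSSKiller output above reports that every IRP handler of \Driver\atapi pointed at one address, while the handlers of \Driver\Disk did not. The Python below is an added example, not part of the original post or of TDSSKiller, that parses that section of such a log and flags drivers whose dispatch table has collapsed to a single address; the sample log is a constructed, abridged excerpt in the format shown above, and the function names are my own.

```python
"""Added example (not TDSSKiller's or the thread's code): parse the
DetectCureTDL3 section of a TDSSKiller log and flag drivers whose IRP
dispatch table collapses to a single address, as the log reports for atapi."""
import re
from collections import OrderedDict

# Line shapes follow the log above: "<hh:mm:ss:ms> <pid> <Routine>: <message>".
_DRIVER_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\\w+, Driver Name: (\w+)")
_IRP_RE = re.compile(r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
_VERDICT_RE = re.compile(r"TDL3_IrpHookDetect: (.+)$")
_RESULT_RE = re.compile(r"^\S+ \d+ ([A-Za-z ]+?): (\d+)$")

# Constructed, abridged excerpt of the thread's log (each handler list cut to 4 entries).
SAMPLE_LOG = r"""10:43:41:937 3448 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:43:41:937 3448 DetectCureTDL3: IrpHandler (0) addr: F9595BB0
10:43:41:937 3448 DetectCureTDL3: IrpHandler (1) addr: 804F355A
10:43:41:937 3448 DetectCureTDL3: IrpHandler (2) addr: F9595BB0
10:43:41:937 3448 DetectCureTDL3: IrpHandler (3) addr: F958FD1F
10:43:41:984 3448 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
10:43:41:984 3448 DetectCureTDL3: IrpHandler (0) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (1) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (2) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: IrpHandler (3) addr: 81B28170
10:43:41:984 3448 DetectCureTDL3: All IRP handlers pointed to one addr: 81B28170
10:43:41:984 3448 TDL3_IrpHookDetect: TDL3 is already cured
Completed

Results:
10:43:42:62 3448 Infected objects in memory: 0
10:43:42:62 3448 Objects on disk cured on reboot: 0
"""

def parse_tdsskiller(text):
    """Return (drivers, verdicts, results): driver -> [(irp_index, address)],
    driver -> TDL3_IrpHookDetect text, and the 'Results:' counters as ints."""
    drivers, verdicts, results = OrderedDict(), {}, {}
    current, in_results = None, False
    for line in text.splitlines():
        line = line.strip()
        if line == "Results:":
            in_results = True
            continue
        if in_results:                      # summary block: "<name>: <count>"
            m = _RESULT_RE.match(line)
            if m:
                results[m.group(1)] = int(m.group(2))
            continue
        m = _DRIVER_RE.search(line)
        if m:                               # a new DRIVER_OBJECT section starts
            current = m.group(1)
            drivers[current] = []
            continue
        if current is None:
            continue
        m = _IRP_RE.search(line)
        if m:                               # one MajorFunction slot of the current driver
            drivers[current].append((int(m.group(1)), int(m.group(2), 16)))
            continue
        m = _VERDICT_RE.search(line)
        if m:
            verdicts[current] = m.group(1)
    return drivers, verdicts, results

def collapsed_dispatch_tables(drivers, min_handlers=2):
    """Driver -> shared address for drivers whose every IRP handler is one address.

    A healthy driver (Disk above) routes different major functions to different
    routines; one address for the whole table is the condition TDSSKiller logs as
    'All IRP handlers pointed to one addr' before running its TDL3 hook checks."""
    return {name: handlers[0][1]
            for name, handlers in drivers.items()
            if len(handlers) >= min_handlers and len({a for _, a in handlers}) == 1}
```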


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:03 AM

Posted 07 December 2009 - 07:02 PM

Please disable your antivirus program.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.

    Files to move:
    C:\WINDOWS1\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\System32\Drivers\atapi.sys
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt). Please copy and paste this log into your next reply.

Let me know how your computer is behaving after running Avenger.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 kpmatthe

kpmatthe
  • Topic Starter


Posted 08 December 2009 - 01:56 AM

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS1\ServicePackFiles\i386\atapi.sys|C:\WINDOWS\System32\Drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert



Posted 08 December 2009 - 09:48 AM

Let me know how your computer is behaving after running Avenger.


How is your computer behaving now?

#9 kpmatthe

kpmatthe
  • Topic Starter


Posted 08 December 2009 - 10:44 AM

It appears that my browser is no longer being redirected! I appreciate all your help! If this happens again in the future, should I run Avenger again? Thanks again!

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert



Posted 09 December 2009 - 08:20 AM

No! You should never run Avenger on your own. It's a very powerful program and should not be used without proper knowledge and/or guidance.

It's time to clean up.
  • Double-click OTL.exe to run it.
  • Click on the CleanUp! button
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


================




Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:( :(



