Google and Yahoo search results hijacked


  • This topic is locked
16 replies to this topic

#1 samlotan

samlotan

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 14 December 2009 - 03:11 AM

The search results from Google and Yahoo on Firefox or Internet Explorer have started bringing you to other sites than the results. Any help in resolving this would be appreciated.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Sam at 1:15:04.00 on Mon 12/14/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2535 [GMT -6:00]

AV: avast! antivirus 4.8.1368 [VPS 091213-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Garmin\gStart.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sam\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [gStart] c:\garmin\gStart.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [Airlink101 WLAN Monitor] c:\program files\airlink101\airlink101 wlan monitor\WLANmon.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [System Files Updater] c:\windows\flyakiteosx\tools\System Files Updater.exe /S
mRun: [SetDefPrt] c:\program files\brother\brmfl04a\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://mygmgw.gm.com/http://usabhembma04.mail.gm.com/iNotes6W.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
LSA: Authentication Packages = msv1_0 relog_ap
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sam\applic~1\mozilla\firefox\profiles\3c022rmn.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/?_bc=1
FF - plugin: c:\documents and settings\sam\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-16 114768]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-5-26 13696]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [2009-5-26 8192]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-16 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-16 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-16 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-16 352920]
S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys --> c:\windows\system32\drivers\AmdTools.sys [?]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [2009-2-21 25728]
S3 AODService;AODService;c:\program files\amd\overdrive\aodassist --> c:\program files\amd\overdrive\AODAssist [?]
S3 N5SG;Airlink101 SuperG Wireless Network Adapter Service;c:\windows\system32\drivers\N5SG.sys [2006-11-3 467040]

=============== Created Last 30 ================

2009-12-11 20:57:51 0 d-----w- c:\program files\iPod
2009-12-11 20:57:48 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-04 13:42:13 0 d-----w- C:\2e11cd110d260ff173fddfc221cfc3

==================== Find3M ====================

2009-12-03 22:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-11 10:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-02-26 16:51:01 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-02-26 16:51:01 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-02-26 16:51:01 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 1:16:23.43 ===============



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:29 AM

Posted 14 December 2009 - 08:47 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT




  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 samlotan

samlotan
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 14 December 2009 - 02:36 PM

Thank you for your attention. The following is the OTL, Extras, and GMER results.

OTL logfile created on: 12/14/2009 10:58:55 AM - Run 1
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\Sam\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 931.51 Gb Total Space | 734.57 Gb Free Space | 78.86% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DESKTOP
Current User Name: Sam
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/14 10:57:41 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sam\Desktop\OTL.exe
PRC - [2009/12/04 10:22:35 | 02,752,560 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\Setup\avast.setup
PRC - [2009/11/24 17:51:40 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 17:51:35 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 17:51:21 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 17:48:48 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 17:43:56 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/11/12 16:33:10 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/11/07 20:42:14 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/02/25 15:27:41 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2008/12/18 13:32:52 | 00,049,152 | ---- | M] (Advanced Micro Devices Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/08/13 14:34:08 | 01,891,416 | ---- | M] (GARMIN Corp.) -- C:\Garmin\gStart.exe
PRC - [2008/05/01 22:15:46 | 00,015,872 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
PRC - [2008/04/13 22:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/24 11:36:22 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2007/10/30 19:51:44 | 00,492,720 | ---- | M] () -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
PRC - [2007/10/30 19:11:48 | 00,909,208 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
PRC - [2007/10/30 19:07:40 | 00,140,568 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2007/10/30 19:07:38 | 00,427,288 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2007/10/30 19:06:42 | 02,595,616 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2007/10/16 20:04:12 | 01,094,936 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2007/04/10 14:28:44 | 16,126,464 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2006/11/13 12:39:54 | 04,270,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
PRC - [2006/11/13 12:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2006/11/13 12:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2006/10/12 21:38:04 | 00,958,464 | ---- | M] () -- C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WlanMon.exe
PRC - [2006/06/29 19:34:20 | 00,049,152 | ---- | M] (Alpha Networks Inc.) -- C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
PRC - [2004/07/20 08:34:28 | 00,851,968 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\ControlCenter2\brctrcen.exe
PRC - [2004/06/14 20:09:06 | 00,073,728 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
PRC - [2004/04/14 16:46:50 | 00,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
PRC - [2004/03/26 18:30:12 | 00,819,200 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
PRC - [2003/07/14 22:45:18 | 00,196,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\outlook.exe
PRC - [2003/05/05 18:30:22 | 00,065,536 | ---- | M] (Brother Industries, Ltd.) -- C:\WINDOWS\system32\Brmfrmps.exe
PRC - [2002/04/12 02:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe
PRC - [2001/12/13 02:01:00 | 00,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brss01a.exe


========== Modules (SafeList) ==========

MOD - [2009/12/14 10:57:41 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sam\Desktop\OTL.exe
MOD - [2008/05/01 22:15:35 | 00,004,608 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (NMIndexingService)
SRV - [2009/11/24 17:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 17:51:21 | 00,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 17:48:48 | 00,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 17:43:56 | 00,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/05/03 21:19:41 | 00,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/02/25 15:27:41 | 00,602,112 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2009/02/25 14:15:00 | 00,593,920 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/10/10 04:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/08/04 06:53:06 | 00,065,536 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AMD\OverDrive\AODAssist.exe -- (AODService)
SRV - [2008/01/24 11:36:22 | 00,073,728 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2007/10/30 19:51:44 | 00,492,720 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe -- (TryAndDecideService)
SRV - [2007/10/30 19:07:38 | 00,427,288 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2007/10/16 20:04:12 | 01,094,936 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2006/07/03 17:22:58 | 00,049,152 | ---- | M] (Alpha Networks Inc.) [Auto | Stopped] -- C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe -- (ANIWZCSdService)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003/05/05 18:30:22 | 00,065,536 | ---- | M] (Brother Industries, Ltd.) [Auto | Running] -- C:\WINDOWS\System32\Brmfrmps.exe -- (brmfrmps)
SRV - [2002/04/12 02:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd) [Auto | Running] -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-299502267-583907252-1606980848-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKU\S-1-5-21-299502267-583907252-1606980848-1003\S-1-5-21-299502267-583907252-1606980848-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 7171
FF - prefs.js..network.proxy.type: 1

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/11 14:55:26 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/11 14:55:25 | 00,000,000 | ---D | M]

[2009/02/14 16:31:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Extensions
[2009/02/15 23:24:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rm1n.Default\extensions
[2009/02/15 23:22:36 | 00,000,000 | ---D | M] (macbird) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rm1n.Default\extensions\{2564ae73-58ac-4aab-9a32-b531c778b549}
[2009/02/15 23:15:03 | 00,000,000 | ---D | M] (macfoxIIgraphite) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rm1n.Default\extensions\{a883dc70-3e3e-11db-a98b-0800200c9a66}
[2009/12/13 22:43:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions
[2009/10/18 07:43:27 | 00,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2009/07/08 04:26:08 | 00,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/08/09 00:30:11 | 00,000,000 | ---D | M] (jDownFF) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions\{a3b24d40-bac4-11dc-95ff-0800200c9a66}
[2009/07/09 17:56:09 | 00,000,000 | ---D | M] (iFox Smooth) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions\{d3d70bca-2d54-425e-b02c-b7e2f4b07688}
[2009/02/14 16:31:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\iqs3nny1.default\extensions
[2009/02/15 17:51:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\lwvafais.default\extensions
[2009/12/13 22:43:46 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (796 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com
O1 - Hosts: 127.0.0.1 activate.adobe.com
O3 - HKU\S-1-5-21-299502267-583907252-1606980848-1003\..\Toolbar\WebBrowser: (ZoneAlarm Spy Blocker Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll File not found
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Airlink101 WLAN Monitor] C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WlanMon.exe ()
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Alpha Networks Inc.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe (Brother Industories, Ltd.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [System Files Updater] C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe ()
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKU\S-1-5-21-299502267-583907252-1606980848-1003..\Run: [gStart] C:\Garmin\gStart.exe (GARMIN Corp.)
O4 - HKU\S-1-5-21-299502267-583907252-1606980848-1003..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe (Brother Industries, Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-299502267-583907252-1606980848-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} https://mygmgw.gm.com/http://usabhembma04.m...om/iNotes6W.cab (iNotes6 Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.238.96.12 68.238.64.12
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/14 16:25:33 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/02/14 16:24:46 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (53202219457052672)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/14 10:57:40 | 00,538,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sam\Desktop\OTL.exe
[2009/12/14 01:20:27 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Sam\Desktop\RootRepeal.exe
[2009/12/11 14:57:51 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/12/11 14:57:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/12/11 14:54:56 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/12/11 14:50:31 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/12/06 23:33:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Sam\Local Settings\Application Data\Deployment
[2009/12/04 07:42:13 | 00,000,000 | ---D | C] -- C:\2e11cd110d260ff173fddfc221cfc3
[2009/05/29 19:05:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Acronis
[2009/02/26 10:51:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/02/21 17:25:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/02/14 16:30:51 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/02/14 16:30:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/02/14 16:30:43 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/02/14 16:30:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/14 10:58:10 | 00,636,354 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/14 10:58:10 | 00,164,604 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/14 10:58:10 | 00,072,794 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/14 10:57:41 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sam\Desktop\OTL.exe
[2009/12/14 10:57:06 | 06,291,456 | -H-- | M] () -- C:\Documents and Settings\Sam\NTUSER.DAT
[2009/12/14 10:56:39 | 00,000,007 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME
[2009/12/14 03:09:44 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/14 03:09:38 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/14 02:27:07 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Sam\ntuser.ini
[2009/12/14 01:20:28 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Sam\Desktop\RootRepeal.exe
[2009/12/14 01:14:45 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\dds.scr
[2009/12/13 20:53:38 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/12 21:43:47 | 00,002,497 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\Microsoft Office Word 2003.lnk
[2009/12/11 14:59:53 | 00,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/12/11 14:55:16 | 00,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/12/11 14:45:08 | 00,001,854 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2009/12/04 10:40:07 | 02,097,352 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/04 10:23:15 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/12/04 07:44:21 | 00,049,784 | ---- | M] () -- C:\Documents and Settings\Sam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/12/04 07:36:01 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/14 01:14:44 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\dds.scr
[2009/12/11 14:59:53 | 00,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/12/11 14:55:16 | 00,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/08/05 21:39:13 | 00,270,848 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/07/22 12:31:23 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2009/06/29 12:13:38 | 00,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2009/06/03 11:23:33 | 00,000,040 | ---- | C] () -- C:\WINDOWS\opt_2460.ini
[2009/05/18 04:55:30 | 00,000,229 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/05/12 21:11:07 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2009/05/12 21:11:07 | 00,012,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2009/05/12 21:08:55 | 00,000,204 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2009/05/12 21:07:11 | 00,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2009/05/12 20:31:50 | 00,005,810 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009/04/21 19:31:35 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2009/03/08 13:44:47 | 00,000,054 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2009/03/03 20:30:35 | 00,000,123 | ---- | C] () -- C:\Documents and Settings\Sam\Application Data\default.rss
[2009/02/28 08:00:47 | 00,002,528 | ---- | C] () -- C:\Documents and Settings\Sam\Application Data\$_hpcst$.hpc
[2009/02/18 18:23:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\WB.ini
[2009/02/14 17:43:42 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2009/02/14 17:42:44 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\JJAKEn.dll
[2009/02/14 17:41:46 | 00,005,120 | ---- | C] () -- C:\Documents and Settings\Sam\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/14 17:40:02 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/14 17:36:57 | 00,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2009/02/14 17:35:02 | 00,000,777 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2009/02/14 17:35:02 | 00,000,459 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2009/02/14 17:35:02 | 00,000,092 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2009/02/14 17:35:02 | 00,000,079 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2009/02/14 17:28:11 | 00,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2009/02/14 16:42:33 | 00,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2009/02/14 16:42:33 | 00,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2009/02/14 16:42:31 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Wininit.ini
[2009/02/14 16:42:26 | 00,028,672 | ---- | C] () -- C:\WINDOWS\CMIRmDriver.dll
[2009/02/14 16:00:26 | 00,098,304 | ---- | C] () -- C:\WINDOWS\System32\SSGK2PNP.DLL
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/04 12:16:34 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll

========== LOP Check ==========

[2009/05/29 19:02:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2009/02/15 21:11:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
[2009/10/18 07:18:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GARMIN
[2009/03/08 15:51:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2009/05/28 20:43:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PassMark
[2009/02/14 17:27:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2009/12/11 14:58:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/05/17 15:44:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/07/06 17:49:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Greg\Application Data\ScanSoft
[2009/05/29 19:05:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Acronis
[2009/12/12 19:15:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Desktopicon
[2009/10/18 22:34:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\GARMIN
[2009/05/30 00:25:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\MSNInstaller
[2009/03/08 13:44:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\ScanSoft
[2009/12/12 21:16:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\uTorrent

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: ATAPI.SYS >
[2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 02:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys
[2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys
[2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys
[2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 22:41:54 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/13 22:41:54 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 22:42:02 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/13 22:42:02 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NVATA.SYS >
[2005/05/17 16:45:08 | 00,092,800 | ---- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\system32\drivers\nvata.sys

< MD5 for: SCECLI.DLL >
[2008/04/13 22:42:06 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/13 22:42:06 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >


OTL Extras logfile created on: 12/14/2009 10:58:55 AM - Run 1
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\Sam\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 931.51 Gb Total Space | 734.57 Gb Free Space | 78.86% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DESKTOP
Current User Name: Sam
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = SafariHTML] -- C:\Program Files\Safari\Safari.exe (Apple Inc.)

[HKEY_USERS\S-1-5-21-299502267-583907252-1606980848-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Safari\Safari.exe" -url "%1" (Apple Inc.)
https [open] -- "C:\Program Files\Safari\Safari.exe" -url "%1" (Apple Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"E:\Installation\Setupx.exe" = E:\Installation\Setupx.exe:*:Enabled:Nero ProductSetup -- File not found
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{068E5E60-C039-4706-AB3D-F9589B8BACA2}" = WolfQuest
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
"{0E0DF90C-D0BA-4C89-9262-AD78D1A3DE51}" = HP USB Disk Storage Format Tool
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 17
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{3248F0A8-6813-11D6-A77B-00B0D0150010}" = J2SE Runtime Environment 5.0 Update 1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{36CDA33B-909B-4719-97D1-C4B99309BDC7}" = ATI Parental Control & Encoder
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3F60AFEB-B35F-44DD-B6DB-9ECF2F80E41E}" = T Utility Over Clock III
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{402613C2-6CA5-48E5-8B9C-0BED1D502A19}" = AMD OverDrive
"{40A6C96D-808E-41DD-8716-617AB6B0F1F1}" = Brother MFL-Pro Suite
"{4324BC93-C82F-ED16-BA86-5E34B9E05303}" = ccc-core-static
"{47759129-8649-47D1-9EA5-4BB84D86DB97}" = WLAN Monitor
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4C590030-7469-453E-8589-D15DA9D03F52}" = ANIWZCS2 Service
"{4ED118EE-785C-CC18-5D2E-D5CA4BAA03F0}" = Catalyst Control Center Graphics Full New
"{539475B7-44B7-8B0A-134C-F01B9C8B7569}" = ccc-core-preinstall
"{53C239F5-7E23-493D-8FB6-F8EEEA5C2154}" = Garmin Training Center
"{548EAC70-EE00-11DD-908C-005056806466}" = Google Earth
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5AC7AE54-55DF-1126-076C-623F008D40B6}" = Catalyst Control Center Graphics Full Existing
"{633A06C3-B709-479A-AAB3-5EE94AD9EE4B}" = Acronis True Image Home
"{6351D217-3EE3-1967-29BE-6A77635FE485}" = Skins
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
"{67A48ED5-0B6A-470A-995C-B8F1942E8AB9}" = Diskeeper 2008 Pro Premier
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6AB9CD3A-F91F-233B-923B-6C59BA63524D}" = Catalyst Control Center HydraVision Full
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}" = ANIO Service
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{85A91C22-C369-FCFB-5F1F-D59EB21AD0E1}" = CCC Help English
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = VC 9.0 Runtime
"{A17EABB6-D0C6-44E5-820C-72DC7F495064}" = PaperPort
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A6D0140F-E62F-9D1E-2408-9CFF91FF6FC8}" = ccc-utility
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
"{C44A7422-E380-44BE-79FE-1C032D8A03A7}" = Catalyst Control Center Core Implementation
"{C4D26D60-7B43-4CE9-AE19-A380D9DF126B}" = Garmin MapSource
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEA20FED-A903-46A2-B197-789B4456B508}" = HW Monitor
"{CF8C077A-B467-4C43-8DB5-3A9B94FF9681}" = LightScribe System Software 1.12.29.2
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}" = Safari
"{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
"{E5D24929-91A4-B0A1-DE00-AFC453921EF7}" = Catalyst Control Center Graphics Light
"{E6C09BFB-BA75-15C7-5B18-A2CE31C4F42B}" = Catalyst Control Center Graphics Previews Common
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{EA1A669B-302B-4E6E-BD23-FA5572A7A85C}" = AMD Power Monitor
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F43C7DE1-CB20-11DD-8D77-005056806466}" = Google Earth Plugin
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
"53F13DB4D9611FD63BE580F06F0729BF236ABE68" = Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"avast!" = avast! Antivirus
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"FlyakiteOSX" = FlyakiteOSX
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{47759129-8649-47D1-9EA5-4BB84D86DB97}" = WLAN Monitor
"LimeWire" = LimeWire 4.8.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Maui_Wowee_1.0" = Ancient Sudoku
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mighty Math Carnival Countdown" = Mighty Math Carnival Countdown
"Mighty Math Zoo Zillions" = Mighty Math Zoo Zillions
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MVApplication1" = SureThing CD Labeler 4 SE
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"NeroVision!UninstallKey" = NeroVision Express 3
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"OSM-PH Garmin maps" = OSM-PH Garmin maps 20090912
"PerformanceTest 7_is1" = PerformanceTest v7.0
"Samsung ML-4500 Series" = Samsung ML-4500 Series Driver
"SOUNDmeter" = SOUNDmeter (remove only)
"TurboTax 2008" = TurboTax 2008
"Unlocker" = Unlocker 1.8.7
"WBFS Manager 3.0" = WBFS Manager 3.0
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinRAR archiver" = WinRAR archiver

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-299502267-583907252-1606980848-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{373B1718-8CC5-4567-8EE2-9033AD08A680}" = Roblox for Sam
"d38eed663557f41f" = G6 Save Converter v0.33
"Move Media Player" = Move Media Player
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 8/6/2009 1:54:35 AM | Computer Name = DESKTOP | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
G:\Recycled\Dg2.poi failed, 00000570.

Error - 8/30/2009 1:21:48 PM | Computer Name = DESKTOP | Source = avast! | ID = 33554522
Description = AAVM - scanning error: DriverScanListenThread: DeviceIoControl [IOCTL_AAVM_START_REQUEST_AND_SET_RESULTS/2]
failed, 000005AA.

Error - 11/7/2009 4:22:49 PM | Computer Name = DESKTOP | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://cn2.kaboodle.com/ht/scripts/related...?v=r0_56_0_89-1 failed, 0000A413.


Error - 11/8/2009 11:54:49 AM | Computer Name = DESKTOP | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://www.officemax.com/js/lightbox.js failed, 0000A413.

Error - 11/9/2009 3:14:52 PM | Computer Name = DESKTOP | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
G:\abram par 20.doc failed, 0000001E.

[ Application Events ]
Error - 12/14/2009 1:33:42 AM | Computer Name = DESKTOP | Source = LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. BaseIndex value from Performance
registry
is the first DWORD in Data section, LastCounter value is the second DWORD in Data
section, and LastHelp value is the third DWORD in Data section.

Error - 12/14/2009 1:33:42 AM | Computer Name = DESKTOP | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 12/14/2009 1:53:28 AM | Computer Name = DESKTOP | Source = LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. BaseIndex value from Performance
registry
is the first DWORD in Data section, LastCounter value is the second DWORD in Data
section, and LastHelp value is the third DWORD in Data section.

Error - 12/14/2009 1:53:28 AM | Computer Name = DESKTOP | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 12/14/2009 1:59:56 AM | Computer Name = DESKTOP | Source = LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. BaseIndex value from Performance
registry
is the first DWORD in Data section, LastCounter value is the second DWORD in Data
section, and LastHelp value is the third DWORD in Data section.

Error - 12/14/2009 1:59:56 AM | Computer Name = DESKTOP | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 12/14/2009 5:14:45 AM | Computer Name = DESKTOP | Source = LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. BaseIndex value from Performance
registry
is the first DWORD in Data section, LastCounter value is the second DWORD in Data
section, and LastHelp value is the third DWORD in Data section.

Error - 12/14/2009 5:14:45 AM | Computer Name = DESKTOP | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 12/14/2009 12:58:07 PM | Computer Name = DESKTOP | Source = LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. BaseIndex value from Performance
registry
is the first DWORD in Data section, LastCounter value is the second DWORD in Data
section, and LastHelp value is the third DWORD in Data section.

Error - 12/14/2009 12:58:07 PM | Computer Name = DESKTOP | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

[ System Events ]
Error - 12/14/2009 1:29:39 AM | Computer Name = DESKTOP | Source = Service Control Manager | ID = 7000
Description = The Intuit Update Service service failed to start due to the following
error: %%1053

Error - 12/14/2009 1:48:48 AM | Computer Name = DESKTOP | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/14/2009 1:48:48 AM | Computer Name = DESKTOP | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/14/2009 1:49:17 AM | Computer Name = DESKTOP | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Intuit Update Service
service to connect.

Error - 12/14/2009 1:49:17 AM | Computer Name = DESKTOP | Source = Service Control Manager | ID = 7000
Description = The Intuit Update Service service failed to start due to the following
error: %%1053

Error - 12/14/2009 3:15:07 AM | Computer Name = DESKTOP | Source = Service Control Manager | ID = 7016
Description = The BrSplService service has reported an invalid current state 0.

Error - 12/14/2009 5:10:04 AM | Computer Name = DESKTOP | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/14/2009 5:10:04 AM | Computer Name = DESKTOP | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/14/2009 5:10:29 AM | Computer Name = DESKTOP | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Intuit Update Service
service to connect.

Error - 12/14/2009 5:10:29 AM | Computer Name = DESKTOP | Source = Service Control Manager | ID = 7000
Description = The Intuit Update Service service failed to start due to the following
error: %%1053


< End of report >


GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-14 13:35:19
Windows 5.1.2600 Service Pack 3
Running: z27pck4r.exe; Driver: C:\DOCUME~1\Sam\LOCALS~1\Temp\fxddapoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0x97A776B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0x97A77574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0x97A77A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x97A7714C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0x97A7764E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x97A7708C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0x97A770F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0x97A7776E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0x97A7772E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0x97A778AE]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB44F1000, 0x1C5D58, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1036] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\WINDOWS\system32\svchost.exe[1660] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 026F000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[1444] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003A0002
IAT C:\WINDOWS\system32\services.exe[1444] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003A0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usb_rndisx \Device\{E28A93D9-6DF9-4EF5-95EE-26DAD9146F77} RNDISMPX.SYS (Remote NDIS Miniport/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8ADC1618

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Sam\ntload.dll 29696 bytes executable
File C:\Documents and Settings\Sam\Start Menu\Programs\Startup\scandisk.dll 29696 bytes executable
File C:\Documents and Settings\Sam\Start Menu\Programs\Startup\scandisk.lnk 645 bytes
File C:\acad.exe 8704 bytes executable
File C:\dens.exe 19968 bytes executable
File C:\enhs.exe 52736 bytes executable
File C:\WINDOWS\system32\notepad.dll 29696 bytes executable
File C:\WINDOWS\system32\config\systemprofile\ntload.dll 29696 bytes executable
File C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll 29696 bytes executable
File C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk 651 bytes
File C:\WINDOWS\Temp\ntload.dll 29696 bytes executable
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
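As an added example (not part of the original post, and not GMER's own code), the Python below parses the kinds of lines GMER printed above and flags three things a helper reading this log would look at first: user-mode hooks whose JMP or IAT target GMER could not attribute to any loaded module (the svchost.exe CoCreateInstance hook to 026F000A and the two services.exe CreateProcess IAT entries, as opposed to the Explorer hook, which names UnlockerHook.dll), groups of executables that share one byte size under different names (the 29696-byte ntload.dll / scandisk.dll / notepad.dll copies), and any file GMER marks "suspicious modification" (atapi.sys). The embedded sample log is constructed from a subset of the lines above; the threshold of three same-size executables is an assumption, not a GMER rule.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not GMER's code)."""
import re
from collections import defaultdict
from typing import List, NamedTuple


class Finding(NamedTuple):
    kind: str     # "unbacked_hook", "modified_driver" or "size_cluster"
    subject: str  # what the finding is about (hooked function, path, or size group)


# Inline hook line: ".text <proc>[pid] <dll!func> <addr> N Bytes JMP <target> [<module path>]"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<func>\S+)\s+[0-9A-F]{8}\s+\d+ Bytes\s+"
    r"JMP\s+(?P<target>[0-9A-F]{8})(?:\s+(?P<module>\S.*))?$"
)
# IAT hook line: "IAT <proc>[pid] @ <image> [<dll!func>] <target> [<module path>]"
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?\[\d+\])\s+@\s+.+?\s+\[(?P<func>[^\]]+)\]\s+"
    r"(?P<target>[0-9A-F]{8})(?:\s+(?P<module>\S.*))?$"
)
# Files section: "File <path> <size> bytes [executable]" or "File <path> suspicious modification"
FILE_RE = re.compile(
    r"^File\s+(?P<path>.+?)\s+(?:(?P<size>\d+) bytes(?P<exe> executable)?"
    r"|(?P<note>suspicious modification))$"
)

# Constructed sample: a subset of the GMER lines from the post, same shape as the real log.
SAMPLE_GMER_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1036] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\WINDOWS\system32\svchost.exe[1660] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 026F000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[1444] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003A0002
IAT C:\WINDOWS\system32\services.exe[1444] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003A0000

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Sam\ntload.dll 29696 bytes executable
File C:\Documents and Settings\Sam\Start Menu\Programs\Startup\scandisk.dll 29696 bytes executable
File C:\Documents and Settings\Sam\Start Menu\Programs\Startup\scandisk.lnk 645 bytes
File C:\acad.exe 8704 bytes executable
File C:\WINDOWS\system32\notepad.dll 29696 bytes executable
File C:\WINDOWS\Temp\ntload.dll 29696 bytes executable
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""


def triage(log_text: str, min_cluster: int = 3) -> List[Finding]:
    """Return findings in log order; same-size clusters are appended at the end."""
    findings: List[Finding] = []
    size_to_paths = defaultdict(set)  # executable size -> distinct paths with that size

    for raw in log_text.splitlines():
        line = raw.strip()
        hook = HOOK_RE.match(line) or IAT_RE.match(line)
        if hook:
            # GMER appends the owning module when the target lies inside a loaded
            # image; a bare address means the hook points into unbacked memory.
            if hook.group("module") is None:
                findings.append(Finding(
                    "unbacked_hook",
                    f"{hook.group('proc')} {hook.group('func')} -> {hook.group('target')}"))
            continue
        entry = FILE_RE.match(line)
        if not entry:
            continue
        if entry.group("note"):
            findings.append(Finding("modified_driver", entry.group("path")))
        elif entry.group("exe"):
            size_to_paths[int(entry.group("size"))].add(entry.group("path"))

    # Several executables of exactly the same size under different names is the
    # pattern of one dropper payload copied to several autostart locations.
    for size, paths in sorted(size_to_paths.items()):
        if len(paths) >= min_cluster:
            findings.append(Finding(
                "size_cluster",
                f"{size} bytes x{len(paths)}: " + "; ".join(sorted(paths))))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_GMER_LOG):
        print(f"[{f.kind}] {f.subject}")
```

Run it against a saved GMER log with `triage(open("gmer.log").read())`; the Unlocker hook is correctly left alone because GMER attributed it to a module, while the three hooks into unbacked memory, the four 29696-byte copies and the modified atapi.sys are reported.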

#4 samlotan (Topic Starter)

Posted 14 December 2009 - 05:24 PM

Buckeye Sam

Some additional information. While GMER was scanning, avast detected win32:malware-gen in 4 files. After GMER finished scanning I copied the results and attached them above. I then disconnected the computer from the network. I restarted the computer and ran avast; then I got "sign of rootkit: hidden file found", 4 files:
c:\windows\system32\config\systemprofile\ntload.dll,
c:\windows\system32\config\systemprofile\start menu\programs\startup\scandisk.dll,
c:\windows\system32\notepad.dll,
c:\windows\temp\ntload.dll

Avast suggested deleting the files; after hitting delete it came up with "virus found in memory, run boot scan before deleting", so I hit reboot to run the bootscan. The bootscan completed and now I have a warning that the computer is infected.

I tried running avast again but the whole process repeated: it found the 4 files above, I tried to delete them, and I got the virus-in-memory warning.

Hope this info helps. Seems like it is getting worse. The computer is disconnected. Your help is greatly appreciated.

#5 Buckeye_Sam (Malware Expert)

Posted 14 December 2009 - 09:19 PM

Yeah, you've got a real mess on your hands here. I see two very serious infections and the tool that we would normally use is currently unavailable.
We're going to have to work around that issue and use some alternate methods.

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\Documents and Settings\Sam\ntload.dll 
C:\Documents and Settings\Sam\Start Menu\Programs\Startup\scandisk.dll 
C:\Documents and Settings\Sam\Start Menu\Programs\Startup\scandisk.lnk 
C:\acad.exe 
C:\dens.exe 
C:\enhs.exe 
C:\WINDOWS\system32\notepad.dll 
C:\WINDOWS\system32\config\systemprofile\ntload.dll 
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll 
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk 
C:\WINDOWS\Temp\ntload.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.



=====================

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • If prompted to reboot, please do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 samlotan (Topic Starter)

Posted 15 December 2009 - 08:44 AM

Buckeye Sam

Listed below are the logs of Avenger and TDSSKiller. Unfortunately, I mistakenly hit the TDSSKiller icon before copying the command into Run, so I am not sure if that affected the log.

Also, while running TDSSKiller, avast antivirus started finding viruses, so after completing TDSSKiller a bootscan was performed with avast, and this time it found 19 files infected by viruses. Should the avast antivirus be off when running the programs you are suggesting? I hope it is not messing things up. Let me know if you want avast off.

Lastly, when the computer boots up now the wallpaper is a green background with a box in the middle telling you that the computer is infected, and in the lower right corner there is a red circle with an X; every so often a balloon pops up and says "click here to remove malware", etc. I tried to go into Task Manager but it says it is locked by the administrator. I also tried to change the wallpaper, and clicking on other choices doesn't do anything.

Appreciate your help.

Sam

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Documents and Settings\Sam\ntload.dll" deleted successfully.
File "C:\Documents and Settings\Sam\Start Menu\Programs\Startup\scandisk.dll" deleted successfully.
File "C:\Documents and Settings\Sam\Start Menu\Programs\Startup\scandisk.lnk" deleted successfully.
File "C:\acad.exe" deleted successfully.
File "C:\dens.exe" deleted successfully.
File "C:\enhs.exe" deleted successfully.
File "C:\WINDOWS\system32\notepad.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\config\systemprofile\ntload.dll" not found!
Deletion of file "C:\WINDOWS\system32\config\systemprofile\ntload.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll" not found!
Deletion of file "C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk" deleted successfully.
File "C:\WINDOWS\Temp\ntload.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Host Name: DESKTOP
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Samuel Tan
Registered Organization:
Product ID: 55274-640-8365391-23250
Original Install Date: 2/14/2009, 4:29:36 PM
System Up Time: 0 Days, 0 Hours, 18 Minutes, 41 Seconds
System Manufacturer: BIOSTAR Group
System Model: TA790GXB A2+
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 16 Model 4 Stepping 2 AuthenticAMD ~1596 Mhz
BIOS Version: 011309 - 20090113
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-06:00) Central Time (US & Canada)
Total Physical Memory: 3,327 MB
Available Physical Memory: 2,714 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,002 MB
Virtual Memory: In Use: 46 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\DESKTOP
Hotfix(s): 165 Hotfix(s) Installed.
[01]: File 1
[02]: File 1
[03]: File 1
[04]: File 1
[05]: File 1
[06]: File 1
[07]: File 1
[08]: File 1
[09]: File 1
[10]: File 1
[11]: File 1
[12]: File 1
[13]: File 1
[14]: File 1
[15]: File 1
[16]: File 1
[17]: File 1
[18]: File 1
[19]: File 1
[20]: File 1
[21]: File 1
[22]: File 1
[23]: File 1
[24]: File 1
[25]: File 1
[26]: File 1
[27]: File 1
[28]: File 1
[29]: File 1
[30]: File 1
[31]: File 1
[32]: File 1
[33]: File 1
[34]: File 1
[35]: File 1
[36]: File 1
[37]: File 1
[38]: File 1
[39]: File 1
[40]: File 1
[41]: File 1
[42]: File 1
[43]: File 1
[44]: File 1
[45]: File 1
[46]: File 1
[47]: File 1
[48]: File 1
[49]: File 1
[50]: File 1
[51]: File 1
[52]: File 1
[53]: File 1
[54]: File 1
[55]: File 1
[56]: File 1
[57]: File 1
[58]: File 1
[59]: File 1
[60]: File 1
[61]: File 1
[62]: File 1
[63]: File 1
[64]: File 1
[65]: File 1
[66]: File 1
[67]: File 1
[68]: File 1
[69]: File 1
[70]: File 1
[71]: File 1
[72]: File 1
[73]: File 1
[74]: File 1
[75]: File 1
[76]: File 1
[77]: File 1
[78]: Q147222
[79]: Q954430
[80]: Q973688
[81]: IDNMitigationAPIs - Update
[82]: NLSDownlevelMapping - Update
[83]: KB952069_WM9
[84]: KB954155_WM9
[85]: KB968816_WM9
[86]: KB973540_WM9
[87]: KB923689
[88]: KB941569
[89]: KB938127-v2-IE7 - Update
[90]: KB956390-IE7 - Update
[91]: KB961260-IE7 - Update
[92]: KB963027-IE7 - Update
[93]: KB969897-IE8 - Update
[94]: KB971180-IE8 - Update
[95]: KB971961-IE8 - Update
[96]: KB972260-IE8 - Update
[97]: KB974455-IE8 - Update
[98]: KB976749-IE8 - Update
[99]: KB898461 - Update
[100]: KB923561 - Update
[101]: KB938464 - Update
[102]: KB946648 - Update
[103]: KB950760 - Update
[104]: KB950762 - Update
[105]: KB950974 - Update
[106]: KB951066 - Update
[107]: KB951376-v2 - Update
[108]: KB951698 - Update
[109]: KB951748 - Update
[110]: KB951978 - Update
[111]: KB952004 - Update
[112]: KB952287 - Update
[113]: KB952954 - Update
[114]: KB954211 - Update
[115]: KB954459 - Update
[116]: KB954550-v5 - Update
[117]: KB954600 - Update
[118]: KB955069 - Update
[119]: KB955839 - Update
[120]: KB956572 - Update
[121]: KB956744 - Update
[122]: KB956802 - Update
[123]: KB956803 - Update
[124]: KB956841 - Update
[125]: KB956844 - Update
[126]: KB957097 - Update
[127]: KB958215 - Update
[128]: KB958644 - Update
[129]: KB958687 - Update
[130]: KB958690 - Update
[131]: KB958869 - Update
[132]: KB959426 - Update
[133]: KB960225 - Update
[134]: KB960714 - Update
[135]: KB960715 - Update
[136]: KB960803 - Update
[137]: KB960859 - Update
[138]: KB961118 - Update
[139]: KB961371 - Update
[140]: KB961373 - Update
[141]: KB961501 - Update
[142]: KB967715 - Update
[143]: KB968389 - Update
[144]: KB968537 - Update
[145]: KB969059 - Update
[146]: KB969898 - Update
[147]: KB969947 - Update
[148]: KB970238 - Update
[149]: KB970653-v3 - Update
[150]: KB971486 - Update
[151]: KB971557 - Update
[152]: KB971633 - Update
[153]: KB971657 - Update
[154]: KB973346 - Update
[155]: KB973354 - Update
[156]: KB973507 - Update
[157]: KB973525 - Update
[158]: KB973687 - Update
[159]: KB973815 - Update
[160]: KB973869 - Update
[161]: KB974112 - Update
[162]: KB974571 - Update
[163]: KB975025 - Update
[164]: KB975467 - Update
[165]: KB976098-v2 - Update
NetWork Card(s): 3 NIC(s) Installed.
[01]: 1394 Net Adapter
Connection Name: 1394 Connection
DHCP Enabled: Yes
DHCP Server: N/A
IP address(es)
[02]: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC
Connection Name: Local Area Connection 6
DHCP Enabled: Yes
DHCP Server: 192.168.0.1
IP address(es)
[01]: 192.168.0.103
[03]: Airlink101 SuperG Wireless Cardbus Adapter
Connection Name: Wireless Network Connection 3
7:29:58:312 956 ForceUnloadDriver: NtUnloadDriver error 2
7:29:58:312 956 ForceUnloadDriver: NtUnloadDriver error 2
7:29:58:312 956 ForceUnloadDriver: NtUnloadDriver error 2
7:29:58:312 956 main: Driver KLMD successfully dropped
7:29:58:312 956 main: Driver KLMD successfully loaded
7:29:58:312 956
Scanning Registry ...
7:29:58:312 956 ScanServices: Searching service UACd.sys
7:29:58:312 956 ScanServices: Open/Create key error 2
7:29:58:312 956 ScanServices: Searching service TDSSserv.sys
7:29:58:312 956 ScanServices: Open/Create key error 2
7:29:58:312 956 ScanServices: Searching service gaopdxserv.sys
7:29:58:312 956 ScanServices: Open/Create key error 2
7:29:58:312 956 ScanServices: Searching service gxvxcserv.sys
7:29:58:312 956 ScanServices: Open/Create key error 2
7:29:58:312 956 ScanServices: Searching service MSIVXserv.sys
7:29:58:312 956 ScanServices: Open/Create key error 2
7:29:58:312 956 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
7:29:58:312 956 UnhookRegistry: Kernel local addr: E40000
7:29:58:312 956 UnhookRegistry: KeServiceDescriptorTable addr: EC5700
7:29:58:328 956 UnhookRegistry: KiServiceTable addr: E6D460
7:29:58:328 956 UnhookRegistry: NtEnumerateKey service number (local): 47
7:29:58:328 956 UnhookRegistry: NtEnumerateKey local addr: F8CFF2
7:29:58:328 956 KLMD_OpenDevice: Trying to open KLMD device
7:29:58:328 956 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
7:29:58:328 956 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
7:29:58:328 956 KLMD_ReadMem: Trying to ReadMemory 0x805002C9[0x4]
7:29:58:328 956 UnhookRegistry: NtEnumerateKey service number (kernel): 47
7:29:58:328 956 KLMD_ReadMem: Trying to ReadMemory 0x8050457C[0x4]
7:29:58:328 956 UnhookRegistry: NtEnumerateKey real addr: 80623FF2
7:29:58:328 956 UnhookRegistry: NtEnumerateKey calc addr: 80623FF2
7:29:58:328 956 UnhookRegistry: No SDT hooks found on NtEnumerateKey
7:29:58:328 956 KLMD_ReadMem: Trying to ReadMemory 0x80623FF2[0xA]
7:29:58:328 956 UnhookRegistry: No splicing found on NtEnumerateKey
7:29:58:328 956
Scanning Kernel memory ...
7:29:58:328 956 KLMD_OpenDevice: Trying to open KLMD device
7:29:58:328 956 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
7:29:58:328 956 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
7:29:58:328 956 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8B40F8F0
7:29:58:328 956 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
7:29:58:328 956 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8AFDBC68
7:29:58:328 956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AFDBC68
7:29:58:328 956 KLMD_ReadMem: Trying to ReadMemory 0x8AFDBC68[0x38]
7:29:58:328 956 DetectCureTDL3: DRIVER_OBJECT addr: 8B40F8F0
7:29:58:328 956 KLMD_ReadMem: Trying to ReadMemory 0x8B40F8F0[0xA8]
7:29:58:328 956 KLMD_ReadMem: Trying to ReadMemory 0xE10148A8[0x208]
7:29:58:328 956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
7:29:58:328 956 DetectCureTDL3: IrpHandler (0) addr: BA11EBB0
7:29:58:328 956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
7:29:58:328 956 DetectCureTDL3: IrpHandler (2) addr: BA11EBB0
7:29:58:328 956 DetectCureTDL3: IrpHandler (3) addr: BA118D1F
7:29:58:328 956 DetectCureTDL3: IrpHandler (4) addr: BA118D1F
7:29:58:328 956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
7:29:58:328 956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
7:29:58:328 956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
7:29:58:328 956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
7:29:58:328 956 DetectCureTDL3: IrpHandler (9) addr: BA1192E2
7:29:58:328 956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
7:29:58:328 956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
7:29:58:328 956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
7:29:58:328 956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
7:29:58:328 956 DetectCureTDL3: IrpHandler (14) addr: BA1193BB
7:29:58:328 956 DetectCureTDL3: IrpHandler (15) addr: BA11CF28
7:29:58:328 956 DetectCureTDL3: IrpHandler (16) addr: BA1192E2
7:29:58:328 956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
7:29:58:328 956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
7:29:58:328 956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
7:29:58:328 956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
7:29:58:328 956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
7:29:58:328 956 DetectCureTDL3: IrpHandler (22) addr: BA11AC82
7:29:58:328 956 DetectCureTDL3: IrpHandler (23) addr: BA11F99E
7:29:58:328 956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
7:29:58:328 956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
7:29:58:328 956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
7:29:58:328 956 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
7:29:58:328 956 KLMD_ReadMem: DeviceIoControl error 1
7:29:58:328 956 TDL3_StartIoHookDetect: Unable to get StartIo handler code
7:29:58:328 956 TDL3_FileDetect: Processing driver: Disk
7:29:58:328 956 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
7:29:58:328 956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
7:29:58:328 956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
7:29:58:343 956 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8A729408
7:29:58:343 956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A729408
7:29:58:343 956 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8B04EEA0
7:29:58:343 956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B04EEA0
7:29:58:343 956 KLMD_ReadMem: Trying to ReadMemory 0x8B04EEA0[0x38]
7:29:58:343 956 DetectCureTDL3: DRIVER_OBJECT addr: 8B16D2B0
7:29:58:343 956 KLMD_ReadMem: Trying to ReadMemory 0x8B16D2B0[0xA8]
7:29:58:343 956 KLMD_ReadMem: Trying to ReadMemory 0xE10034C0[0x208]
7:29:58:343 956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
7:29:58:343 956 DetectCureTDL3: IrpHandler (0) addr: B3913218
7:29:58:343 956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (2) addr: B3913218
7:29:58:343 956 DetectCureTDL3: IrpHandler (3) addr: B391323C
7:29:58:343 956 DetectCureTDL3: IrpHandler (4) addr: B391323C
7:29:58:343 956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (9) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (14) addr: B3913180
7:29:58:343 956 DetectCureTDL3: IrpHandler (15) addr: B390E9E6
7:29:58:343 956 DetectCureTDL3: IrpHandler (16) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (22) addr: B39125F0
7:29:58:343 956 DetectCureTDL3: IrpHandler (23) addr: B3910A6E
7:29:58:343 956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
7:29:58:343 956 KLMD_ReadMem: Trying to ReadMemory 0xB390FF26[0x400]
7:29:58:343 956 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
7:29:58:343 956 TDL3_FileDetect: Processing driver: USBSTOR
7:29:58:343 956 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\tsk_usbstor.sys, SYSTEM\CurrentControlSet\Services\USBSTOR, system32\Drivers\tsk_usbstor.sys
7:29:58:343 956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys
7:29:58:343 956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys
7:29:58:343 956 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8B3319F0
7:29:58:343 956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B3319F0
7:29:58:343 956 KLMD_ReadMem: Trying to ReadMemory 0x8B3319F0[0x38]
7:29:58:343 956 DetectCureTDL3: DRIVER_OBJECT addr: 8B40F8F0
7:29:58:343 956 KLMD_ReadMem: Trying to ReadMemory 0x8B40F8F0[0xA8]
7:29:58:343 956 KLMD_ReadMem: Trying to ReadMemory 0xE10148A8[0x208]
7:29:58:343 956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
7:29:58:343 956 DetectCureTDL3: IrpHandler (0) addr: BA11EBB0
7:29:58:343 956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (2) addr: BA11EBB0
7:29:58:343 956 DetectCureTDL3: IrpHandler (3) addr: BA118D1F
7:29:58:343 956 DetectCureTDL3: IrpHandler (4) addr: BA118D1F
7:29:58:343 956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (9) addr: BA1192E2
7:29:58:343 956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (14) addr: BA1193BB
7:29:58:343 956 DetectCureTDL3: IrpHandler (15) addr: BA11CF28
7:29:58:343 956 DetectCureTDL3: IrpHandler (16) addr: BA1192E2
7:29:58:343 956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
7:29:58:343 956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
7:29:58:359 956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
7:29:58:359 956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
7:29:58:359 956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
7:29:58:359 956 DetectCureTDL3: IrpHandler (22) addr: BA11AC82
7:29:58:359 956 DetectCureTDL3: IrpHandler (23) addr: BA11F99E
7:29:58:359 956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
7:29:58:359 956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
7:29:58:359 956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
7:29:58:359 956 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
7:29:58:359 956 KLMD_ReadMem: DeviceIoControl error 1
7:29:58:359 956 TDL3_StartIoHookDetect: Unable to get StartIo handler code
7:29:58:359 956 TDL3_FileDetect: Processing driver: Disk
7:29:58:359 956 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
7:29:58:359 956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
7:29:58:359 956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
7:29:58:359 956 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 8B334AB8
7:29:58:359 956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B334AB8
7:29:58:359 956 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 8B33C3B8
7:29:58:359 956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B33C3B8
7:29:58:359 956 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 8B380940
7:29:58:359 956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B380940
7:29:58:359 956 KLMD_ReadMem: Trying to ReadMemory 0x8B380940[0x38]
7:29:58:359 956 DetectCureTDL3: DRIVER_OBJECT addr: 8B3FFE18
7:29:58:359 956 KLMD_ReadMem: Trying to ReadMemory 0x8B3FFE18[0xA8]
7:29:58:359 956 KLMD_ReadMem: Trying to ReadMemory 0x8B33D030[0x38]
7:29:58:359 956 KLMD_ReadMem: Trying to ReadMemory 0x8B3F98D0[0xA8]
7:29:58:359 956 KLMD_ReadMem: Trying to ReadMemory 0xE1B6AD58[0x208]
7:29:58:359 956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
7:29:58:359 956 DetectCureTDL3: IrpHandler (0) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (1) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (2) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (3) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (4) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (5) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (6) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (7) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (8) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (9) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (10) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (11) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (12) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (13) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (14) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (15) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (16) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (17) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (18) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (19) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (20) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (21) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (22) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (23) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (24) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (25) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: IrpHandler (26) addr: 8B341618
7:29:58:359 956 DetectCureTDL3: All IRP handlers pointed to one addr: 8B341618
7:29:58:359 956 KLMD_ReadMem: Trying to ReadMemory 0x8B341618[0x400]
7:29:58:359 956 TDL3_IrpHookDetect: TDL3 is already cured
7:29:58:359 956 KLMD_ReadMem: Trying to ReadMemory 0x8B3414BF[0x400]
7:29:58:359 956 TDL3_StartIoHookDetect: CheckParameters: 7, FFDF0308, 334, 0
7:29:58:359 956 TDL3_FileDetect: Processing driver: atapi
7:29:58:359 956 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\tsk_atapi.sys, C:\WINDOWS\system32\Drivers\tsk_tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_tsk_atapi.sys
7:29:58:359 956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tsk_atapi.sys
7:29:58:359 956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\tsk_atapi.sys
7:29:58:375 956
Completed

Results:
7:29:58:375 956 Infected objects in memory: 0
7:29:58:375 956 Cured objects in memory: 0
7:29:58:375 956 Infected objects on disk: 0
7:29:58:375 956 Objects on disk cured on reboot: 0
7:29:58:375 956 Objects on disk deleted on reboot: 0
7:29:58:375 956 Registry nodes deleted on reboot: 0
7:29:58:375 956

Edited by samlotan, 15 December 2009 - 02:52 PM.
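The TDSSKiller log above shows the check the tool performs for TDL3: it walks the storage device stack down to the lowest driver object (here \Driver\atapi), reads the DRIVER_OBJECT's MajorFunction table, and prints one IrpHandler line per slot. For the disk driver the slots split between disk.sys routines (BA11xxxx) and the kernel's default handler for unsupported requests (804F4562); for atapi every one of the 27 slots points at a single pool address, 8B341618, which is what the "All IRP handlers pointed to one addr" line is about. The tool then reports the hook as already cured, which is why the summary counts are all zero. The Python below is an added example of mine, not TDSSKiller's code, that applies the same heuristic to log lines in this format; the sample log is constructed (a Disk table shaped like the one above, a made-up clean PartMgr table, and an atapi table collapsed onto one address), and the rule that an address appearing in two or more drivers' tables is a shared kernel stub is an assumption of the example, not something the tool states.

```python
import re
from collections import OrderedDict

# TDSSKiller prints one "IrpHandler (n) addr: X" line per MajorFunction slot, n = 0..26.
EXPECTED_SLOTS = 27

RE_DRIVER = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
RE_HANDLER = re.compile(r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
RE_VERDICT = re.compile(r"TDL3_IrpHookDetect: (.+?)\s*$")


def parse_tdsskiller(lines):
    """Group IrpHandler lines under the DRIVER_OBJECT line that precedes them.

    Returns an ordered dict: driver name -> {"handlers": {slot: int addr}, "verdict": str|None}.
    """
    drivers = OrderedDict()
    current = None
    for line in lines:
        m = RE_DRIVER.search(line)
        if m:
            current = m.group(2)
            drivers[current] = {"handlers": {}, "verdict": None}
            continue
        if current is None:
            continue
        m = RE_HANDLER.search(line)
        if m:
            drivers[current]["handlers"][int(m.group(1))] = int(m.group(2), 16)
            continue
        m = RE_VERDICT.search(line)
        if m:
            drivers[current]["verdict"] = m.group(1)
    return drivers


def analyse(drivers):
    """Flag driver objects whose whole MajorFunction table collapsed onto one address.

    The I/O manager pre-fills every MajorFunction slot with its default "invalid request"
    routine and a driver overwrites only the slots it supports, so a clean table mixes the
    driver's own routines with that shared kernel stub. An address that appears in the
    tables of two or more different drivers is treated here as such a stub (assumption of
    this example); a table of 27 identical entries that is NOT a shared stub is the pattern
    TDL3 leaves behind and is reported as suspicious. A pass-through filter that routes
    every IRP through one dispatch routine would also trip this, so treat it as "inspect".
    """
    seen_in = {}
    for name, rec in drivers.items():
        for addr in set(rec["handlers"].values()):
            seen_in.setdefault(addr, set()).add(name)
    shared_stubs = {addr for addr, names in seen_in.items() if len(names) >= 2}

    findings = OrderedDict()
    for name, rec in drivers.items():
        handlers = rec["handlers"]
        distinct = set(handlers.values())
        complete = len(handlers) == EXPECTED_SLOTS
        collapsed = complete and len(distinct) == 1
        only = next(iter(distinct)) if collapsed else None
        findings[name] = {
            "complete": complete,
            "distinct_addrs": len(distinct),
            "collapsed_to": f"{only:08X}" if collapsed else None,
            "suspicious": collapsed and only not in shared_stubs,
            "verdict": rec["verdict"],
        }
    return findings


def suspicious_drivers(lines):
    """Convenience wrapper: names of driver objects the heuristic flags, in log order."""
    return [name for name, f in analyse(parse_tdsskiller(lines)).items() if f["suspicious"]]


# --- Constructed sample in TDSSKiller's log format (not a real log) -------------------
KERNEL_STUB = 0x804F4562   # the address the posted log shows for unsupported IRPs


def _block(name, table):
    """Lines for one driver object: the DRIVER_OBJECT header plus 27 IrpHandler lines."""
    lines = [f"7:29:58:359 956 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\{name}, Driver Name: {name}"]
    lines += [f"7:29:58:359 956 DetectCureTDL3: IrpHandler ({i}) addr: {addr:08X}"
              for i, addr in enumerate(table)]
    return lines


def _clean_table(base, own_slots):
    """A clean driver: its own routine (fake address base+i) in the slots it supports, stub elsewhere."""
    return [base + i if i in own_slots else KERNEL_STUB for i in range(EXPECTED_SLOTS)]


SAMPLE_LOG = (
    _block("Disk", _clean_table(0xBA118000, {0, 2, 3, 4, 9, 14, 15, 16, 22, 23}))
    + _block("PartMgr", _clean_table(0xBA130000, {0, 2, 14, 15, 22}))   # constructed clean driver
    + _block("atapi", [0x8B341618] * EXPECTED_SLOTS)                   # hooked: every slot -> one pool address
    + ["7:29:58:359 956 DetectCureTDL3: All IRP handlers pointed to one addr: 8B341618",
       "7:29:58:359 956 TDL3_IrpHookDetect: TDL3 is already cured"]
)

if __name__ == "__main__":
    for name, f in analyse(parse_tdsskiller(SAMPLE_LOG)).items():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{name:8s} distinct={f['distinct_addrs']:2d} collapsed_to={f['collapsed_to']} "
              f"verdict={f['verdict']!r} -> {flag}")
```

Run it on a real TDSSKiller log by passing the file's lines to `suspicious_drivers`. The verdict line is kept alongside the finding because, as in this thread, the tool may already have cured the hook: a collapsed table plus "TDL3 is already cured" tells you the hook was there and has been handled, while a collapsed table with no verdict is the case to chase.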


#7 Buckeye_Sam


    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 December 2009 - 05:16 PM

I'd say at this point let Avast remove whatever it detects.
Are you still being redirected on your searches?

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD, and then copy them to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


Also run OTL and post a new log for me.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
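Buckeye_Sam asks for the MBAM log and a fresh OTL log. When the complaint is search redirection, the lines in those two logs that explain the mechanism are the network-path settings: the per-interface NameServer values MBAM reports as Trojan.DNSChanger, the IE ProxyEnable/ProxyServer values and Firefox network.proxy.* prefs that OTL lists, and the O1 HOSTS entries. The Python below is an added example of mine, not code from either tool or from anyone in this thread, that pulls those out of log lines in the formats MBAM and OTL use and labels each redirect vector. The sample lines are modelled on ones posted in this thread (the www.example.com hosts entry is constructed), and the expected-resolver set passed to `redirect_vectors` is an assumption the caller has to supply, since a log cannot tell you which DNS servers the machine is supposed to use.

```python
import re
from ipaddress import ip_address

# Line formats: MBAM "Registry Data Items Infected" entries and OTL's IE / FF / O1 lines.
RE_DNS = re.compile(r"Interfaces\\(\{[0-9A-Fa-f-]+\})\\NameServer \(Trojan\.DNSChanger\) -> Data: (.*?) -> ")
RE_IE = re.compile(r'^IE - (HKLM|HKCU)\\.*Internet Settings: "(ProxyEnable|ProxyServer)" = (.+)$')
RE_FF = re.compile(r'^FF - prefs\.js\.\.network\.proxy\.(http|http_port|type): "?([^"]*)"?$')
RE_HOSTS = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")


def parse_logs(mbam_lines, otl_lines):
    """Pull the network-path settings out of MBAM and OTL output."""
    rep = {"dns": {}, "ie_proxy": {}, "ff_proxy": {}, "hosts": []}
    for line in mbam_lines:
        m = RE_DNS.search(line)
        if m:   # MBAM runs the resolver list together with commas and spaces, as in the posted log
            rep["dns"][m.group(1)] = [s for s in re.split(r"[,\s]+", m.group(2)) if s]
    for line in otl_lines:
        m = RE_IE.match(line)
        if m:
            rep["ie_proxy"].setdefault(m.group(1), {})[m.group(2)] = m.group(3).strip()
            continue
        m = RE_FF.match(line)
        if m:
            rep["ff_proxy"][m.group(1)] = m.group(2)
            continue
        m = RE_HOSTS.match(line)
        if m:
            rep["hosts"].append((m.group(1), m.group(2)))
    return rep


def _is_local(host):
    """True for localhost or a loopback address: a proxy there is a process on this machine."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def _proxy_host(server):
    """'http=localhost:7171', 'localhost:7171' or 'http=a:1;https=b:2' -> first host."""
    first = server.split(";")[0]
    return first.split("=")[-1].rsplit(":", 1)[0]


def redirect_vectors(rep, expected_resolvers=()):
    """Name each redirect mechanism the logs show.

    expected_resolvers: DNS servers the machine is supposed to use (ISP or router). This is
    caller-supplied knowledge; anything else in a NameServer value is reported as foreign.
    """
    found = {}
    foreign = sorted({ip for ips in rep["dns"].values() for ip in ips if ip not in expected_resolvers})
    if foreign:
        found["dns"] = foreign
    # HKCU normally governs IE; HKLM takes over only when per-user proxy settings are disabled
    # by policy, so both hives are reported and the helper decides which one was in force.
    for hive, vals in rep["ie_proxy"].items():
        server = vals.get("ProxyServer", "")
        if vals.get("ProxyEnable") == "1" and server:
            found[f"ie_proxy_{hive}"] = {"server": server, "local": _is_local(_proxy_host(server))}
    ff = rep["ff_proxy"]
    if ff.get("type") == "1" and ff.get("http"):   # network.proxy.type 1 = manual proxy configuration
        found["ff_proxy"] = {"server": f'{ff["http"]}:{ff.get("http_port", "")}',
                             "local": _is_local(ff["http"])}
    for ip, name in rep["hosts"]:
        if name.lower() == "localhost":
            continue
        # A name pinned to loopback is a block (common with activation servers); a name
        # pinned to any other address is a redirect.
        key = "hosts_blocked" if _is_local(ip) else "hosts_redirect"
        found.setdefault(key, []).append((ip, name))
    return found


# Sample lines modelled on the ones posted in this thread; the last hosts entry is constructed.
SAMPLE_MBAM = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e1144258-7084-482b-a1c3-3fa952da3a5d}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,68.238.96.12 68.238.64.12 -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e28a93d9-6df9-4ef5-95ee-26dad9146f77}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1 -> Quarantined and deleted successfully.",
]
SAMPLE_OTL = [
    r'IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1',
    r'IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171',
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0',
    'FF - prefs.js..network.proxy.http: "localhost"',
    "FF - prefs.js..network.proxy.http_port: 7171",
    "FF - prefs.js..network.proxy.type: 1",
    "O1 - Hosts: 127.0.0.1 localhost",
    "O1 - Hosts: 127.0.0.1 activate.adobe.com",
    "O1 - Hosts: 10.0.0.1 www.example.com",   # constructed: a hosts-file redirect to a non-loopback address
]

if __name__ == "__main__":
    report = redirect_vectors(parse_logs(SAMPLE_MBAM, SAMPLE_OTL),
                              expected_resolvers={"4.2.2.1", "68.238.96.12", "68.238.64.12"})
    for vector, detail in report.items():
        print(f"{vector:16s} {detail}")
```

A proxy of localhost on the same port in both IE and Firefox means a process on the machine itself is listening there and rewriting traffic; clearing the proxy settings without finding that process just gets them set again, so the listener is what to hunt for (on XP, `netstat -ano` shows the owning PID). Likewise a NameServer value is only "bad" relative to what the ISP or router actually hands out, which is why that list is a parameter rather than hard-coded.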


========================================================

#8 samlotan

  • Topic Starter

  • Members
  • 9 posts

Posted 16 December 2009 - 03:58 PM

Buckeye Sam

Google is still getting hijacked. The signs of the other virus stuff, such as the wallpaper with the spyware warning, disappeared. However, when I tested the Google search results the browser was sent to a malicious site, Avast came on with a warning, etc., Task Manager got locked again (it was working before the virus warning) and the red circle icon reappeared. The results of the scans attached were from before testing Google search and the new virus attack.

Malwarebytes' Anti-Malware 1.42
Database version: 3373
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/16/2009 12:43:51 PM
mbam-log-2009-12-16 (12-43-51).txt

Scan type: Quick Scan
Objects scanned: 156673
Time elapsed: 4 hour(s), 58 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 10
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yekimolow (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e1144258-7084-482b-a1c3-3fa952da3a5d}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,68.238.96.12 68.238.64.12 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e28a93d9-6df9-4ef5-95ee-26dad9146f77}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\nadejafi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\trz1A.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sam\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AVR10.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper86.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.


OTL logfile created on: 12/16/2009 1:05:16 PM - Run 2
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\Sam\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 931.51 Gb Total Space | 738.04 Gb Free Space | 79.23% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DESKTOP
Current User Name: Sam
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/14 10:57:41 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sam\Desktop\OTL.exe
PRC - [2009/11/24 17:51:40 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 17:51:35 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 17:51:21 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 17:48:48 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 17:43:56 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/11/12 16:33:10 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/02/25 15:27:41 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2008/12/18 13:32:52 | 00,049,152 | ---- | M] (Advanced Micro Devices Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
PRC - [2008/12/18 12:19:44 | 00,049,152 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/10/10 04:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/08/13 14:34:08 | 01,891,416 | ---- | M] (GARMIN Corp.) -- C:\Garmin\gStart.exe
PRC - [2008/05/01 22:15:46 | 00,015,872 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
PRC - [2008/04/13 22:42:42 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2008/04/13 22:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/24 11:36:22 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2007/10/30 19:51:44 | 00,492,720 | ---- | M] () -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
PRC - [2007/10/30 19:11:48 | 00,909,208 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
PRC - [2007/10/30 19:07:40 | 00,140,568 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2007/10/30 19:07:38 | 00,427,288 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2007/10/30 19:06:42 | 02,595,616 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2007/10/16 20:04:12 | 01,094,936 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2007/04/10 14:28:44 | 16,126,464 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2006/11/13 12:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2006/11/13 12:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2006/10/12 21:38:04 | 00,958,464 | ---- | M] () -- C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WlanMon.exe
PRC - [2006/06/29 19:34:20 | 00,049,152 | ---- | M] (Alpha Networks Inc.) -- C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
PRC - [2004/07/20 08:34:28 | 00,851,968 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\ControlCenter2\brctrcen.exe
PRC - [2004/04/14 16:46:50 | 00,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
PRC - [2004/03/26 18:30:12 | 00,819,200 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
PRC - [2003/05/05 18:30:22 | 00,065,536 | ---- | M] (Brother Industries, Ltd.) -- C:\WINDOWS\system32\Brmfrmps.exe
PRC - [2002/04/12 02:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe
PRC - [2001/12/13 02:01:00 | 00,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brss01a.exe


========== Modules (SafeList) ==========

MOD - [2009/12/14 10:57:41 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sam\Desktop\OTL.exe
MOD - [2008/05/01 22:15:35 | 00,004,608 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (NMIndexingService)
SRV - [2009/11/24 17:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 17:51:21 | 00,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 17:48:48 | 00,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 17:43:56 | 00,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/05/03 21:19:41 | 00,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/02/25 15:27:41 | 00,602,112 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2009/02/25 14:15:00 | 00,593,920 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/10/10 04:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/08/04 06:53:06 | 00,065,536 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AMD\OverDrive\AODAssist.exe -- (AODService)
SRV - [2008/01/24 11:36:22 | 00,073,728 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2007/10/30 19:51:44 | 00,492,720 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe -- (TryAndDecideService)
SRV - [2007/10/30 19:07:38 | 00,427,288 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2007/10/16 20:04:12 | 01,094,936 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2006/07/03 17:22:58 | 00,049,152 | ---- | M] (Alpha Networks Inc.) [Auto | Stopped] -- C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe -- (ANIWZCSdService)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003/05/05 18:30:22 | 00,065,536 | ---- | M] (Brother Industries, Ltd.) [Auto | Running] -- C:\WINDOWS\System32\Brmfrmps.exe -- (brmfrmps)
SRV - [2002/04/12 02:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd) [Auto | Running] -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service)


========== Driver Services (SafeList) ==========

DRV - [2009/12/15 07:28:26 | 00,096,512 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\tsk_atapi.sys -- (atapi)
DRV - [2009/11/24 17:50:59 | 00,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/11/24 17:50:12 | 00,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/11/24 17:50:00 | 00,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/24 17:49:07 | 00,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/24 17:48:57 | 00,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/24 17:47:54 | 00,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/05/29 19:02:18 | 00,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2009/05/29 19:02:18 | 00,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/05/29 19:01:54 | 00,129,248 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2009/05/29 19:01:35 | 00,368,544 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpman.sys -- (tdrpman)
DRV - [2009/05/18 14:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/02/25 16:58:57 | 03,565,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/10/19 23:00:06 | 00,025,728 | ---- | M] (Google Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\androidusb.sys -- (androidusb)
DRV - [2008/08/14 06:57:42 | 00,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\adfs.sys -- (adfs)
DRV - [2008/04/14 00:26:50 | 00,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usb8023x.sys -- (usb_rndisx)
DRV - [2008/04/13 23:15:30 | 00,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 16:04:32 | 01,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/04/13 15:09:16 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/13 15:06:06 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/27 18:30:00 | 03,688,640 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtHDMI.sys -- (RTHDMIAzAudService)
DRV - [2008/01/03 08:10:16 | 00,105,856 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/12/17 16:14:06 | 00,012,400 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2007/12/06 08:51:00 | 00,285,952 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2007/10/11 19:40:12 | 00,009,096 | R--- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdide.sys -- (amdide)
DRV - [2007/06/29 13:47:34 | 00,034,304 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AmdLLD.sys -- (AmdLLD)
DRV - [2007/04/16 15:46:34 | 00,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2007/04/10 18:04:40 | 04,397,568 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/11/06 18:04:56 | 00,028,672 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wceusbsh.sys -- (wceusbsh)
DRV - [2006/11/03 17:30:44 | 00,467,040 | ---- | M] (Atheros Communications, Inc. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\N5SG.sys -- (N5SG)
DRV - [2006/07/01 21:39:40 | 00,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/04/13 13:33:28 | 00,008,192 | ---- | M] (BIOSTAR Group) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BS_I2cIo.sys -- (BS_I2cIo)
DRV - [2005/12/11 13:55:38 | 00,028,195 | ---- | M] (Alpha Networks Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\ANIO.sys -- (ANIO)
DRV - [2005/06/20 21:08:44 | 02,324,480 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/05/17 16:45:08 | 00,092,800 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2005/04/06 02:22:30 | 00,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/04/06 02:22:28 | 00,033,536 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/03/16 00:23:54 | 00,013,696 | R--- | M] (BIOSTAR Group) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BIOS.sys -- (BIOS)
DRV - [2004/08/14 01:56:20 | 00,005,810 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/06/12 07:27:18 | 00,051,712 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrSerIf.sys -- (BrSerIf)
DRV - [2004/03/03 20:30:54 | 00,125,184 | ---- | M] (Ahead Software AG) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\imagesrv.sys -- (imagesrv)
DRV - [2004/03/03 20:30:54 | 00,005,504 | ---- | M] (Ahead Software AG) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\imagedrv.sys -- (imagedrv)
DRV - [2004/01/10 06:28:18 | 00,011,648 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2003/12/19 23:15:50 | 00,015,263 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb)
DRV - [2003/03/19 15:51:00 | 00,018,688 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2002/11/27 06:52:00 | 00,080,896 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENET.sys -- (NVENET)
DRV - [2001/08/23 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/08/17 13:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
DRV - [2001/08/17 12:53:32 | 00,006,784 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\serscan.sys -- (StillCam)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 7171
FF - prefs.js..network.proxy.type: 1

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/16 07:22:01 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/11 14:55:25 | 00,000,000 | ---D | M]

[2009/02/14 16:31:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Extensions
[2009/02/15 23:24:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rm1n.Default\extensions
[2009/02/15 23:22:36 | 00,000,000 | ---D | M] (macbird) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rm1n.Default\extensions\{2564ae73-58ac-4aab-9a32-b531c778b549}
[2009/02/15 23:15:03 | 00,000,000 | ---D | M] (macfoxIIgraphite) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rm1n.Default\extensions\{a883dc70-3e3e-11db-a98b-0800200c9a66}
[2009/12/16 07:32:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions
[2009/10/18 07:43:27 | 00,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2009/07/08 04:26:08 | 00,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/08/09 00:30:11 | 00,000,000 | ---D | M] (jDownFF) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions\{a3b24d40-bac4-11dc-95ff-0800200c9a66}
[2009/07/09 17:56:09 | 00,000,000 | ---D | M] (iFox Smooth) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions\{d3d70bca-2d54-425e-b02c-b7e2f4b07688}
[2009/02/14 16:31:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\iqs3nny1.default\extensions
[2009/02/15 17:51:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\lwvafais.default\extensions
[2009/12/16 07:32:12 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (796 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com
O1 - Hosts: 127.0.0.1 activate.adobe.com
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Spy Blocker Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll File not found
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Airlink101 WLAN Monitor] C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WlanMon.exe ()
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Alpha Networks Inc.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe (Brother Industories, Ltd.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [System Files Updater] C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe ()
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKCU..\Run: [gStart] C:\Garmin\gStart.exe (GARMIN Corp.)
O4 - HKCU..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe (Brother Industries, Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} https://mygmgw.gm.com/http://usabhembma04.m...om/iNotes6W.cab (iNotes6 Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.238.96.12 68.238.64.12
O20 - AppInit_DLLs: (jiweyiyi.dll) - File not found
O20 - AppInit_DLLs: (c:\windows\system32\tenogapa.dll) - C:\WINDOWS\System32\tenogapa.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O21 - SSODL: jazalovag - {3bb4a5f7-a211-4af8-985b-abc6d697af72} - C:\WINDOWS\System32\tenogapa.dll File not found
O22 - SharedTaskScheduler: {3bb4a5f7-a211-4af8-985b-abc6d697af72} - tokatiluy - C:\WINDOWS\System32\tenogapa.dll File not found
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/14 16:25:33 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/16 07:24:27 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/16 07:24:24 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/16 07:24:23 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/16 07:23:51 | 04,844,296 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Sam\Desktop\mbam-setup.exe
[2009/12/15 07:28:18 | 00,134,408 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Sam\Desktop\TDSSKiller.exe
[2009/12/14 10:57:40 | 00,538,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sam\Desktop\OTL.exe
[2009/12/14 01:20:27 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Sam\Desktop\RootRepeal.exe
[2009/12/11 14:57:51 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/12/11 14:57:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/12/11 14:54:56 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/12/11 14:50:31 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/12/06 23:33:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Sam\Local Settings\Application Data\Deployment
[2009/12/04 07:42:13 | 00,000,000 | ---D | C] -- C:\2e11cd110d260ff173fddfc221cfc3
[2009/11/23 11:07:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Sam\My Documents\iphone
[2009/11/21 11:55:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Sam\Local Settings\Application Data\Roblox
[2009/11/21 11:55:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Sam\Local Settings\Application Data\RobloxDownloads
[2009/11/21 11:55:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Sam\Local Settings\Application Data\RobloxVersions
[2009/05/29 19:05:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Acronis
[2009/02/26 10:51:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/02/21 17:25:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/02/14 16:30:51 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/02/14 16:30:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/02/14 16:30:43 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/02/14 16:30:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/16 13:04:03 | 00,643,372 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/16 13:04:03 | 00,168,124 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/16 13:04:03 | 00,072,794 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/16 13:01:49 | 00,000,007 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME
[2009/12/16 13:00:00 | 00,000,296 | ---- | M] () -- C:\WINDOWS\tasks\ufnghvdw.job
[2009/12/16 12:48:00 | 00,000,306 | -HS- | M] () -- C:\WINDOWS\tasks\Lpbuhpd.job
[2009/12/16 12:48:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/16 12:47:57 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/16 12:47:08 | 06,291,456 | -H-- | M] () -- C:\Documents and Settings\Sam\NTUSER.DAT
[2009/12/16 12:47:08 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Sam\ntuser.ini
[2009/12/16 07:24:30 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/16 07:23:53 | 04,844,296 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Sam\Desktop\mbam-setup.exe
[2009/12/15 07:38:48 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\jugitive
[2009/12/15 07:28:26 | 00,096,512 | ---- | M] () -- C:\WINDOWS\System32\drivers\tsk_atapi.sys
[2009/12/15 07:27:06 | 00,117,293 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\tdsskiller.zip
[2009/12/15 07:02:44 | 00,724,952 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\avenger.zip
[2009/12/14 11:19:53 | 00,068,096 | RHS- | M] () -- C:\WINDOWS\System32\mqperfl.dll
[2009/12/14 11:10:35 | 00,292,864 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\z27pck4r.exe
[2009/12/14 10:57:41 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sam\Desktop\OTL.exe
[2009/12/14 01:20:28 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Sam\Desktop\RootRepeal.exe
[2009/12/14 01:14:45 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\dds.scr
[2009/12/13 20:53:38 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/12 21:43:47 | 00,002,497 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\Microsoft Office Word 2003.lnk
[2009/12/11 14:59:53 | 00,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/12/11 14:55:16 | 00,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/12/11 14:45:08 | 00,001,854 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2009/12/05 17:37:40 | 00,134,408 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Sam\Desktop\TDSSKiller.exe
[2009/12/04 10:40:07 | 02,097,352 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/04 10:23:15 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/12/04 07:44:21 | 00,049,784 | ---- | M] () -- C:\Documents and Settings\Sam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/12/04 07:36:01 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/24 17:54:29 | 01,280,480 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/11/24 17:51:09 | 00,093,424 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/11/24 17:50:59 | 00,094,160 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2009/11/24 17:50:12 | 00,114,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/11/24 17:50:00 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/11/24 17:49:07 | 00,048,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/11/24 17:48:57 | 00,023,120 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/11/24 17:47:54 | 00,027,408 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/11/24 17:47:28 | 00,097,480 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/16 07:24:30 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/15 07:28:26 | 00,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\tsk_atapi.sys
[2009/12/15 07:27:05 | 00,117,293 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\tdsskiller.zip
[2009/12/15 07:26:04 | 00,000,296 | ---- | C] () -- C:\WINDOWS\tasks\ufnghvdw.job
[2009/12/15 07:07:53 | 00,731,136 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\avenger.exe
[2009/12/15 07:02:44 | 00,724,952 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\avenger.zip
[2009/12/14 11:19:54 | 00,000,306 | -HS- | C] () -- C:\WINDOWS\tasks\Lpbuhpd.job
[2009/12/14 11:19:53 | 00,068,096 | RHS- | C] () -- C:\WINDOWS\System32\mqperfl.dll
[2009/12/14 11:10:35 | 00,292,864 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\z27pck4r.exe
[2009/12/14 01:14:44 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\dds.scr
[2009/12/11 14:59:53 | 00,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/12/11 14:55:16 | 00,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/08/05 21:39:13 | 00,270,848 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/07/22 12:31:23 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2009/06/29 12:13:38 | 00,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2009/06/03 11:23:33 | 00,000,040 | ---- | C] () -- C:\WINDOWS\opt_2460.ini
[2009/05/18 04:55:30 | 00,000,229 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/05/12 21:11:07 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2009/05/12 21:11:07 | 00,012,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2009/05/12 21:08:55 | 00,000,204 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2009/05/12 21:07:11 | 00,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2009/05/12 20:31:50 | 00,005,810 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009/04/21 19:31:35 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2009/03/08 13:44:47 | 00,000,054 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2009/03/03 20:30:35 | 00,000,123 | ---- | C] () -- C:\Documents and Settings\Sam\Application Data\default.rss
[2009/02/28 08:00:47 | 00,002,528 | ---- | C] () -- C:\Documents and Settings\Sam\Application Data\$_hpcst$.hpc
[2009/02/18 18:23:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\WB.ini
[2009/02/14 17:43:42 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2009/02/14 17:42:44 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\JJAKEn.dll
[2009/02/14 17:41:46 | 00,005,120 | ---- | C] () -- C:\Documents and Settings\Sam\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/14 17:40:02 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/14 17:36:57 | 00,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2009/02/14 17:35:02 | 00,000,777 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2009/02/14 17:35:02 | 00,000,459 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2009/02/14 17:35:02 | 00,000,092 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2009/02/14 17:35:02 | 00,000,079 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2009/02/14 17:28:11 | 00,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2009/02/14 16:42:33 | 00,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2009/02/14 16:42:33 | 00,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2009/02/14 16:42:31 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Wininit.ini
[2009/02/14 16:42:26 | 00,028,672 | ---- | C] () -- C:\WINDOWS\CMIRmDriver.dll
[2009/02/14 16:00:26 | 00,098,304 | ---- | C] () -- C:\WINDOWS\System32\SSGK2PNP.DLL
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/04 12:16:34 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
< End of report >

#9 samlotan

  • Topic Starter

Posted 16 December 2009 - 04:41 PM

Buckeye Sam

I ran MBAM and OTL and here are the results. I did not test Google search again for fear of making things worse. Let me know what you think I should try next.

Thanks,

Sam

Malwarebytes' Anti-Malware 1.42
Database version: 3373
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/16/2009 3:23:04 PM
mbam-log-2009-12-16 (15-23-04).txt

Scan type: Quick Scan
Objects scanned: 156958
Time elapsed: 6 minute(s), 58 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 10
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
C:\WINDOWS\system32\winupdate86.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\winhelper86.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon86.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon86.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\winlogon86.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\AVR10.exe (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\7ENW1Q9M\SetupIS2010[1].exe (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winupdate86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper86.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winlogon86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

OTL logfile created on: 12/16/2009 3:32:56 PM - Run 3
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\Sam\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 931.51 Gb Total Space | 738.01 Gb Free Space | 79.23% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DESKTOP
Current User Name: Sam
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/14 10:57:41 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sam\Desktop\OTL.exe
PRC - [2009/11/24 17:51:40 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 17:51:35 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 17:51:21 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 17:48:48 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 17:43:56 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/11/12 16:33:10 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/11/07 20:42:14 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/02/25 15:27:41 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2008/12/18 13:32:52 | 00,049,152 | ---- | M] (Advanced Micro Devices Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
PRC - [2008/12/18 12:19:44 | 00,049,152 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/10/10 04:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/08/13 14:34:08 | 01,891,416 | ---- | M] (GARMIN Corp.) -- C:\Garmin\gStart.exe
PRC - [2008/05/01 22:15:46 | 00,015,872 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
PRC - [2008/04/13 22:42:42 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2008/04/13 22:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/24 11:36:22 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2007/10/30 19:51:44 | 00,492,720 | ---- | M] () -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
PRC - [2007/10/30 19:11:48 | 00,909,208 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
PRC - [2007/10/30 19:07:40 | 00,140,568 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2007/10/30 19:07:38 | 00,427,288 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2007/10/30 19:06:42 | 02,595,616 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2007/10/16 20:04:12 | 01,094,936 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2007/04/10 14:28:44 | 16,126,464 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2006/11/13 12:39:54 | 04,270,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
PRC - [2006/11/13 12:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2006/11/13 12:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2006/10/12 21:38:04 | 00,958,464 | ---- | M] () -- C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WlanMon.exe
PRC - [2006/06/29 19:34:20 | 00,049,152 | ---- | M] (Alpha Networks Inc.) -- C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
PRC - [2004/07/20 08:34:28 | 00,851,968 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\ControlCenter2\brctrcen.exe
PRC - [2004/06/14 20:09:06 | 00,073,728 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
PRC - [2004/04/14 16:46:50 | 00,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
PRC - [2004/03/26 18:30:12 | 00,819,200 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
PRC - [2003/07/14 22:45:18 | 00,196,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\outlook.exe
PRC - [2003/05/05 18:30:22 | 00,065,536 | ---- | M] (Brother Industries, Ltd.) -- C:\WINDOWS\system32\Brmfrmps.exe
PRC - [2002/04/12 02:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe
PRC - [2001/12/13 02:01:00 | 00,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brss01a.exe


========== Modules (SafeList) ==========

MOD - [2009/12/14 10:57:41 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sam\Desktop\OTL.exe
MOD - [2008/05/01 22:15:35 | 00,004,608 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (NMIndexingService)
SRV - [2009/11/24 17:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 17:51:21 | 00,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 17:48:48 | 00,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 17:43:56 | 00,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/05/03 21:19:41 | 00,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/02/25 15:27:41 | 00,602,112 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2009/02/25 14:15:00 | 00,593,920 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/10/10 04:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/08/04 06:53:06 | 00,065,536 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AMD\OverDrive\AODAssist.exe -- (AODService)
SRV - [2008/01/24 11:36:22 | 00,073,728 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2007/10/30 19:51:44 | 00,492,720 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe -- (TryAndDecideService)
SRV - [2007/10/30 19:07:38 | 00,427,288 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2007/10/16 20:04:12 | 01,094,936 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2006/07/03 17:22:58 | 00,049,152 | ---- | M] (Alpha Networks Inc.) [Auto | Stopped] -- C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe -- (ANIWZCSdService)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003/05/05 18:30:22 | 00,065,536 | ---- | M] (Brother Industries, Ltd.) [Auto | Running] -- C:\WINDOWS\System32\Brmfrmps.exe -- (brmfrmps)
SRV - [2002/04/12 02:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd) [Auto | Running] -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service)


========== Driver Services (SafeList) ==========

DRV - [2009/12/15 07:28:26 | 00,096,512 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\tsk_atapi.sys -- (atapi)
DRV - [2009/11/24 17:50:59 | 00,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/11/24 17:50:12 | 00,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/11/24 17:50:00 | 00,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/24 17:49:07 | 00,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/24 17:48:57 | 00,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/24 17:47:54 | 00,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/05/29 19:02:18 | 00,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2009/05/29 19:02:18 | 00,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/05/29 19:01:54 | 00,129,248 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2009/05/29 19:01:35 | 00,368,544 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpman.sys -- (tdrpman)
DRV - [2009/05/18 14:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/02/25 16:58:57 | 03,565,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/10/19 23:00:06 | 00,025,728 | ---- | M] (Google Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\androidusb.sys -- (androidusb)
DRV - [2008/08/14 06:57:42 | 00,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\adfs.sys -- (adfs)
DRV - [2008/04/14 00:26:50 | 00,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usb8023x.sys -- (usb_rndisx)
DRV - [2008/04/13 23:15:30 | 00,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 16:04:32 | 01,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/04/13 15:09:16 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/13 15:06:06 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/27 18:30:00 | 03,688,640 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtHDMI.sys -- (RTHDMIAzAudService)
DRV - [2008/01/03 08:10:16 | 00,105,856 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/12/17 16:14:06 | 00,012,400 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2007/12/06 08:51:00 | 00,285,952 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2007/10/11 19:40:12 | 00,009,096 | R--- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdide.sys -- (amdide)
DRV - [2007/06/29 13:47:34 | 00,034,304 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AmdLLD.sys -- (AmdLLD)
DRV - [2007/04/16 15:46:34 | 00,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2007/04/10 18:04:40 | 04,397,568 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/11/06 18:04:56 | 00,028,672 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wceusbsh.sys -- (wceusbsh)
DRV - [2006/11/03 17:30:44 | 00,467,040 | ---- | M] (Atheros Communications, Inc. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\N5SG.sys -- (N5SG)
DRV - [2006/07/01 21:39:40 | 00,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/04/13 13:33:28 | 00,008,192 | ---- | M] (BIOSTAR Group) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BS_I2cIo.sys -- (BS_I2cIo)
DRV - [2005/12/11 13:55:38 | 00,028,195 | ---- | M] (Alpha Networks Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\ANIO.sys -- (ANIO)
DRV - [2005/06/20 21:08:44 | 02,324,480 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/05/17 16:45:08 | 00,092,800 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2005/04/06 02:22:30 | 00,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/04/06 02:22:28 | 00,033,536 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/03/16 00:23:54 | 00,013,696 | R--- | M] (BIOSTAR Group) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BIOS.sys -- (BIOS)
DRV - [2004/08/14 01:56:20 | 00,005,810 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/06/12 07:27:18 | 00,051,712 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrSerIf.sys -- (BrSerIf)
DRV - [2004/03/03 20:30:54 | 00,125,184 | ---- | M] (Ahead Software AG) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\imagesrv.sys -- (imagesrv)
DRV - [2004/03/03 20:30:54 | 00,005,504 | ---- | M] (Ahead Software AG) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\imagedrv.sys -- (imagedrv)
DRV - [2004/01/10 06:28:18 | 00,011,648 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2003/12/19 23:15:50 | 00,015,263 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb)
DRV - [2003/03/19 15:51:00 | 00,018,688 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2002/11/27 06:52:00 | 00,080,896 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENET.sys -- (NVENET)
DRV - [2001/08/23 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/08/17 13:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
DRV - [2001/08/17 12:53:32 | 00,006,784 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\serscan.sys -- (StillCam)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 7171
FF - prefs.js..network.proxy.type: 1

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/16 07:22:01 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/11 14:55:25 | 00,000,000 | ---D | M]

[2009/02/14 16:31:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Extensions
[2009/02/15 23:24:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rm1n.Default\extensions
[2009/02/15 23:22:36 | 00,000,000 | ---D | M] (macbird) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rm1n.Default\extensions\{2564ae73-58ac-4aab-9a32-b531c778b549}
[2009/02/15 23:15:03 | 00,000,000 | ---D | M] (macfoxIIgraphite) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rm1n.Default\extensions\{a883dc70-3e3e-11db-a98b-0800200c9a66}
[2009/12/16 07:32:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions
[2009/10/18 07:43:27 | 00,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2009/07/08 04:26:08 | 00,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/08/09 00:30:11 | 00,000,000 | ---D | M] (jDownFF) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions\{a3b24d40-bac4-11dc-95ff-0800200c9a66}
[2009/07/09 17:56:09 | 00,000,000 | ---D | M] (iFox Smooth) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions\{d3d70bca-2d54-425e-b02c-b7e2f4b07688}
[2009/02/14 16:31:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\iqs3nny1.default\extensions
[2009/02/15 17:51:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\lwvafais.default\extensions
[2009/12/16 07:32:12 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (796 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com
O1 - Hosts: 127.0.0.1 activate.adobe.com
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Spy Blocker Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll File not found
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Airlink101 WLAN Monitor] C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WlanMon.exe ()
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Alpha Networks Inc.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe (Brother Industories, Ltd.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [System Files Updater] C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe ()
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKCU..\Run: [gStart] C:\Garmin\gStart.exe (GARMIN Corp.)
O4 - HKCU..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe (Brother Industries, Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} https://mygmgw.gm.com/http://usabhembma04.m...om/iNotes6W.cab (iNotes6 Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.238.96.12 68.238.64.12
O20 - AppInit_DLLs: (jiweyiyi.dll) - File not found
O20 - AppInit_DLLs: (c:\windows\system32\tenogapa.dll) - C:\WINDOWS\System32\tenogapa.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O21 - SSODL: jazalovag - {3bb4a5f7-a211-4af8-985b-abc6d697af72} - C:\WINDOWS\System32\tenogapa.dll File not found
O22 - SharedTaskScheduler: {3bb4a5f7-a211-4af8-985b-abc6d697af72} - tokatiluy - C:\WINDOWS\System32\tenogapa.dll File not found
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/14 16:25:33 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/16 07:24:27 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/16 07:24:24 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/16 07:24:23 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/16 07:23:51 | 04,844,296 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Sam\Desktop\mbam-setup.exe
[2009/12/15 07:28:18 | 00,134,408 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Sam\Desktop\TDSSKiller.exe
[2009/12/14 10:57:40 | 00,538,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sam\Desktop\OTL.exe
[2009/12/14 01:20:27 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Sam\Desktop\RootRepeal.exe
[2009/12/11 14:57:51 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/12/11 14:57:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/12/11 14:54:56 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/12/11 14:50:31 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/12/06 23:33:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Sam\Local Settings\Application Data\Deployment
[2009/12/04 07:42:13 | 00,000,000 | ---D | C] -- C:\2e11cd110d260ff173fddfc221cfc3
[2009/11/23 11:07:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Sam\My Documents\iphone
[2009/11/21 11:55:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Sam\Local Settings\Application Data\Roblox
[2009/11/21 11:55:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Sam\Local Settings\Application Data\RobloxDownloads
[2009/11/21 11:55:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Sam\Local Settings\Application Data\RobloxVersions
[2009/05/29 19:05:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Acronis
[2009/02/26 10:51:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/02/21 17:25:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/02/14 16:30:51 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/02/14 16:30:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/02/14 16:30:43 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/02/14 16:30:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/16 15:29:32 | 00,645,286 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/16 15:29:32 | 00,169,084 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/16 15:29:32 | 00,072,794 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/16 15:27:21 | 06,291,456 | -H-- | M] () -- C:\Documents and Settings\Sam\NTUSER.DAT
[2009/12/16 15:25:55 | 00,000,007 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME
[2009/12/16 15:25:00 | 00,000,306 | -HS- | M] () -- C:\WINDOWS\tasks\Lpbuhpd.job
[2009/12/16 15:25:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/16 15:24:55 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/16 15:24:00 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Sam\ntuser.ini
[2009/12/16 15:23:51 | 00,000,296 | ---- | M] () -- C:\WINDOWS\tasks\ufnghvdw.job
[2009/12/16 15:07:59 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\18467.exe
[2009/12/16 07:24:30 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/16 07:23:53 | 04,844,296 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Sam\Desktop\mbam-setup.exe
[2009/12/15 07:38:48 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\jugitive
[2009/12/15 07:28:26 | 00,096,512 | ---- | M] () -- C:\WINDOWS\System32\drivers\tsk_atapi.sys
[2009/12/15 07:27:06 | 00,117,293 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\tdsskiller.zip
[2009/12/15 07:02:44 | 00,724,952 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\avenger.zip
[2009/12/14 11:19:53 | 00,068,096 | RHS- | M] () -- C:\WINDOWS\System32\mqperfl.dll
[2009/12/14 11:10:35 | 00,292,864 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\z27pck4r.exe
[2009/12/14 10:57:41 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sam\Desktop\OTL.exe
[2009/12/14 01:20:28 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Sam\Desktop\RootRepeal.exe
[2009/12/14 01:14:45 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\dds.scr
[2009/12/13 20:53:38 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/12 21:43:47 | 00,002,497 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\Microsoft Office Word 2003.lnk
[2009/12/11 14:59:53 | 00,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/12/11 14:55:16 | 00,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/12/11 14:45:08 | 00,001,854 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2009/12/05 17:37:40 | 00,134,408 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Sam\Desktop\TDSSKiller.exe
[2009/12/04 10:40:07 | 02,097,352 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/04 10:23:15 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/12/04 07:44:21 | 00,049,784 | ---- | M] () -- C:\Documents and Settings\Sam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/12/04 07:36:01 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/24 17:54:29 | 01,280,480 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/11/24 17:51:09 | 00,093,424 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/11/24 17:50:59 | 00,094,160 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2009/11/24 17:50:12 | 00,114,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/11/24 17:50:00 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/11/24 17:49:07 | 00,048,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/11/24 17:48:57 | 00,023,120 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/11/24 17:47:54 | 00,027,408 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/11/24 17:47:28 | 00,097,480 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/16 15:07:59 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\18467.exe
[2009/12/16 07:24:30 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/15 07:28:26 | 00,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\tsk_atapi.sys
[2009/12/15 07:27:05 | 00,117,293 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\tdsskiller.zip
[2009/12/15 07:26:04 | 00,000,296 | ---- | C] () -- C:\WINDOWS\tasks\ufnghvdw.job
[2009/12/15 07:07:53 | 00,731,136 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\avenger.exe
[2009/12/15 07:02:44 | 00,724,952 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\avenger.zip
[2009/12/14 11:19:54 | 00,000,306 | -HS- | C] () -- C:\WINDOWS\tasks\Lpbuhpd.job
[2009/12/14 11:19:53 | 00,068,096 | RHS- | C] () -- C:\WINDOWS\System32\mqperfl.dll
[2009/12/14 11:10:35 | 00,292,864 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\z27pck4r.exe
[2009/12/14 01:14:44 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\dds.scr
[2009/12/11 14:59:53 | 00,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/12/11 14:55:16 | 00,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/08/05 21:39:13 | 00,270,848 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/07/22 12:31:23 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2009/06/29 12:13:38 | 00,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2009/06/03 11:23:33 | 00,000,040 | ---- | C] () -- C:\WINDOWS\opt_2460.ini
[2009/05/18 04:55:30 | 00,000,229 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/05/12 21:11:07 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2009/05/12 21:11:07 | 00,012,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2009/05/12 21:08:55 | 00,000,204 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2009/05/12 21:07:11 | 00,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2009/05/12 20:31:50 | 00,005,810 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009/04/21 19:31:35 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2009/03/08 13:44:47 | 00,000,054 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2009/03/03 20:30:35 | 00,000,123 | ---- | C] () -- C:\Documents and Settings\Sam\Application Data\default.rss
[2009/02/28 08:00:47 | 00,002,528 | ---- | C] () -- C:\Documents and Settings\Sam\Application Data\$_hpcst$.hpc
[2009/02/18 18:23:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\WB.ini
[2009/02/14 17:43:42 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2009/02/14 17:42:44 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\JJAKEn.dll
[2009/02/14 17:41:46 | 00,005,120 | ---- | C] () -- C:\Documents and Settings\Sam\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/14 17:40:02 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/14 17:36:57 | 00,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2009/02/14 17:35:02 | 00,000,777 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2009/02/14 17:35:02 | 00,000,459 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2009/02/14 17:35:02 | 00,000,092 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2009/02/14 17:35:02 | 00,000,079 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2009/02/14 17:28:11 | 00,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2009/02/14 16:42:33 | 00,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2009/02/14 16:42:33 | 00,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2009/02/14 16:42:31 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Wininit.ini
[2009/02/14 16:42:26 | 00,028,672 | ---- | C] () -- C:\WINDOWS\CMIRmDriver.dll
[2009/02/14 16:00:26 | 00,098,304 | ---- | C] () -- C:\WINDOWS\System32\SSGK2PNP.DLL
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/04 12:16:34 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
< End of report >

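The OTL log above lays out the mechanics of the redirect rather than just the symptom: the HKLM Internet Settings have ProxyEnable = 1 with ProxyServer = http=localhost:7171, Firefox's prefs.js carries the same localhost:7171 proxy (network.proxy.type 1), the O20/O21/O22 AppInit_DLLs, SSODL and SharedTaskScheduler entries all point at tenogapa.dll which is no longer on disk, and a boot-start driver with no company name (tsk_atapi.sys) is registered under the service name atapi. The Python below is an added example, not code from this thread, from OTL or from the helper; it applies that same reading mechanically to a constructed excerpt of the log lines shown above (SAMPLE_LOG is assembled from those lines, not a full capture) so the indicators can be pulled out of any OTL log of this shape. The rule set and function names are this example's own choices.

```python
"""Triage an OTL (OldTimer) log for a local-proxy search hijack.

Added example, not part of the original thread. SAMPLE_LOG is a constructed
excerpt built from the line shapes in the log posted above.
"""
import re

SAMPLE_LOG = r"""
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 7171
FF - prefs.js..network.proxy.type: 1
O20 - AppInit_DLLs: (jiweyiyi.dll) - File not found
O20 - AppInit_DLLs: (c:\windows\system32\tenogapa.dll) - C:\WINDOWS\System32\tenogapa.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O21 - SSODL: jazalovag - {3bb4a5f7-a211-4af8-985b-abc6d697af72} - C:\WINDOWS\System32\tenogapa.dll File not found
O22 - SharedTaskScheduler: {3bb4a5f7-a211-4af8-985b-abc6d697af72} - tokatiluy - C:\WINDOWS\System32\tenogapa.dll File not found
DRV - [2009/12/15 07:28:26 | 00,096,512 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\tsk_atapi.sys -- (atapi)
DRV - [2009/05/29 19:02:18 | 00,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
[2009/12/16 15:25:00 | 00,000,306 | -HS- | M] () -- C:\WINDOWS\tasks\Lpbuhpd.job
[2009/12/16 15:23:51 | 00,000,296 | ---- | M] () -- C:\WINDOWS\tasks\ufnghvdw.job
[2009/12/16 15:07:59 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\18467.exe
[2009/12/16 07:24:30 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
"""

LOCAL_HOSTS = ("localhost", "127.0.0.1")


def find_local_proxy(lines):
    """Return [(browser, host, port)] where IE or Firefox sends HTTP through a
    proxy on the local machine. A hijacker that runs its own proxy on the box
    rewrites search-result pages in transit, which is exactly the symptom here."""
    ie_enabled, ie_server, ff = {}, {}, {}
    for ln in lines:
        m = re.match(r'IE - (HKLM|HKCU)\\.*Internet Settings: "(\w+)" = (.*)$', ln)
        if m:
            hive, key, val = m.groups()
            if key == "ProxyEnable":
                ie_enabled[hive] = val.strip() == "1"
            elif key == "ProxyServer":
                ie_server[hive] = val.strip()
            continue
        m = re.match(r'FF - prefs\.js\.\.network\.proxy\.(\w+): (.*)$', ln)
        if m:
            ff[m.group(1)] = m.group(2).strip().strip('"')
    hits = []
    for hive, enabled in ie_enabled.items():
        m = re.search(r'(?:http=)?([\w.\-]+):(\d+)', ie_server.get(hive, ""))
        if enabled and m and m.group(1).lower() in LOCAL_HOSTS:
            hits.append(("IE/" + hive, m.group(1), int(m.group(2))))
    if ff.get("type") == "1" and ff.get("http", "").lower() in LOCAL_HOSTS:
        hits.append(("Firefox", ff["http"], int(ff.get("http_port", "0"))))
    return hits


def find_orphaned_autostarts(lines):
    """Autostart hooks (O20 AppInit_DLLs, O21 SSODL, O22 SharedTaskScheduler)
    whose target file is gone: a payload that was deleted or renamed but whose
    load points are still in the registry and still fire at every logon."""
    out = []
    for ln in lines:
        m = re.match(r'^(O2[0-2]) - (\w+):(.*) File not found$', ln)
        if not m:
            continue
        hook, rest = m.group(2), m.group(3)
        paths = re.findall(r'[A-Za-z]:\\[^\s]+', rest)   # full paths, last one is the target
        paren = re.search(r'\(([^)]+)\)', rest)           # bare name in parentheses (AppInit form)
        target = paths[-1] if paths else (paren.group(1) if paren else rest.strip(" -"))
        out.append((hook, target))
    return out


def find_boot_drivers_without_vendor(lines):
    """Boot-start kernel drivers whose image carries no company name. In the log
    above that is tsk_atapi.sys, created seconds after TDSSKiller.exe on the
    15th and registered under the service name 'atapi'; a boot driver with no
    vendor string deserves a hash check before the machine is declared clean."""
    pat = r'DRV - \[[^\]]*\] \((.*?)\) \[Kernel \| Boot \| \w+\] -- (.+?) -- \((\w+)\)'
    return [(m.group(3), m.group(2)) for m in map(lambda s: re.match(pat, s), lines)
            if m and not m.group(1).strip()]


def find_suspicious_files(lines):
    """File entries worth a second look: .job files in the Tasks folder (flagged
    harder when hidden/system) and zero-byte executables dropped into System32."""
    out = []
    for ln in lines:
        m = re.match(r'\[[^|]*\| ([\d,]+) \| ([-A-Z]{4}) \| [CM]\] \(.*?\) -- (.+)$', ln)
        if not m:
            continue
        size, attrs, path = int(m.group(1).replace(",", "")), m.group(2), m.group(3)
        low = path.lower()
        if low.endswith(".job") and "\\tasks\\" in low:
            why = "scheduled task, hidden/system attributes" if set("HS") & set(attrs) else "scheduled task"
            out.append((path, why))
        elif low.endswith(".exe") and size == 0 and "\\system32\\" in low:
            out.append((path, "zero-byte executable in System32"))
    return out


def triage(log_text):
    lines = [ln.rstrip() for ln in log_text.splitlines() if ln.strip()]
    return {
        "local_proxy": find_local_proxy(lines),
        "orphaned_autostarts": find_orphaned_autostarts(lines),
        "boot_drivers_no_vendor": find_boot_drivers_without_vendor(lines),
        "suspicious_files": find_suspicious_files(lines),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

Run it against a full OTL log by passing the file contents to triage(). The proxy check is the one that explains the poster's symptom directly: with ProxyEnable = 1 under HKLM and Firefox's network.proxy.type = 1, every HTTP request from either browser goes through whatever is listening on 127.0.0.1:7171, and that process can swap the links on a Google or Yahoo results page before the browser renders it. Clearing the proxy settings without removing the listener (and its load points) just leaves the machine one reboot away from the same state.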
#10 Buckeye_Sam (Malware Expert)

Posted 16 December 2009 - 06:30 PM

Run this code through Avenger just like you did before.

Files to delete:
C:\WINDOWS\tasks\Lpbuhpd.job
C:\WINDOWS\tasks\ufnghvdw.job
C:\WINDOWS\System32\18467.exe



Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Please post the contents of the log from DrWeb in your next reply.



====================


Run OTL.exe and copy this into the custom scan box.


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT


Click the "Run Scan" button.
Please copy and paste the log back here in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 samlotan (Topic Starter)

Posted 17 December 2009 - 05:09 PM

Buckeye Sam

Here are the logs:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\tasks\Lpbuhpd.job" deleted successfully.
File "C:\WINDOWS\tasks\ufnghvdw.job" deleted successfully.
File "C:\WINDOWS\System32\18467.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


garmin_kgen_14.exe;C:\Documents and Settings\Sam\My Documents\Omnitech\garmin\GarminXT 5.00.20w\4. Jetmouse Keygen;Trojan.PWS.Ageloc.9;Deleted.;

OTL logfile created on: 12/17/2009 4:01:12 PM - Run 4
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\Sam\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 931.51 Gb Total Space | 737.71 Gb Free Space | 79.20% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DESKTOP
Current User Name: Sam
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/17 07:26:33 | 25,453,400 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\Sam\Desktop\drweb-cureit.exe
PRC - [2009/12/14 10:57:41 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sam\Desktop\OTL.exe
PRC - [2009/11/26 17:13:00 | 02,360,584 | ---- | M] () -- C:\Documents and Settings\Sam\Local Settings\Temp\RarSFX0\6b4usxp.exe
PRC - [2009/11/24 17:51:40 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 17:51:35 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 17:51:21 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 17:48:48 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 17:43:56 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/11/12 16:33:10 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/11/07 20:42:14 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/30 15:08:00 | 00,124,216 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\Sam\Local Settings\Temp\RarSFX0\6w45ny.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/02/25 15:27:41 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2008/12/18 13:32:52 | 00,049,152 | ---- | M] (Advanced Micro Devices Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
PRC - [2008/12/18 12:19:44 | 00,049,152 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/10/10 04:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/08/13 14:34:08 | 01,891,416 | ---- | M] (GARMIN Corp.) -- C:\Garmin\gStart.exe
PRC - [2008/05/01 22:15:46 | 00,015,872 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
PRC - [2008/04/13 22:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/24 11:36:22 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2007/10/30 19:51:44 | 00,492,720 | ---- | M] () -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
PRC - [2007/10/30 19:11:48 | 00,909,208 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
PRC - [2007/10/30 19:07:40 | 00,140,568 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2007/10/30 19:07:38 | 00,427,288 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2007/10/30 19:06:42 | 02,595,616 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2007/10/16 20:04:12 | 01,094,936 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2007/04/10 14:28:44 | 16,126,464 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2006/11/13 12:39:54 | 04,270,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
PRC - [2006/11/13 12:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2006/11/13 12:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2006/10/12 21:38:04 | 00,958,464 | ---- | M] () -- C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WlanMon.exe
PRC - [2006/06/29 19:34:20 | 00,049,152 | ---- | M] (Alpha Networks Inc.) -- C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
PRC - [2004/07/20 08:34:28 | 00,851,968 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\ControlCenter2\brctrcen.exe
PRC - [2004/06/14 20:09:06 | 00,073,728 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
PRC - [2004/04/14 16:46:50 | 00,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
PRC - [2004/03/26 18:30:12 | 00,819,200 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
PRC - [2003/07/14 22:45:18 | 00,196,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\outlook.exe
PRC - [2003/05/05 18:30:22 | 00,065,536 | ---- | M] (Brother Industries, Ltd.) -- C:\WINDOWS\system32\Brmfrmps.exe
PRC - [2002/04/12 02:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe
PRC - [2001/12/13 02:01:00 | 00,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brss01a.exe


========== Modules (SafeList) ==========

MOD - [2009/12/14 10:57:41 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sam\Desktop\OTL.exe
MOD - [2008/05/01 22:15:35 | 00,004,608 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (NMIndexingService)
SRV - [2009/11/24 17:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 17:51:21 | 00,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 17:48:48 | 00,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 17:43:56 | 00,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/05/03 21:19:41 | 00,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/02/25 15:27:41 | 00,602,112 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2009/02/25 14:15:00 | 00,593,920 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/10/10 04:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/08/04 06:53:06 | 00,065,536 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AMD\OverDrive\AODAssist.exe -- (AODService)
SRV - [2008/01/24 11:36:22 | 00,073,728 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2007/10/30 19:51:44 | 00,492,720 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe -- (TryAndDecideService)
SRV - [2007/10/30 19:07:38 | 00,427,288 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2007/10/16 20:04:12 | 01,094,936 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2006/07/03 17:22:58 | 00,049,152 | ---- | M] (Alpha Networks Inc.) [Auto | Stopped] -- C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe -- (ANIWZCSdService)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003/05/05 18:30:22 | 00,065,536 | ---- | M] (Brother Industries, Ltd.) [Auto | Running] -- C:\WINDOWS\System32\Brmfrmps.exe -- (brmfrmps)
SRV - [2002/04/12 02:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd) [Auto | Running] -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service)


========== Driver Services (SafeList) ==========

DRV - [2009/12/15 07:28:26 | 00,096,512 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\tsk_atapi.sys -- (atapi)
DRV - [2009/11/24 17:50:59 | 00,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/11/24 17:50:12 | 00,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/11/24 17:50:00 | 00,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/24 17:49:07 | 00,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/24 17:48:57 | 00,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/24 17:47:54 | 00,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/05/29 19:02:18 | 00,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2009/05/29 19:02:18 | 00,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/05/29 19:01:54 | 00,129,248 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2009/05/29 19:01:35 | 00,368,544 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpman.sys -- (tdrpman)
DRV - [2009/05/18 14:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/02/25 16:58:57 | 03,565,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/10/19 23:00:06 | 00,025,728 | ---- | M] (Google Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\androidusb.sys -- (androidusb)
DRV - [2008/08/14 06:57:42 | 00,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\adfs.sys -- (adfs)
DRV - [2008/04/14 00:26:50 | 00,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usb8023x.sys -- (usb_rndisx)
DRV - [2008/04/13 23:15:30 | 00,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 16:04:32 | 01,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/04/13 15:09:16 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/13 15:06:06 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/27 18:30:00 | 03,688,640 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtHDMI.sys -- (RTHDMIAzAudService)
DRV - [2008/01/03 08:10:16 | 00,105,856 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/12/17 16:14:06 | 00,012,400 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2007/12/06 08:51:00 | 00,285,952 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2007/10/11 19:40:12 | 00,009,096 | R--- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdide.sys -- (amdide)
DRV - [2007/06/29 13:47:34 | 00,034,304 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AmdLLD.sys -- (AmdLLD)
DRV - [2007/04/16 15:46:34 | 00,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2007/04/10 18:04:40 | 04,397,568 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/11/06 18:04:56 | 00,028,672 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wceusbsh.sys -- (wceusbsh)
DRV - [2006/11/03 17:30:44 | 00,467,040 | ---- | M] (Atheros Communications, Inc. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\N5SG.sys -- (N5SG)
DRV - [2006/07/01 21:39:40 | 00,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/04/13 13:33:28 | 00,008,192 | ---- | M] (BIOSTAR Group) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BS_I2cIo.sys -- (BS_I2cIo)
DRV - [2005/12/11 13:55:38 | 00,028,195 | ---- | M] (Alpha Networks Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\ANIO.sys -- (ANIO)
DRV - [2005/06/20 21:08:44 | 02,324,480 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/05/17 16:45:08 | 00,092,800 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2005/04/06 02:22:30 | 00,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/04/06 02:22:28 | 00,033,536 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/03/16 00:23:54 | 00,013,696 | R--- | M] (BIOSTAR Group) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BIOS.sys -- (BIOS)
DRV - [2004/08/14 01:56:20 | 00,005,810 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/06/12 07:27:18 | 00,051,712 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrSerIf.sys -- (BrSerIf)
DRV - [2004/03/03 20:30:54 | 00,125,184 | ---- | M] (Ahead Software AG) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\imagesrv.sys -- (imagesrv)
DRV - [2004/03/03 20:30:54 | 00,005,504 | ---- | M] (Ahead Software AG) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\imagedrv.sys -- (imagedrv)
DRV - [2004/01/10 06:28:18 | 00,011,648 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2003/12/19 23:15:50 | 00,015,263 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb)
DRV - [2003/03/19 15:51:00 | 00,018,688 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2002/11/27 06:52:00 | 00,080,896 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENET.sys -- (NVENET)
DRV - [2001/08/23 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/08/17 13:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
DRV - [2001/08/17 12:53:32 | 00,006,784 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\serscan.sys -- (StillCam)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 7171
FF - prefs.js..network.proxy.type: 1

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/16 07:22:01 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/11 14:55:25 | 00,000,000 | ---D | M]

[2009/02/14 16:31:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Extensions
[2009/02/15 23:24:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rm1n.Default\extensions
[2009/02/15 23:22:36 | 00,000,000 | ---D | M] (macbird) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rm1n.Default\extensions\{2564ae73-58ac-4aab-9a32-b531c778b549}
[2009/02/15 23:15:03 | 00,000,000 | ---D | M] (macfoxIIgraphite) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rm1n.Default\extensions\{a883dc70-3e3e-11db-a98b-0800200c9a66}
[2009/12/17 07:43:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions
[2009/10/18 07:43:27 | 00,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2009/07/08 04:26:08 | 00,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/08/09 00:30:11 | 00,000,000 | ---D | M] (jDownFF) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions\{a3b24d40-bac4-11dc-95ff-0800200c9a66}
[2009/07/09 17:56:09 | 00,000,000 | ---D | M] (iFox Smooth) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\3c022rmn.default\extensions\{d3d70bca-2d54-425e-b02c-b7e2f4b07688}
[2009/02/14 16:31:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\iqs3nny1.default\extensions
[2009/02/15 17:51:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\lwvafais.default\extensions
[2009/12/17 07:43:50 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (789 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Spy Blocker Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll File not found
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Airlink101 WLAN Monitor] C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WlanMon.exe ()
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Alpha Networks Inc.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe (Brother Industories, Ltd.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [System Files Updater] C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe ()
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKCU..\Run: [gStart] C:\Garmin\gStart.exe (GARMIN Corp.)
O4 - HKCU..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe (Brother Industries, Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} https://mygmgw.gm.com/http://usabhembma04.m...om/iNotes6W.cab (iNotes6 Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O20 - AppInit_DLLs: (jiweyiyi.dll) - File not found
O20 - AppInit_DLLs: (c:\windows\system32\tenogapa.dll) - C:\WINDOWS\System32\tenogapa.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O21 - SSODL: jazalovag - {3bb4a5f7-a211-4af8-985b-abc6d697af72} - C:\WINDOWS\System32\tenogapa.dll File not found
O22 - SharedTaskScheduler: {3bb4a5f7-a211-4af8-985b-abc6d697af72} - tokatiluy - C:\WINDOWS\System32\tenogapa.dll File not found
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/14 16:25:33 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/02/14 16:24:46 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891947461378048)

========== Files/Folders - Created Within 30 Days ==========

[2009/12/17 07:30:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Sam\DoctorWeb
[2009/12/17 07:25:18 | 25,453,400 | ---- | C] (Doctor Web, Ltd.) -- C:\Documents and Settings\Sam\Desktop\drweb-cureit.exe
[2009/12/17 07:25:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/12/17 07:24:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/12/17 07:21:53 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/12/17 03:00:20 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\KB905474
[2009/12/16 07:24:27 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/16 07:24:24 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/16 07:24:23 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/16 07:23:51 | 04,844,296 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Sam\Desktop\mbam-setup.exe
[2009/12/15 07:28:18 | 00,134,408 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Sam\Desktop\TDSSKiller.exe
[2009/12/14 10:57:40 | 00,538,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sam\Desktop\OTL.exe
[2009/12/14 01:20:27 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Sam\Desktop\RootRepeal.exe
[2009/12/11 14:57:51 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/12/11 14:57:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/12/11 14:54:56 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/12/11 14:50:31 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/12/06 23:33:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Sam\Local Settings\Application Data\Deployment
[2009/12/04 07:42:13 | 00,000,000 | ---D | C] -- C:\2e11cd110d260ff173fddfc221cfc3
[2009/11/23 11:07:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Sam\My Documents\iphone
[2009/11/21 11:55:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Sam\Local Settings\Application Data\Roblox
[2009/11/21 11:55:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Sam\Local Settings\Application Data\RobloxDownloads
[2009/11/21 11:55:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Sam\Local Settings\Application Data\RobloxVersions
[2009/05/29 19:05:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Acronis
[2009/02/26 10:51:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/02/21 17:25:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/02/14 16:30:51 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/02/14 16:30:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/02/14 16:30:43 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/02/14 16:30:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/17 12:31:40 | 00,000,146 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\DrWeb.csv
[2009/12/17 12:29:38 | 00,000,789 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/17 07:29:35 | 00,649,114 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/17 07:29:35 | 00,171,004 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/17 07:29:35 | 00,072,794 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/17 07:28:49 | 06,291,456 | -H-- | M] () -- C:\Documents and Settings\Sam\NTUSER.DAT
[2009/12/17 07:26:33 | 25,453,400 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\Sam\Desktop\drweb-cureit.exe
[2009/12/17 07:25:09 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/17 07:23:27 | 00,000,007 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME
[2009/12/17 07:22:10 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/17 07:22:06 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/17 07:21:21 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Sam\ntuser.ini
[2009/12/16 15:43:08 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/16 07:24:30 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/16 07:23:53 | 04,844,296 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Sam\Desktop\mbam-setup.exe
[2009/12/15 07:38:48 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\jugitive
[2009/12/15 07:28:26 | 00,096,512 | ---- | M] () -- C:\WINDOWS\System32\drivers\tsk_atapi.sys
[2009/12/15 07:27:06 | 00,117,293 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\tdsskiller.zip
[2009/12/15 07:02:44 | 00,724,952 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\avenger.zip
[2009/12/14 11:19:53 | 00,068,096 | RHS- | M] () -- C:\WINDOWS\System32\mqperfl.dll
[2009/12/14 11:10:35 | 00,292,864 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\z27pck4r.exe
[2009/12/14 10:57:41 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sam\Desktop\OTL.exe
[2009/12/14 01:20:28 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Sam\Desktop\RootRepeal.exe
[2009/12/14 01:14:45 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\dds.scr
[2009/12/12 21:43:47 | 00,002,497 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\Microsoft Office Word 2003.lnk
[2009/12/11 14:59:53 | 00,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/12/11 14:55:16 | 00,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/12/11 14:45:08 | 00,001,854 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2009/12/05 17:37:40 | 00,134,408 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Sam\Desktop\TDSSKiller.exe
[2009/12/04 10:40:07 | 02,097,352 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/04 10:23:15 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/12/04 07:44:21 | 00,049,784 | ---- | M] () -- C:\Documents and Settings\Sam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/24 17:54:29 | 01,280,480 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/11/24 17:51:09 | 00,093,424 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/11/24 17:50:59 | 00,094,160 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2009/11/24 17:50:12 | 00,114,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/11/24 17:50:00 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/11/24 17:49:07 | 00,048,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/11/24 17:48:57 | 00,023,120 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/11/24 17:47:54 | 00,027,408 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/11/24 17:47:28 | 00,097,480 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2009/11/21 09:51:42 | 01,206,508 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/11/21 09:51:04 | 00,471,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/17 12:31:40 | 00,000,146 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\DrWeb.csv
[2009/12/16 07:24:30 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/15 07:28:26 | 00,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\tsk_atapi.sys
[2009/12/15 07:27:05 | 00,117,293 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\tdsskiller.zip
[2009/12/15 07:07:53 | 00,731,136 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\avenger.exe
[2009/12/15 07:02:44 | 00,724,952 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\avenger.zip
[2009/12/14 11:19:53 | 00,068,096 | RHS- | C] () -- C:\WINDOWS\System32\mqperfl.dll
[2009/12/14 11:10:35 | 00,292,864 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\z27pck4r.exe
[2009/12/14 01:14:44 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\dds.scr
[2009/12/11 14:59:53 | 00,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/12/11 14:55:16 | 00,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/08/05 21:39:13 | 00,270,848 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/07/22 12:31:23 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2009/06/29 12:13:38 | 00,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2009/06/03 11:23:33 | 00,000,040 | ---- | C] () -- C:\WINDOWS\opt_2460.ini
[2009/05/18 04:55:30 | 00,000,229 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/05/12 21:11:07 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2009/05/12 21:11:07 | 00,012,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2009/05/12 21:08:55 | 00,000,204 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2009/05/12 21:07:11 | 00,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2009/05/12 20:31:50 | 00,005,810 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009/04/21 19:31:35 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2009/03/08 13:44:47 | 00,000,054 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2009/03/03 20:30:35 | 00,000,123 | ---- | C] () -- C:\Documents and Settings\Sam\Application Data\default.rss
[2009/02/28 08:00:47 | 00,002,528 | ---- | C] () -- C:\Documents and Settings\Sam\Application Data\$_hpcst$.hpc
[2009/02/18 18:23:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\WB.ini
[2009/02/14 17:43:42 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2009/02/14 17:42:44 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\JJAKEn.dll
[2009/02/14 17:41:46 | 00,005,120 | ---- | C] () -- C:\Documents and Settings\Sam\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/14 17:40:02 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/14 17:36:57 | 00,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2009/02/14 17:35:02 | 00,000,777 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2009/02/14 17:35:02 | 00,000,459 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2009/02/14 17:35:02 | 00,000,092 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2009/02/14 17:35:02 | 00,000,079 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2009/02/14 17:28:11 | 00,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2009/02/14 16:42:33 | 00,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2009/02/14 16:42:33 | 00,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2009/02/14 16:42:31 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Wininit.ini
[2009/02/14 16:42:26 | 00,028,672 | ---- | C] () -- C:\WINDOWS\CMIRmDriver.dll
[2009/02/14 16:00:26 | 00,098,304 | ---- | C] () -- C:\WINDOWS\System32\SSGK2PNP.DLL
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/04 12:16:34 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: ATAPI.SYS >
[2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 02:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys
[2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys
[2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys
[2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 22:41:54 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/13 22:41:54 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 22:42:02 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/13 22:42:02 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NVATA.SYS >
[2005/05/17 16:45:08 | 00,092,800 | ---- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\system32\drivers\nvata.sys

< MD5 for: SCECLI.DLL >
[2008/04/13 22:42:06 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/13 22:42:06 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 18 December 2009 - 08:16 AM

Looks pretty good to me. How is your computer behaving now? Are you still being redirected?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 samlotan

samlotan
  • Topic Starter

  • Members
  • 9 posts

Posted 18 December 2009 - 08:11 PM

The redirection seems to be fixed. I still seem to be having a problem with the home page on Firefox, which was My Yahoo.com. It keeps coming up with "encountered problem" on the My Yahoo page even when I try to bring up My Yahoo from the main Yahoo page. On Internet Explorer the My Yahoo page comes up fine. This seems to be the only problem from what I can see.

Sam

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 19 December 2009 - 11:50 AM

Open Firefox and click Tools -> Options
Select the Privacy tab
Make sure the box to accept cookies is checked.

Edited by Buckeye_Sam, 19 December 2009 - 11:51 AM.

========================================================

#15 samlotan

samlotan
  • Topic Starter

  • Members
  • 9 posts

Posted 21 December 2009 - 04:56 PM

Everything seems to be in order now. I cleared the history on Firefox and My Yahoo is coming up OK now. Thank you for your help. Any other suggestions or thoughts?

Sam

Edited by samlotan, 21 December 2009 - 09:42 PM.




