Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Redirect/Hijack


  • This topic is locked This topic is locked
16 replies to this topic

#1 JBS103

JBS103

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:48 AM

Posted 06 January 2010 - 09:53 PM

Well each time I do a Google search, the search results are redirected to different websites (it initially changes to something like pleasewaitclick.com and then redirects again to something like c.ppcxml.net which Firefox tells me is a malicious site). I've run scans with AVG, Malwarebytes, and SuperAntiSpyware (as you can probably sense from my logs) rather naively in attempt to remove it, but the problem remains. My friend also suggested a system restore but there were no restore points that worked. I must admit I'm pretty clueless when it comes to all of this so who knows what I got myself into...

I've just installed and run the DDS and RootRepeal as suggested by the topic at the top of this forum. Here is the DDS log with the other two attached. I believe I've followed those directions correctly. Thank you in advance!


DDS (Ver_09-12-01.01) - NTFSx86
Run by James at 21:20:03.20 on Wed 01/06/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.78 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\SafeConnect\scManager.sys
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\CollabNet Subversion Server\svnserve.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SafeConnect\scClient.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell4me.com/myway
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar =
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - No File
BHO: {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
TB: {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [ViewMgr] c:\program files\viewpoint\viewpoint manager\ViewMgr.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [StatusClient 2.6] c:\program files\hewlett-packard\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup 2.5] c:\program files\hewlett-packard\toolbox\hpbpsttp.exe
mRun: [ZCfgSvc.exe] c:\windows\system32\ZCfgSvc.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\james\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\safeco~1.lnk - c:\program files\safeconnect\scClient.exe
uPolicies-explorer: NoCloseKey = 1
IE: &Viewpoint Search - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} c:\program files\partygaming\partypoker\runapp.exe - c:\program files\partygaming\partypoker\runapp.exe\inprocserver32 does not exist!
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135126616485
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135127248746
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
AppInit_DLLs: c:\windows\system32\kbdsock.dll,jusidevi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\james\applic~1\mozilla\firefox\profiles\default.k3o\
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMCult3DP.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\windows\system32\cult3d\NPMCult3DP.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Internal security: No Registry Reference - c:\program files\mozilla firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-14 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-14 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-14 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-8-29 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-12 297752]
R2 SCManager;SafeConnect Manager;c:\program files\safeconnect\scmanager.sys servicestart --> c:\program files\safeconnect\scManager.sys servicestart [?]
R2 svnserve;Subversion Server;c:\program files\collabnet subversion server\svnserve.exe [2008-8-29 110703]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S2 Apache2.2;Apache2.2;c:\program files\collabnet subversion server\httpd\bin\httpd.exe [2008-8-29 24654]
S2 TivoBeacon2;TiVo Beacon;c:\program files\common files\tivo shared\beacon\tivobeacon.exe --> c:\program files\common files\tivo shared\beacon\TiVoBeacon.exe [?]
S3 ElectroServer Service;ElectroServer Service;c:\progra~1\electr~1\electr~1\electr~1.exe --> c:\progra~1\electr~1\electr~1\ELECTR~1.EXE [?]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\ultramonmirror.sys --> c:\windows\system32\drivers\UltraMonMirror.sys [?]

=============== Created Last 30 ================

2010-01-07 00:23:56 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-07 00:23:23 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-07 00:23:23 0 d-----w- c:\docume~1\james\applic~1\SUPERAntiSpyware.com
2010-01-07 00:22:23 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-06 15:52:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-06 15:52:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 07:32:41 0 d-sh--w- c:\documents and settings\james\.COMMgr
2010-01-06 07:32:39 0 d-sh--w- c:\docume~1\james\applic~1\SystemProc
2009-12-30 16:50:30 0 d-----w- c:\documents and settings\james\dreamcyclecache
2009-12-27 00:14:05 0 d-----w- c:\docume~1\james\applic~1\Malwarebytes
2009-12-27 00:13:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-27 00:13:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-26 21:18:42 236544 ----a-w- c:\documents and settings\james\pev.exe

==================== Find3M ====================

2009-10-27 11:06:22 18432 ------w- c:\windows\system32\dllcache\iedw.exe
2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 06:00:55 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 14:58:48 263552 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:53:29 266752 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54:17 69632 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:54:17 112128 ------w- c:\windows\system32\dllcache\rastls.dll

============= FINISH: 21:22:15.70 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:48 AM

Posted 07 January 2010 - 08:53 AM

Hello! smile.gif
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT




  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.



=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 JBS103

JBS103
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:48 AM

Posted 07 January 2010 - 02:01 PM

Hi Sam. Thanks for your quick response. When I initially ran OTL as per those directions, I was given an Access Violation Error. I tried again and everything seemed okay. The two logs are pasted below.

When I try to run GMER, my entire system hangs within 10 seconds of scan starting. Everything becomes unresponsive, including my mouse which even stops moving. I had to restart using my power button. What should I do? Thanks.

OTL logfile created on: 1/7/2010 1:19:43 PM - Run 1
OTL by OldTimer - Version 3.1.21.0 Folder = C:\Documents and Settings\James\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 75.00 Mb Available Physical Memory | 15.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 42.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 1.63 Gb Free Space | 4.37% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JAMIE
Current User Name: James
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/07 13:15:46 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\James\Desktop\OTL.exe
PRC - [2010/01/06 02:21:35 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/01/05 07:56:02 | 02,002,160 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/12/24 16:35:25 | 02,043,160 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/11/26 12:31:58 | 00,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/08/29 17:22:35 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/29 17:22:30 | 00,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/08/29 17:22:26 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/08/29 17:22:24 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/05/27 03:27:04 | 29,262,680 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2009/04/26 13:27:51 | 00,136,472 | ---- | M] (Impulse Point, LLC) -- C:\Program Files\SafeConnect\scManager.sys
PRC - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/08/30 21:01:38 | 00,577,024 | ---- | M] (http://tortoisesvn.net) -- C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
PRC - [2008/08/29 05:56:46 | 00,110,703 | ---- | M] (http://subversion.tigris.org/) -- C:\Program Files\CollabNet Subversion Server\svnserve.exe
PRC - [2008/05/29 21:43:38 | 02,580,480 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
PRC - [2008/05/29 21:43:36 | 02,363,392 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
PRC - [2008/01/11 11:54:44 | 00,090,112 | ---- | M] (brother) -- C:\Program Files\Brownie\brpjp04a.exe
PRC - [2008/01/08 08:28:02 | 00,864,256 | ---- | M] (brother) -- C:\Program Files\Brownie\BrStsWnd.exe
PRC - [2007/11/13 09:39:10 | 00,271,640 | ---- | M] (Impulse Point, LLC) -- C:\Program Files\SafeConnect\SCClient.exe
PRC - [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/08/01 14:35:36 | 00,067,112 | ---- | M] (America Online, Inc.) -- C:\Program Files\AIM\aim.exe
PRC - [2005/03/01 22:01:31 | 00,020,572 | ---- | M] () -- C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
PRC - [2004/08/11 08:20:54 | 00,409,664 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\ZCfgSvc.exe
PRC - [2004/08/11 08:17:52 | 00,204,800 | ---- | M] (Intel) -- C:\WINDOWS\SYSTEM32\1XConfig.exe
PRC - [2004/08/11 08:17:24 | 00,303,171 | ---- | M] (Intel Corporation ) -- C:\WINDOWS\SYSTEM32\S24EvMon.exe
PRC - [2004/08/11 08:15:52 | 00,122,880 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\RegSrvc.exe
PRC - [2004/05/11 09:03:36 | 00,020,545 | ---- | M] () -- C:\Program Files\Apache Group\Apache\Apache.exe
PRC - [2004/02/27 12:29:24 | 00,061,440 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
PRC - [2004/02/02 15:32:16 | 00,155,648 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2003/08/29 05:59:24 | 00,122,880 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\BCMSMMSG.exe
PRC - [2003/08/13 10:27:40 | 00,028,672 | ---- | M] (Dell - Advanced Desktop Engineering) -- C:\WINDOWS\SYSTEM32\DSentry.exe
PRC - [2003/07/29 14:11:00 | 00,323,584 | ---- | M] () -- C:\WINDOWS\SYSTEM32\ati2evxx.exe
PRC - [2003/07/29 13:30:00 | 00,335,872 | ---- | M] (ATI Technologies, Inc.) -- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PRC - [2003/02/26 11:08:42 | 00,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2000/06/29 03:45:10 | 00,052,224 | ---- | M] (Kenonic Controls Ltd.) -- C:\WINDOWS\SYSTEM32\Crypserv.exe


========== Modules (SafeList) ==========

MOD - [2010/01/07 13:15:46 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\James\Desktop\OTL.exe
MOD - [2006/08/25 10:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (TivoBeacon2)
SRV - File not found [On_Demand | Stopped] -- -- (iPod Service)
SRV - File not found [On_Demand | Stopped] -- -- (ElectroServer Service)
SRV - [2009/08/29 17:22:26 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2009/08/29 17:22:24 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/05/27 03:27:04 | 29,262,680 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2009/04/26 13:27:51 | 00,136,472 | ---- | M] (Impulse Point, LLC) [Auto | Running] -- C:\Program Files\SafeConnect\scManager.sys -- (SCManager)
SRV - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 21:31:08 | 00,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/08/29 05:57:06 | 00,024,654 | ---- | M] (Apache Software Foundation) [Auto | Stopped] -- C:\Program Files\CollabNet Subversion Server\httpd\bin\httpd.exe -- (Apache2.2)
SRV - [2008/08/29 05:56:46 | 00,110,703 | ---- | M] (http://subversion.tigris.org/) [Auto | Running] -- C:\Program Files\CollabNet Subversion Server\svnserve.exe -- (svnserve)
SRV - [2006/11/08 15:35:38 | 00,053,248 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\SYSTEM32\HPZipm12.dll -- (Pml Driver HPZ12)
SRV - [2006/11/08 15:35:36 | 00,043,520 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\SYSTEM32\HPZinw12.dll -- (Net Driver HPZ12)
SRV - [2005/09/13 14:31:55 | 00,072,704 | ---- | M] (Adobe Systems) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/08/19 19:51:57 | 00,069,632 | ---- | M] (Macromedia) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- (Macromedia Licensing Service)
SRV - [2004/08/11 08:17:24 | 00,303,171 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\WINDOWS\SYSTEM32\S24EvMon.exe -- (S24EventMonitor)
SRV - [2004/08/11 08:15:52 | 00,122,880 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\WINDOWS\SYSTEM32\RegSrvc.exe -- (RegSrvc)
SRV - [2004/05/29 08:05:26 | 02,179,072 | ---- | M] () [Auto | Stopped] -- C:/mysql/bin/mysqld-nt.exe -- (MySql)
SRV - [2004/05/11 09:03:36 | 00,020,545 | ---- | M] () [Auto | Running] -- C:\Program Files\Apache Group\Apache\Apache.exe -- (Apache)
SRV - [2003/07/29 14:11:00 | 00,323,584 | ---- | M] () [Auto | Running] -- C:\WINDOWS\SYSTEM32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2003/04/29 14:29:54 | 00,139,264 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)
SRV - [2000/06/29 03:45:10 | 00,052,224 | ---- | M] (Kenonic Controls Ltd.) [Auto | Running] -- C:\WINDOWS\System32\Crypserv.exe -- (Crypkey License)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/12/24 16:43:02 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/06 13:25:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/06 02:21:48 | 00,000,000 | ---D | M]

[2008/06/17 19:49:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Mozilla\Extensions
[2010/01/07 13:05:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\default.k3o\extensions
[2009/07/26 18:10:40 | 00,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\default.k3o\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2006/10/27 05:38:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\default.k3o\extensions\fr@dictionaries.addons.mozilla.org
[2010/01/07 02:45:03 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/01/06 02:32:37 | 00,000,000 | ---D | M] (Internal security) -- C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
[2003/05/15 02:59:03 | 00,004,608 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll
[2004/01/14 11:07:00 | 01,925,120 | ---- | M] (Cycore AB) -- C:\Program Files\Mozilla Firefox\plugins\NPMCult3DP.dll
[2004/11/17 17:21:00 | 00,110,592 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll

O1 HOSTS File: (1396 bytes) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 easywarez.com #www.easywarez.com
O1 - Hosts: 127.0.0.1 www.warezspot.com #ftp.warezspot.com
O1 - Hosts: 127.0.0.1 ftp.freegirlfun.com #update.freegirlfun.com
O1 - Hosts: 127.0.0.1 update.204.177.92.193 #support.204.177.92.193
O1 - Hosts: 127.0.0.1 support.204.177.92.198 #free-memberships.net
O1 - Hosts: 127.0.0.1 warezdownloads.info #www.warezdownloads.info
O1 - Hosts: 127.0.0.1 www.easydownloads.net #ftp.easydownloads.net
O1 - Hosts: 127.0.0.1 ftp.fullversion.com #update.fullversion.com
O1 - Hosts: 127.0.0.1 update.wareztitan.com #support.wareztitan.com
O1 - Hosts: 127.0.0.1 support.myddl.com #shadow-software.com
O1 - Hosts: 127.0.0.1 easywarez.com #www.easywarez.com
O1 - Hosts: 127.0.0.1 www.warezspot.com #ftp.warezspot.com
O1 - Hosts: 127.0.0.1 ftp.warez-vortex.net #update.warez-vortex.net
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - No CLSID value found.
O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BCMSMMSG] C:\WINDOWS\BCMSMMSG.exe (Broadcom Corporation)
O4 - HKLM..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe (brother)
O4 - HKLM..\Run: [DVDSentry] C:\WINDOWS\SYSTEM32\DSentry.exe (Dell - Advanced Desktop Engineering)
O4 - HKLM..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe (Intel® Corporation)
O4 - HKLM..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe (Hewlett-Packard)
O4 - HKLM..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe (Hewlett-Packard)
O4 - HKLM..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe File not found
O4 - HKLM..\Run: [ZCfgSvc.exe] C:\WINDOWS\SYSTEM32\ZCfgSvc.exe (Intel Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SafeConnect.lnk = C:\Program Files\SafeConnect\SCClient.exe (Impulse Point, LLC)
O4 - Startup: C:\Documents and Settings\James\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCloseKey = 1
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - Reg Error: Key error. File not found
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe File not found
O9 - Extra Button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe File not found
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (Reg Error: Key error.)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1135126616485 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1135127248746 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} http://messenger.msn.com/download/MsnMesse...pDownloader.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.2
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\kbdsock.dll) - C:\WINDOWS\System32\kbdsock.dll File not found
O20 - AppInit_DLLs: (jusidevi.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll ()
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\Sebring: DllName - C:\WINDOWS\System32\LgNotify.dll - C:\WINDOWS\SYSTEM32\LgNotify.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/14 13:36:26 | 00,000,047 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/10/28 18:05:53 | 00,000,159 | ---- | M] () - C:\Autoexec.nt.txt -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: BtwSrv - File not found
NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\SYSTEM32\IAS [2004/06/07 12:47:38 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\SYSTEM32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17454953249374208)

========== Files/Folders - Created Within 14 Days ==========

[2010/01/07 13:15:44 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\James\Desktop\OTL.exe
[2010/01/06 21:29:44 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\James\Desktop\RootRepeal.exe
[2010/01/06 19:23:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/01/06 19:23:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\James\Application Data\SUPERAntiSpyware.com
[2010/01/06 19:23:23 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/01/06 19:22:23 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/01/06 19:04:06 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\James\Recent
[2010/01/06 19:04:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Real
[2010/01/06 10:52:40 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/06 10:52:37 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/06 03:15:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/01/06 02:32:41 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\James\.COMMgr
[2010/01/06 02:32:39 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\James\Application Data\SystemProc
[2009/12/30 11:50:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\James\dreamcyclecache
[2009/12/29 16:13:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\James\Local Settings\Application Data\xveosr
[2009/12/26 19:14:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\James\Application Data\Malwarebytes
[2009/12/26 19:13:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/26 19:13:41 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/26 16:10:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\James\Local Settings\Application Data\dmxwey
[2008/08/14 14:03:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2006/01/01 21:42:40 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2005/12/27 15:57:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\TiVo Desktop
[2005/12/23 13:51:56 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2005/12/21 06:52:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2005/01/05 14:37:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\TiVo Desktop
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/01/07 13:15:46 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\James\Desktop\OTL.exe
[2010/01/07 09:15:40 | 47,541,798 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/01/07 09:15:40 | 00,136,354 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2010/01/06 21:30:27 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\James\Desktop\settings.dat
[2010/01/06 21:29:45 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\James\Desktop\RootRepeal.exe
[2010/01/06 21:18:58 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\James\Desktop\dds.scr
[2010/01/06 20:19:34 | 00,000,316 | ---- | M] () -- C:\WINDOWS\Brownie.ini
[2010/01/06 20:19:13 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2010/01/06 20:16:51 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/06 20:16:46 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/01/06 20:16:43 | 53,612,9536 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/06 20:15:11 | 08,388,608 | -H-- | M] () -- C:\Documents and Settings\James\NTUSER.DAT
[2010/01/06 20:15:11 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\James\NTUSER.INI
[2010/01/06 20:14:57 | 03,786,766 | -H-- | M] () -- C:\Documents and Settings\James\Local Settings\Application Data\IconCache.db
[2010/01/06 19:23:38 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/01/06 10:52:44 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/06 05:58:51 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\vafukoma
[2010/01/04 22:47:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/04 20:11:58 | 00,079,270 | ---- | M] () -- C:\Documents and Settings\James\Desktop\profile.php
[2009/12/30 14:55:24 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/30 14:54:58 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/26 23:27:13 | 00,024,064 | ---- | M] () -- C:\Documents and Settings\James\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/26 16:18:42 | 00,236,544 | ---- | M] () -- C:\Documents and Settings\James\pev.exe
[2009/12/24 16:33:19 | 00,490,760 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2009/12/24 16:33:19 | 00,090,794 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2009/12/24 16:33:18 | 00,591,840 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 00,006,456 | -H-- | C] () -- C:\WINDOWS\System32\vafukoma
[2010/01/06 21:30:27 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\James\Desktop\settings.dat
[2010/01/06 21:18:57 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\James\Desktop\dds.scr
[2010/01/06 19:23:38 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/01/06 19:05:03 | 53,612,9536 | -HS- | C] () -- C:\hiberfil.sys
[2010/01/06 10:52:44 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/05 13:12:04 | 00,005,597 | ---- | C] () -- C:\Documents and Settings\James\Desktop\check_requirements.php
[2010/01/04 20:11:54 | 00,079,270 | ---- | C] () -- C:\Documents and Settings\James\Desktop\profile.php
[2009/12/26 16:18:42 | 00,236,544 | ---- | C] () -- C:\Documents and Settings\James\pev.exe
[2008/10/21 18:26:55 | 00,000,663 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/08/28 22:28:08 | 00,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2008/08/28 22:22:29 | 00,000,000 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2008/08/28 22:22:28 | 00,000,145 | ---- | C] () -- C:\WINDOWS\BRVIDEO.INI
[2008/08/28 22:21:21 | 00,000,114 | ---- | C] () -- C:\WINDOWS\System32\brlmw03a.ini
[2008/08/28 22:21:17 | 00,009,853 | ---- | C] () -- C:\WINDOWS\HL-2140.INI
[2008/08/28 22:20:21 | 00,000,316 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2006/11/07 19:51:28 | 00,000,248 | ---- | C] () -- C:\Documents and Settings\James\Application Data\.googlewebacchosts
[2006/05/25 22:05:41 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2006/01/21 13:53:19 | 00,001,347 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/07/11 00:18:17 | 00,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2005/04/24 16:31:12 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/03/18 07:59:43 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\frapsvid.dll
[2005/03/09 09:26:04 | 00,000,103 | ---- | C] () -- C:\WINDOWS\Crypkey.ini
[2005/03/09 09:26:01 | 00,024,608 | ---- | C] () -- C:\WINDOWS\System32\Ckldrv.sys
[2005/03/09 09:26:01 | 00,018,432 | ---- | C] () -- C:\WINDOWS\Setup_ck.dll
[2005/03/09 09:25:55 | 00,097,802 | ---- | C] () -- C:\WINDOWS\System32\Crp32dll.dll
[2005/03/01 22:02:30 | 00,074,752 | ---- | C] () -- C:\WINDOWS\System32\jst.dll
[2005/03/01 22:02:29 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\PMLJNI.dll
[2005/03/01 22:00:07 | 00,000,783 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2005/03/01 21:59:30 | 00,192,512 | R--- | C] () -- C:\WINDOWS\System32\HPB1320V.DLL
[2005/03/01 21:58:02 | 00,000,124 | ---- | C] () -- C:\WINDOWS\hplj1320.ini
[2004/12/31 00:53:00 | 00,000,115 | ---- | C] () -- C:\WINDOWS\AIMPR.INI
[2004/12/31 00:12:20 | 00,000,077 | ---- | C] () -- C:\WINDOWS\bhwin.sys
[2004/12/31 00:12:00 | 00,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL
[2004/11/20 12:38:37 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\James\Local Settings\Application Data\fusioncache.dat
[2004/10/26 17:39:05 | 03,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/10/26 14:46:44 | 00,000,045 | ---- | C] () -- C:\WINDOWS\GFIKJGNP.ini
[2004/10/23 19:05:02 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2004/10/21 21:06:59 | 00,001,568 | ---- | C] () -- C:\Documents and Settings\James\Application Data\mpauth.dat
[2004/09/20 16:35:27 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\James\Application Data\dm.ini
[2004/08/11 08:25:48 | 00,045,124 | ---- | C] () -- C:\WINDOWS\System32\LsaWrApi.dll
[2004/08/11 08:18:24 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\ShellNav.dll
[2004/08/11 08:16:36 | 00,225,349 | ---- | C] () -- C:\WINDOWS\System32\C1XStngs.dll
[2004/08/04 23:52:02 | 00,061,678 | ---- | C] () -- C:\Documents and Settings\James\Application Data\PFP110JPR.{PB
[2004/08/04 23:52:02 | 00,012,358 | ---- | C] () -- C:\Documents and Settings\James\Application Data\PFP110JCM.{PB
[2004/07/30 23:06:57 | 00,024,064 | ---- | C] () -- C:\Documents and Settings\James\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/07/25 01:51:58 | 00,001,125 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2004/07/24 15:04:29 | 00,000,478 | ---- | C] () -- C:\WINDOWS\my.ini
[2004/07/23 23:45:47 | 00,039,912 | ---- | C] () -- C:\WINDOWS\php.ini
[2004/07/23 19:18:06 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/06/07 13:39:30 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/06/07 13:31:37 | 00,000,258 | ---- | C] () -- C:\WINDOWS\System32\BDEMERGE.INI
[2004/06/07 13:24:50 | 00,000,159 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/06/07 13:21:44 | 00,000,831 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/06/07 13:04:35 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/06/07 12:51:10 | 00,000,545 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2002/12/02 14:57:00 | 00,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2002/12/02 14:57:00 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2001/07/31 05:17:12 | 00,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[1980/01/01 00:00:00 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll

========== LOP Check ==========

[2007/04/13 21:54:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk
[2008/06/17 07:57:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ConeXware
[2007/06/26 12:04:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GARMIN
[2008/08/14 07:52:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sirius
[2004/09/20 09:41:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Aim
[2004/08/01 22:57:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\GlobalSCAPE
[2004/08/09 22:25:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Jasc
[2005/05/28 12:30:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Keyhole
[2006/11/18 10:38:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Opera
[2008/05/06 11:56:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Sirius
[2008/09/21 17:50:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Subversion
[2010/01/06 05:47:29 | 00,000,000 | -HSD | M] -- C:\Documents and Settings\James\Application Data\SystemProc
[2004/12/18 12:04:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Thunderbird
[2010/01/06 05:10:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\uTorrent
[2004/08/06 23:25:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Viewpoint

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys
[2004/08/03 23:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2004/08/03 23:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\SYSTEM32\DRIVERS\agp440.sys
[2001/08/17 13:58:00 | 00,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\I386\AGP440.SYS
[2001/08/17 13:58:00 | 00,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2004/08/03 22:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys
[2003/04/23 09:29:54 | 00,087,296 | ---- | M] (Microsoft Corporation) MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -- C:\I386\atapi.sys
[2003/04/23 09:29:54 | 00,087,296 | ---- | M] (Microsoft Corporation) MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2003/04/23 09:29:54 | 00,087,296 | ---- | M] (Microsoft Corporation) MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[2004/08/04 00:56:44 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2004/08/04 00:56:44 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\SYSTEM32\eventlog.dll
[2002/08/29 05:00:00 | 00,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\I386\EVENTLOG.DLL
[2002/08/29 05:00:00 | 00,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[2002/08/29 05:00:00 | 00,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\I386\NETLOGON.DLL
[2002/08/29 05:00:00 | 00,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2009/02/06 13:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 13:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 00:56:46 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2004/08/04 00:56:46 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\SYSTEM32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 00:56:46 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2004/08/04 00:56:46 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\SYSTEM32\scecli.dll
[2002/08/29 05:00:00 | 00,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\I386\SCECLI.DLL
[2002/08/29 05:00:00 | 00,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
< End of report >

OTL Extras logfile created on: 1/7/2010 1:19:43 PM - Run 1
OTL by OldTimer - Version 3.1.21.0 Folder = C:\Documents and Settings\James\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 75.00 Mb Available Physical Memory | 15.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 42.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 1.63 Gb Free Space | 4.37% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JAMIE
Current User Name: James
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.js [@ = JSFile] -- C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe (Macromedia, Inc.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
jsfile [open] -- "C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1" (Macromedia, Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- (America Online, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe" = C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe:*:Enabled:javaw -- ()
"C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe:*:Enabled:LimeWire: The most advanced file sharing program on the planet. -- File not found
"C:\Program Files\SmartFTP\SmartFTP.exe" = C:\Program Files\SmartFTP\SmartFTP.exe:*:Enabled:SmartFTP -- (SmartFTP)
"C:\Program Files\Grisoft\AVG Free\avginet.exe" = C:\Program Files\Grisoft\AVG Free\avginet.exe:*:Enabled:avginet.exe -- File not found
"D:\Setup.exe" = D:\Setup.exe:*:Enabled:Setup -- File not found
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- (America Online, Inc.)
"C:\Documents and Settings\James\Desktop\utorrent.exe" = C:\Documents and Settings\James\Desktop\utorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe -- (Hewlett-Packard)
"C:\Documents and Settings\James\Local Settings\Temp\RarSFX0\FW_Upgrade.exe" = C:\Documents and Settings\James\Local Settings\Temp\RarSFX0\FW_Upgrade.exe:*:Enabled:Linksys WET54G Upgrade Utility -- File not found
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Explorer -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{044F9133-B8D7-4d11-BF39-803FA20F5C8B}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
"{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}" = Macromedia Dreamweaver MX 2004
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
"{11C762F9-95EA-486A-A8E7-683A50C231C1}" = SmartFTP
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{225AF9A1-B556-88D5-94AA-0010B5426419}" = My DSC
"{23E5C72C-CC08-4EE0-9CC2-D925B232B331}" = Microsoft MSDN 2005 Express Edition - ENU
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{2CD2C0DB-81C3-416B-9FA6-589B9235359B}" = OpenOffice.org 2.4
"{2F353D44-73BB-4971-B31D-F7642E9E9531}" = Macromedia Flash MX 2004
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java™ 6 Update 4
"{32A3A4F4-B792-11D6-A78A-00B0D0160010}" = Java™ SE Development Kit 6 Update 1
"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{44CDBD1B-89FB-4E02-8319-2A4C550F664A}" = RTC Client API v1.2
"{4DBBA793-4668-48DE-BDA8-AC105FE460F1}" = Wireless
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{54F90B55-BEB3-4F0D-8802-228822FA5921}" = WordPerfect Office 11
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{5BE1E709-30E4-3D6D-A708-96CE8D5E5E8D}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
"{5D29A4EF-A57F-4F47-89F8-4EB3C5302A53}" = Apache HTTP Server 1.3.31
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
"{68D60342-7686-45C9-B8EB-40EF843D0460}" = Dell Networking Guide
"{6B407945-AE16-4A2A-BAAF-497FE62EDED3}" = PS_AIO_03_C4400_Software_Min
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7E7D7935-B0C8-4032-80BA-2CDC9E43C3B8}" = Microsoft Visual C# 2005 Express Edition - ENU
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{80533B67-C407-485D-8B5D-63BB8ED9D878}" = Scan
"{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
"{8922F418-1066-4FED-AF92-278EAF8DE5B2}" = TortoiseSVN 1.5.3.13783 (32 bit)
"{89EE857B-8970-4F9F-AB58-A1C873AC72B3}" = Broadcom Advanced Control Suite
"{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{954B7F64-D1D4-476F-8919-99585D0A6ABF}" = PS_AIO_03_C4400_Software
"{98DF85D9-96C0-4F57-A92E-C3539477EF5E}" = DVDSentry
"{9A0ED01E-FD18-457A-AB9C-0835DCDB17BB}" = Microsoft Platform SDK (R2) (3790.2075)
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}" = Apple Software Update
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Extension Manager
"{AB6F4AB9-AC85-4002-9829-B6EEA55AE3A5}" = Microsoft Visual C++ 2005 Express Edition - ENU
"{AC76BA86-7AD7-1033-7B44-A00000000001}" = Adobe Reader 6.0.1
"{B8338205-958D-4A50-B773-602B43703D67}" = PowerArchiver 2007
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C6AE288B-A5F3-4E34-9CAF-189AD91E98CC}" = Intel® PROSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}" = MSN Messenger 7.5
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{D8087907-E255-3A41-A46D-D0F798709C71}" = Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
"{DF6A67FE-CB36-4E4E-944C-AB64B6C415C7}" = Brother HL-2140
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
"{FC4ED75D-916C-4A8C-BB67-3C6F6E06D62B}" = Banctec Service Agreement
"{FF1F4E8E-A833-4c4b-A14A-45D5B841B5D8}" = HP Photosmart C4400 All-In-One Driver Software 10.0 Rel .3
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"AdobeESD" = Adobe Download Manager 1.2 (Remove Only)
"AIM Ad Hack_is1" = AIM Ad Hack
"AOL Instant Messenger" = AOL Instant Messenger
"ATI Display Driver" = ATI Display Driver
"AVG8Uninstall" = AVG Free 8.5
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"CCleaner" = CCleaner (remove only)
"CollabNet Subversion" = CollabNet Subversion 1.5.2
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"DellSupport" = Dell Support 5.0.0 (766)
"HijackThis" = HijackThis 2.0.2
"HTMLKit_is1" = HTML-Kit
"Icy Tower_is1" = Icy Tower v1.2 (11kHz)
"InstallShield_{89EE857B-8970-4F9F-AB58-A1C873AC72B3}" = Broadcom Advanced Control Suite
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft MSDN 2005 Express Edition - ENU" = Microsoft MSDN 2005 Express Edition - ENU
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual C# 2005 Express Edition - ENU" = Microsoft Visual C# 2005 Express Edition - ENU
"Microsoft Visual C++ 2005 Express Edition - ENU" = Microsoft Visual C++ 2005 Express Edition - ENU
"Microsoft Visual C++ 2008 Express Edition with SP1 - ENU" = Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"MySQL Servers and Clients 4.0.20d" = MySQL Servers and Clients 4.0.20d
"PokerStars" = PokerStars
"RealPlayer 6.0" = RealPlayer
"SafeConnect" = SafeConnect
"Shockwave" = Shockwave
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 2
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Internet Mail" = Yahoo! Internet Mail
"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/6/2010 3:37:33 AM | Computer Name = JAMIE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: An internal certificate chaining error has occurred.

Error - 1/6/2010 4:40:32 AM | Computer Name = JAMIE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 1/6/2010 4:40:32 AM | Computer Name = JAMIE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 1/6/2010 4:40:35 AM | Computer Name = JAMIE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: An internal certificate chaining error has occurred.

Error - 1/6/2010 7:06:43 AM | Computer Name = JAMIE | Source = Apache Service | ID = 3299
Description = The Apache service named reported the following error: >>> (OS 10048)Only
one usage of each socket address (protocol/network address/port) is normally permitted.
: make_sock: could not bind to address 0.0.0.0:80 .

Error - 1/6/2010 1:39:48 PM | Computer Name = JAMIE | Source = Apache Service | ID = 3299
Description = The Apache service named Apache.exe reported the following error: >>>
[Wed Jan 06 12:39:48 2010] [warn] pid file c:/program files/apache group/apache/logs/httpd.pid
overwritten -- Unclean shutdown of previous Apache run? <<< before the error.log
file could be opened. More information may be available in the error.log file.
.

Error - 1/6/2010 8:05:23 PM | Computer Name = JAMIE | Source = Apache Service | ID = 3299
Description = The Apache service named reported the following error: >>> (OS 10048)Only
one usage of each socket address (protocol/network address/port) is normally permitted.
: make_sock: could not bind to address 0.0.0.0:80 .

Error - 1/6/2010 9:17:03 PM | Computer Name = JAMIE | Source = Apache Service | ID = 3299
Description = The Apache service named reported the following error: >>> (OS 10048)Only
one usage of each socket address (protocol/network address/port) is normally permitted.
: make_sock: could not bind to address 0.0.0.0:80 .

Error - 1/6/2010 9:17:03 PM | Computer Name = JAMIE | Source = Apache Service | ID = 3299
Description = The Apache service named reported the following error: >>> no listening
sockets available, shutting down .

Error - 1/6/2010 9:17:03 PM | Computer Name = JAMIE | Source = Apache Service | ID = 3299
Description = The Apache service named reported the following error: >>> Unable
to open logs .

[ System Events ]
Error - 1/6/2010 8:05:16 PM | Computer Name = JAMIE | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/6/2010 8:05:16 PM | Computer Name = JAMIE | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/6/2010 8:05:41 PM | Computer Name = JAMIE | Source = Service Control Manager | ID = 7024
Description = The Apache2.2 service terminated with service-specific error 1 (0x1).

Error - 1/6/2010 8:05:41 PM | Computer Name = JAMIE | Source = Service Control Manager | ID = 7000
Description = The TiVo Beacon service failed to start due to the following error:
%%2

Error - 1/6/2010 8:05:44 PM | Computer Name = JAMIE | Source = Service Control Manager | ID = 7034
Description = The MySql service terminated unexpectedly. It has done this 1 time(s).

Error - 1/6/2010 9:16:56 PM | Computer Name = JAMIE | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/6/2010 9:16:56 PM | Computer Name = JAMIE | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/6/2010 9:17:22 PM | Computer Name = JAMIE | Source = Service Control Manager | ID = 7024
Description = The Apache2.2 service terminated with service-specific error 1 (0x1).

Error - 1/6/2010 9:17:22 PM | Computer Name = JAMIE | Source = Service Control Manager | ID = 7000
Description = The TiVo Beacon service failed to start due to the following error:
%%2

Error - 1/6/2010 9:17:25 PM | Computer Name = JAMIE | Source = Service Control Manager | ID = 7034
Description = The MySql service terminated unexpectedly. It has done this 1 time(s).


< End of report >


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:48 AM

Posted 08 January 2010 - 08:22 AM

That's ok. We'll work around the Gmer issue for now.


Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :OTL
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    [2010/01/06 02:32:37 | 00,000,000 | ---D | M] (Internal security) -- C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
    O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - No CLSID value found.
    O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_04)
    O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_03)
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
    O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_04)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_04)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
    O20 - AppInit_DLLs: (C:\WINDOWS\system32\kbdsock.dll) - C:\WINDOWS\System32\kbdsock.dll File not found
    O20 - AppInit_DLLs: (jusidevi.dll) - File not found

    :Commands
    [purity]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.


==================



Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.



==================



Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 JBS103

JBS103
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:48 AM

Posted 08 January 2010 - 07:04 PM

Hi Sam. Everything worked. Here are the 3 logs requested.

At the moment, I am still getting redirected on my searches. It stopped for a little while but has seemed to have come back. Thanks again.


All processes killed
========== OTL ==========
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL| /E : value set successfully!
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D} folder moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{F8AD5AA5-D966-4667-9DAF-2561D68B2012} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {D27CDB6E-AE6D-11CF-96B8-444553540000}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: James
->Temp folder emptied: 242493463 bytes
->Temporary Internet Files folder emptied: 179441 bytes
->Java cache emptied: 6304854 bytes
->FireFox cache emptied: 37868906 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 439314 bytes

User: NetworkService
->Temp folder emptied: 1392640 bytes
->Temporary Internet Files folder emptied: 1005406 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 38802 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 14316781 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 10897738 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 8419386 bytes
RecycleBin emptied: 381921 bytes

Total Files Cleaned = 309.00 mb


OTL by OldTimer - Version 3.1.21.0 log created on 01082010_133045

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_42c.dat not found!

Registry entries deleted on Reboot...


OTL logfile created on: 1/8/2010 1:38:49 PM - Run 2
OTL by OldTimer - Version 3.1.21.0 Folder = C:\Documents and Settings\James\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 55.00 Mb Available Physical Memory | 11.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 58.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 1.95 Gb Free Space | 5.23% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JAMIE
Current User Name: James
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/07 13:15:46 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\James\Desktop\OTL.exe
PRC - [2010/01/06 02:21:35 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/01/05 07:56:02 | 02,002,160 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/12/24 16:35:25 | 02,043,160 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/11/26 12:31:58 | 00,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/08/29 17:22:35 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/29 17:22:30 | 00,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/08/29 17:22:26 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/08/29 17:22:24 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/05/27 03:27:04 | 29,262,680 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2009/04/26 13:27:51 | 00,136,472 | ---- | M] (Impulse Point, LLC) -- C:\Program Files\SafeConnect\scManager.sys
PRC - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/08/30 21:01:38 | 00,577,024 | ---- | M] (http://tortoisesvn.net) -- C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
PRC - [2008/08/29 05:57:06 | 00,024,654 | ---- | M] (Apache Software Foundation) -- C:\Program Files\CollabNet Subversion Server\httpd\bin\httpd.exe
PRC - [2008/08/29 05:56:46 | 00,110,703 | ---- | M] (http://subversion.tigris.org/) -- C:\Program Files\CollabNet Subversion Server\svnserve.exe
PRC - [2008/05/29 21:43:38 | 02,580,480 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
PRC - [2008/05/29 21:43:36 | 02,363,392 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
PRC - [2008/01/11 11:54:44 | 00,090,112 | ---- | M] (brother) -- C:\Program Files\Brownie\brpjp04a.exe
PRC - [2008/01/08 08:28:02 | 00,864,256 | ---- | M] (brother) -- C:\Program Files\Brownie\BrStsWnd.exe
PRC - [2007/11/13 09:39:10 | 00,271,640 | ---- | M] (Impulse Point, LLC) -- C:\Program Files\SafeConnect\SCClient.exe
PRC - [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/03/01 22:01:31 | 00,020,572 | ---- | M] () -- C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
PRC - [2004/08/11 08:20:54 | 00,409,664 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\ZCfgSvc.exe
PRC - [2004/08/11 08:17:52 | 00,204,800 | ---- | M] (Intel) -- C:\WINDOWS\SYSTEM32\1XConfig.exe
PRC - [2004/08/11 08:17:24 | 00,303,171 | ---- | M] (Intel Corporation ) -- C:\WINDOWS\SYSTEM32\S24EvMon.exe
PRC - [2004/08/11 08:15:52 | 00,122,880 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\RegSrvc.exe
PRC - [2004/05/11 09:03:36 | 00,020,545 | ---- | M] () -- C:\Program Files\Apache Group\Apache\Apache.exe
PRC - [2004/02/27 12:29:24 | 00,061,440 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
PRC - [2004/02/02 15:32:16 | 00,155,648 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2003/08/29 05:59:24 | 00,122,880 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\BCMSMMSG.exe
PRC - [2003/08/13 10:27:40 | 00,028,672 | ---- | M] (Dell - Advanced Desktop Engineering) -- C:\WINDOWS\SYSTEM32\DSentry.exe
PRC - [2003/07/29 14:11:00 | 00,323,584 | ---- | M] () -- C:\WINDOWS\SYSTEM32\ati2evxx.exe
PRC - [2003/07/29 13:30:00 | 00,335,872 | ---- | M] (ATI Technologies, Inc.) -- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PRC - [2003/02/26 11:08:42 | 00,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2000/06/29 03:45:10 | 00,052,224 | ---- | M] (Kenonic Controls Ltd.) -- C:\WINDOWS\SYSTEM32\Crypserv.exe


========== Modules (SafeList) ==========

MOD - [2010/01/07 13:15:46 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\James\Desktop\OTL.exe
MOD - [2006/08/25 10:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (TivoBeacon2)
SRV - File not found [On_Demand | Stopped] -- -- (iPod Service)
SRV - File not found [On_Demand | Stopped] -- -- (ElectroServer Service)
SRV - [2009/08/29 17:22:26 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2009/08/29 17:22:24 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/05/27 03:27:04 | 29,262,680 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2009/04/26 13:27:51 | 00,136,472 | ---- | M] (Impulse Point, LLC) [Auto | Running] -- C:\Program Files\SafeConnect\scManager.sys -- (SCManager)
SRV - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 21:31:08 | 00,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/08/29 05:57:06 | 00,024,654 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Program Files\CollabNet Subversion Server\httpd\bin\httpd.exe -- (Apache2.2)
SRV - [2008/08/29 05:56:46 | 00,110,703 | ---- | M] (http://subversion.tigris.org/) [Auto | Running] -- C:\Program Files\CollabNet Subversion Server\svnserve.exe -- (svnserve)
SRV - [2006/11/08 15:35:38 | 00,053,248 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\SYSTEM32\HPZipm12.dll -- (Pml Driver HPZ12)
SRV - [2006/11/08 15:35:36 | 00,043,520 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\SYSTEM32\HPZinw12.dll -- (Net Driver HPZ12)
SRV - [2005/09/13 14:31:55 | 00,072,704 | ---- | M] (Adobe Systems) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/08/19 19:51:57 | 00,069,632 | ---- | M] (Macromedia) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- (Macromedia Licensing Service)
SRV - [2004/08/11 08:17:24 | 00,303,171 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\WINDOWS\SYSTEM32\S24EvMon.exe -- (S24EventMonitor)
SRV - [2004/08/11 08:15:52 | 00,122,880 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\WINDOWS\SYSTEM32\RegSrvc.exe -- (RegSrvc)
SRV - [2004/05/29 08:05:26 | 02,179,072 | ---- | M] () [Auto | Stopped] -- C:/mysql/bin/mysqld-nt.exe -- (MySql)
SRV - [2004/05/11 09:03:36 | 00,020,545 | ---- | M] () [Auto | Running] -- C:\Program Files\Apache Group\Apache\Apache.exe -- (Apache)
SRV - [2003/07/29 14:11:00 | 00,323,584 | ---- | M] () [Auto | Running] -- C:\WINDOWS\SYSTEM32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2003/04/29 14:29:54 | 00,139,264 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)
SRV - [2000/06/29 03:45:10 | 00,052,224 | ---- | M] (Kenonic Controls Ltd.) [Auto | Running] -- C:\WINDOWS\System32\Crypserv.exe -- (Crypkey License)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1134830889-1112932403-3249420932-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL =
IE - HKU\S-1-5-21-1134830889-1112932403-3249420932-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKU\S-1-5-21-1134830889-1112932403-3249420932-1007\S-1-5-21-1134830889-1112932403-3249420932-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/12/24 16:43:02 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/06 13:25:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/06 02:21:48 | 00,000,000 | ---D | M]

[2008/06/17 19:49:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Mozilla\Extensions
[2010/01/07 13:59:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\default.k3o\extensions
[2009/07/26 18:10:40 | 00,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\default.k3o\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2006/10/27 05:38:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\default.k3o\extensions\fr@dictionaries.addons.mozilla.org
[2010/01/08 13:36:36 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2003/05/15 02:59:03 | 00,004,608 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll
[2004/01/14 11:07:00 | 01,925,120 | ---- | M] (Cycore AB) -- C:\Program Files\Mozilla Firefox\plugins\NPMCult3DP.dll
[2004/11/17 17:21:00 | 00,110,592 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll

O1 HOSTS File: (1396 bytes) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 easywarez.com #www.easywarez.com
O1 - Hosts: 127.0.0.1 www.warezspot.com #ftp.warezspot.com
O1 - Hosts: 127.0.0.1 ftp.freegirlfun.com #update.freegirlfun.com
O1 - Hosts: 127.0.0.1 update.204.177.92.193 #support.204.177.92.193
O1 - Hosts: 127.0.0.1 support.204.177.92.198 #free-memberships.net
O1 - Hosts: 127.0.0.1 warezdownloads.info #www.warezdownloads.info
O1 - Hosts: 127.0.0.1 www.easydownloads.net #ftp.easydownloads.net
O1 - Hosts: 127.0.0.1 ftp.fullversion.com #update.fullversion.com
O1 - Hosts: 127.0.0.1 update.wareztitan.com #support.wareztitan.com
O1 - Hosts: 127.0.0.1 support.myddl.com #shadow-software.com
O1 - Hosts: 127.0.0.1 easywarez.com #www.easywarez.com
O1 - Hosts: 127.0.0.1 www.warezspot.com #ftp.warezspot.com
O1 - Hosts: 127.0.0.1 ftp.warez-vortex.net #update.warez-vortex.net
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BCMSMMSG] C:\WINDOWS\BCMSMMSG.exe (Broadcom Corporation)
O4 - HKLM..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe (brother)
O4 - HKLM..\Run: [DVDSentry] C:\WINDOWS\SYSTEM32\DSentry.exe (Dell - Advanced Desktop Engineering)
O4 - HKLM..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe (Intel® Corporation)
O4 - HKLM..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe (Hewlett-Packard)
O4 - HKLM..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe (Hewlett-Packard)
O4 - HKLM..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe File not found
O4 - HKLM..\Run: [ZCfgSvc.exe] C:\WINDOWS\SYSTEM32\ZCfgSvc.exe (Intel Corporation)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-1134830889-1112932403-3249420932-1007..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SafeConnect.lnk = C:\Program Files\SafeConnect\SCClient.exe (Impulse Point, LLC)
O4 - Startup: C:\Documents and Settings\James\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1134830889-1112932403-3249420932-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1134830889-1112932403-3249420932-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCloseKey = 1
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - Reg Error: Key error. File not found
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe File not found
O9 - Extra Button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe File not found
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1134830889-1112932403-3249420932-1007\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (Reg Error: Key error.)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1135126616485 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1135127248746 (MUWebControl Class)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} http://messenger.msn.com/download/MsnMesse...pDownloader.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.2
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll ()
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\Sebring: DllName - C:\WINDOWS\System32\LgNotify.dll - C:\WINDOWS\SYSTEM32\LgNotify.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/14 13:36:26 | 00,000,047 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/10/28 18:05:53 | 00,000,159 | ---- | M] () - C:\Autoexec.nt.txt -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: BtwSrv - File not found
NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\SYSTEM32\IAS [2004/06/07 12:47:38 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\SYSTEM32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17454953249374208)

========== Files/Folders - Created Within 14 Days ==========

[2010/01/08 13:30:45 | 00,000,000 | ---D | C] -- C:\_OTL
[2010/01/07 13:15:44 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\James\Desktop\OTL.exe
[2010/01/06 21:29:44 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\James\Desktop\RootRepeal.exe
[2010/01/06 19:23:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/01/06 19:23:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\James\Application Data\SUPERAntiSpyware.com
[2010/01/06 19:23:23 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/01/06 19:22:23 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/01/06 19:04:06 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\James\Recent
[2010/01/06 19:04:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Real
[2010/01/06 10:52:40 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/06 10:52:37 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/06 03:15:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/01/06 02:32:41 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\James\.COMMgr
[2010/01/06 02:32:39 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\James\Application Data\SystemProc
[2009/12/30 11:50:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\James\dreamcyclecache
[2009/12/29 16:13:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\James\Local Settings\Application Data\xveosr
[2009/12/26 19:14:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\James\Application Data\Malwarebytes
[2009/12/26 19:13:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/26 19:13:41 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/26 16:10:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\James\Local Settings\Application Data\dmxwey
[2008/08/14 14:03:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2006/01/01 21:42:40 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2005/12/27 15:57:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\TiVo Desktop
[2005/12/23 13:51:56 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2005/12/21 06:52:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2005/01/05 14:37:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\TiVo Desktop

========== Files - Modified Within 14 Days ==========

[2010/01/08 13:35:13 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2010/01/08 13:34:37 | 00,000,316 | ---- | M] () -- C:\WINDOWS\Brownie.ini
[2010/01/08 13:33:38 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/08 13:33:34 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/01/08 13:33:31 | 53,612,9536 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/08 13:32:27 | 08,388,608 | -H-- | M] () -- C:\Documents and Settings\James\NTUSER.DAT
[2010/01/08 13:32:27 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\James\NTUSER.INI
[2010/01/08 13:24:03 | 04,317,682 | -H-- | M] () -- C:\Documents and Settings\James\Local Settings\Application Data\IconCache.db
[2010/01/08 00:17:29 | 00,034,263 | ---- | M] () -- C:\Documents and Settings\James\Desktop\k.jpg
[2010/01/07 19:28:21 | 47,552,490 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/01/07 13:15:46 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\James\Desktop\OTL.exe
[2010/01/07 09:15:40 | 00,136,354 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2010/01/06 21:30:27 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\James\Desktop\settings.dat
[2010/01/06 21:29:45 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\James\Desktop\RootRepeal.exe
[2010/01/06 21:18:58 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\James\Desktop\dds.scr
[2010/01/06 19:23:38 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/01/06 10:52:44 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/06 05:58:51 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\vafukoma
[2010/01/04 22:47:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/04 20:11:58 | 00,079,270 | ---- | M] () -- C:\Documents and Settings\James\Desktop\profile.php
[2009/12/30 14:55:24 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/30 14:54:58 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/26 23:27:13 | 00,024,064 | ---- | M] () -- C:\Documents and Settings\James\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/26 16:18:42 | 00,236,544 | ---- | M] () -- C:\Documents and Settings\James\pev.exe

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 00,006,456 | -H-- | C] () -- C:\WINDOWS\System32\vafukoma
[2010/01/08 00:17:20 | 00,034,263 | ---- | C] () -- C:\Documents and Settings\James\Desktop\k.jpg
[2010/01/07 13:51:22 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\James\Desktop\gmer.exe
[2010/01/06 21:30:27 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\James\Desktop\settings.dat
[2010/01/06 21:18:57 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\James\Desktop\dds.scr
[2010/01/06 19:23:38 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/01/06 19:05:03 | 53,612,9536 | -HS- | C] () -- C:\hiberfil.sys
[2010/01/06 10:52:44 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/05 13:12:04 | 00,005,597 | ---- | C] () -- C:\Documents and Settings\James\Desktop\check_requirements.php
[2010/01/04 20:11:54 | 00,079,270 | ---- | C] () -- C:\Documents and Settings\James\Desktop\profile.php
[2009/12/26 16:18:42 | 00,236,544 | ---- | C] () -- C:\Documents and Settings\James\pev.exe
[2008/10/21 18:26:55 | 00,000,663 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/08/28 22:28:08 | 00,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2008/08/28 22:22:29 | 00,000,000 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2008/08/28 22:22:28 | 00,000,145 | ---- | C] () -- C:\WINDOWS\BRVIDEO.INI
[2008/08/28 22:21:21 | 00,000,114 | ---- | C] () -- C:\WINDOWS\System32\brlmw03a.ini
[2008/08/28 22:21:17 | 00,009,853 | ---- | C] () -- C:\WINDOWS\HL-2140.INI
[2008/08/28 22:20:21 | 00,000,316 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2006/11/07 19:51:28 | 00,000,248 | ---- | C] () -- C:\Documents and Settings\James\Application Data\.googlewebacchosts
[2006/05/25 22:05:41 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2006/01/21 13:53:19 | 00,001,347 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/07/11 00:18:17 | 00,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2005/04/24 16:31:12 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/03/18 07:59:43 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\frapsvid.dll
[2005/03/09 09:26:04 | 00,000,103 | ---- | C] () -- C:\WINDOWS\Crypkey.ini
[2005/03/09 09:26:01 | 00,024,608 | ---- | C] () -- C:\WINDOWS\System32\Ckldrv.sys
[2005/03/09 09:26:01 | 00,018,432 | ---- | C] () -- C:\WINDOWS\Setup_ck.dll
[2005/03/09 09:25:55 | 00,097,802 | ---- | C] () -- C:\WINDOWS\System32\Crp32dll.dll
[2005/03/01 22:02:30 | 00,074,752 | ---- | C] () -- C:\WINDOWS\System32\jst.dll
[2005/03/01 22:02:29 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\PMLJNI.dll
[2005/03/01 22:00:07 | 00,000,783 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2005/03/01 21:59:30 | 00,192,512 | R--- | C] () -- C:\WINDOWS\System32\HPB1320V.DLL
[2005/03/01 21:58:02 | 00,000,124 | ---- | C] () -- C:\WINDOWS\hplj1320.ini
[2004/12/31 00:53:00 | 00,000,115 | ---- | C] () -- C:\WINDOWS\AIMPR.INI
[2004/12/31 00:12:20 | 00,000,077 | ---- | C] () -- C:\WINDOWS\bhwin.sys
[2004/12/31 00:12:00 | 00,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL
[2004/11/20 12:38:37 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\James\Local Settings\Application Data\fusioncache.dat
[2004/10/26 17:39:05 | 03,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/10/26 14:46:44 | 00,000,045 | ---- | C] () -- C:\WINDOWS\GFIKJGNP.ini
[2004/10/23 19:05:02 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2004/10/21 21:06:59 | 00,001,568 | ---- | C] () -- C:\Documents and Settings\James\Application Data\mpauth.dat
[2004/09/20 16:35:27 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\James\Application Data\dm.ini
[2004/08/11 08:25:48 | 00,045,124 | ---- | C] () -- C:\WINDOWS\System32\LsaWrApi.dll
[2004/08/11 08:18:24 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\ShellNav.dll
[2004/08/11 08:16:36 | 00,225,349 | ---- | C] () -- C:\WINDOWS\System32\C1XStngs.dll
[2004/08/04 23:52:02 | 00,061,678 | ---- | C] () -- C:\Documents and Settings\James\Application Data\PFP110JPR.{PB
[2004/08/04 23:52:02 | 00,012,358 | ---- | C] () -- C:\Documents and Settings\James\Application Data\PFP110JCM.{PB
[2004/07/30 23:06:57 | 00,024,064 | ---- | C] () -- C:\Documents and Settings\James\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/07/25 01:51:58 | 00,001,125 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2004/07/24 15:04:29 | 00,000,478 | ---- | C] () -- C:\WINDOWS\my.ini
[2004/07/23 23:45:47 | 00,039,912 | ---- | C] () -- C:\WINDOWS\php.ini
[2004/07/23 19:18:06 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/06/07 13:39:30 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/06/07 13:31:37 | 00,000,258 | ---- | C] () -- C:\WINDOWS\System32\BDEMERGE.INI
[2004/06/07 13:24:50 | 00,000,159 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/06/07 13:21:44 | 00,000,831 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/06/07 13:04:35 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/06/07 12:51:10 | 00,000,545 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2002/12/02 14:57:00 | 00,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2002/12/02 14:57:00 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2001/07/31 05:17:12 | 00,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[1980/01/01 00:00:00 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll

========== LOP Check ==========

[2007/04/13 21:54:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk
[2008/06/17 07:57:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ConeXware
[2007/06/26 12:04:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GARMIN
[2008/08/14 07:52:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sirius
[2004/09/20 09:41:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Aim
[2004/08/01 22:57:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\GlobalSCAPE
[2004/08/09 22:25:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Jasc
[2005/05/28 12:30:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Keyhole
[2006/11/18 10:38:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Opera
[2008/05/06 11:56:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Sirius
[2008/09/21 17:50:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Subversion
[2010/01/06 05:47:29 | 00,000,000 | -HSD | M] -- C:\Documents and Settings\James\Application Data\SystemProc
[2004/12/18 12:04:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Thunderbird
[2010/01/06 05:10:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\uTorrent
[2004/08/06 23:25:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Viewpoint

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys
[2004/08/03 23:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2004/08/03 23:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\SYSTEM32\DRIVERS\agp440.sys
[2001/08/17 13:58:00 | 00,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\I386\AGP440.SYS
[2001/08/17 13:58:00 | 00,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2004/08/03 22:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys
[2003/04/23 09:29:54 | 00,087,296 | ---- | M] (Microsoft Corporation) MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -- C:\I386\atapi.sys
[2003/04/23 09:29:54 | 00,087,296 | ---- | M] (Microsoft Corporation) MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2003/04/23 09:29:54 | 00,087,296 | ---- | M] (Microsoft Corporation) MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[2004/08/04 00:56:44 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2004/08/04 00:56:44 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\SYSTEM32\eventlog.dll
[2002/08/29 05:00:00 | 00,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\I386\EVENTLOG.DLL
[2002/08/29 05:00:00 | 00,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[2002/08/29 05:00:00 | 00,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\I386\NETLOGON.DLL
[2002/08/29 05:00:00 | 00,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2009/02/06 13:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 13:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 00:56:46 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2004/08/04 00:56:46 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\SYSTEM32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 00:56:46 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2004/08/04 00:56:46 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\SYSTEM32\scecli.dll
[2002/08/29 05:00:00 | 00,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\I386\SCECLI.DLL
[2002/08/29 05:00:00 | 00,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
< End of report >

Malwarebytes' Anti-Malware 1.44
Database version: 3520
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/8/2010 6:56:03 PM
mbam-log-2010-01-08 (18-56-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 229706
Time elapsed: 2 hour(s), 28 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\James\Templates\info.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

Edited by JBS103, 08 January 2010 - 10:33 PM.


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:48 AM

Posted 09 January 2010 - 10:59 AM

We need to run this special tool.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • If prompted to reboot, please do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 JBS103

JBS103
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:48 AM

Posted 09 January 2010 - 01:05 PM

Hi Sam. This program behaves very similarly to GMER when I run it.

It opens and begins the scan normally. It gets through the Registry with no problem, then begins to scan the Kernal Memory and immediately posts a line that says:

Driver "atapi" Irp handler infected with TDSS rootkit ... cured

(No report is ever produced so I am going from memory...)

Then the cursor continues to blink and nothing else happens. I left to let the computer run for just about an hour but it made no progress from that point. If I did so much as to even move my mouse, the entire computer hangs and becomes completely unresponsive.

Thanks.

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:48 AM

Posted 10 January 2010 - 11:02 AM

That's all I needed to know. No need for the log now.
I'm still wondering if it actually removed the infection though. Are you still being redirected?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 JBS103

JBS103
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:48 AM

Posted 10 January 2010 - 11:23 AM

I've done my best to stop using Google in the meantime, only checking periodically to see if its fixed. From what I can tell in the three or four searches I just tried, the redirecting has stopped. However, it's did this a day ago after I ran MBAM. It will work okay for an hour (maybe one browser session or something?) and then all the sudden every link will start to redirect again.

Thanks again for your time. I will use Google normally and report back. Crossing my fingers.

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:48 AM

Posted 10 January 2010 - 11:24 AM

Ok, just let me know.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 JBS103

JBS103
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:48 AM

Posted 10 January 2010 - 11:42 AM

The redirecting has returned, unfortunately.

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:48 AM

Posted 10 January 2010 - 04:14 PM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.


Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 JBS103

JBS103
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:48 AM

Posted 10 January 2010 - 08:36 PM

Hi Sam. Everything seems to have gone smoothly. I've pasted the log for you.

ComboFix 10-01-04.01 - James 01/10/2010 20:12:56.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.171 [GMT -5:00]
Running from: c:\documents and settings\James\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\James\Application Data\SystemProc
c:\windows\bhwin.sys
c:\windows\Install.txt
c:\windows\system32\comrepl.exe
c:\windows\system32\drivers\fad.sys
c:\windows\system32\Install.txt
c:\windows\system32\SOCKETX.DLL
c:\windows\system32\SOCKETX.OCX

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it tongue.gif
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_WINSTS


((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))
.

2010-01-09 17:27 . 2010-01-09 17:34 16904 ----a-w- c:\windows\system32\drivers\KLMD.sys
2010-01-08 19:05 . 2010-01-08 19:05 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-08 19:04 . 2010-01-08 19:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-08 18:30 . 2010-01-08 18:30 -------- d-----w- C:\_OTL
2010-01-07 00:24 . 2010-01-07 00:24 52224 ----a-w- c:\documents and settings\James\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-07 00:24 . 2010-01-07 00:24 117760 ----a-w- c:\documents and settings\James\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-07 00:23 . 2010-01-07 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-07 00:23 . 2010-01-07 00:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-07 00:23 . 2010-01-07 00:23 -------- d-----w- c:\documents and settings\James\Application Data\SUPERAntiSpyware.com
2010-01-07 00:22 . 2010-01-07 00:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-06 15:52 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-06 15:52 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 07:32 . 2010-01-06 07:34 -------- d-sh--w- c:\documents and settings\James\.COMMgr
2010-01-04 13:20 . 2009-12-24 21:36 2066200 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-30 16:50 . 2009-12-30 16:50 -------- d-----w- c:\documents and settings\James\dreamcyclecache
2009-12-29 21:13 . 2009-12-30 00:27 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\xveosr
2009-12-27 00:14 . 2009-12-27 00:14 -------- d-----w- c:\documents and settings\James\Application Data\Malwarebytes
2009-12-27 00:13 . 2009-12-27 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-27 00:13 . 2010-01-08 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-26 21:18 . 2009-12-26 21:18 236544 ----a-w- c:\documents and settings\James\pev.exe
2009-12-26 21:10 . 2009-12-27 02:50 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\dmxwey

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 01:27 . 2008-09-01 19:29 -------- d-----w- c:\documents and settings\James\Application Data\OpenOffice.org2
2010-01-09 17:17 . 2004-07-24 05:18 -------- d-----w- c:\program files\PowerArchiver
2010-01-08 19:03 . 2004-06-07 18:20 -------- d-----w- c:\program files\Java
2010-01-06 10:16 . 2008-08-14 19:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-01-06 10:10 . 2006-11-29 20:35 -------- d-----w- c:\documents and settings\James\Application Data\uTorrent
2009-11-28 19:48 . 2008-09-01 19:31 1 ----a-w- c:\documents and settings\James\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-11-26 02:41 . 2005-12-23 18:47 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-29 05:48 . 2005-10-21 17:51 662016 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 06:00 . 2005-12-21 02:58 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 06:00 . 2005-12-21 02:58 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-20 14:58 . 2005-12-21 02:58 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2002-08-29 10:00 266752 ----a-w- c:\windows\system32\oakley.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2004-08-11 86016]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-11 188416]
"ZCfgSvc.exe"="c:\windows\System32\ZCfgSvc.exe" [2004-08-11 409664]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-24 2043160]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-01-08 864256]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-08 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\James\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-9-29 113664]
SafeConnect.lnk - c:\program files\SafeConnect\scClient.exe [2007-11-13 271640]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoCloseKey"= 1

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-29 22:22 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-08-11 13:22 180290 ----a-w- c:\windows\SYSTEM32\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Documents and Settings\\James\\Desktop\\utorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [8/14/2008 2:05 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [8/14/2008 2:05 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 Apache2.2;Apache2.2;c:\program files\CollabNet Subversion Server\httpd\bin\httpd.exe [8/29/2008 5:57 AM 24654]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/29/2009 5:22 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/12/2009 2:12 PM 297752]
R2 SCManager;SafeConnect Manager;c:\program files\SafeConnect\scManager.sys servicestart --> c:\program files\SafeConnect\scManager.sys servicestart [?]
R2 svnserve;Subversion Server;c:\program files\CollabNet Subversion Server\svnserve.exe [8/29/2008 5:56 AM 110703]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe --> c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [?]
S3 ElectroServer Service;ElectroServer Service;c:\progra~1\ELECTR~1\ELECTR~1\ELECTR~1.EXE --> c:\progra~1\ELECTR~1\ELECTR~1\ELECTR~1.EXE [?]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys --> c:\windows\system32\DRIVERS\UltraMonMirror.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page =
IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\default.k3o\
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMCult3DP.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\windows\SYSTEM32\Cult3D\NPMCult3DP.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-10 20:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk21]
"ImagePath"="\??\c:\windows\System32\Drivers\HNPsSdk.drv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\LgNotify.dll

- - - - - - - > 'explorer.exe'(4516)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\S24EvMon.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Apache Group\Apache\Apache.exe
c:\windows\system32\crypserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Apache Group\Apache\Apache.exe
c:\windows\System32\RegSrvc.exe
c:\program files\SafeConnect\scManager.sys
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\System32\1XConfig.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\BCMSMMSG.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.BIN
.
**************************************************************************
.
Completion time: 2010-01-10 20:34:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-11 01:34

Pre-Run: 1,652,649,984 bytes free
Post-Run: 1,629,081,600 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - AE9D1592BC0186DCF42A1D36D4A6B644


#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:48 AM

Posted 11 January 2010 - 08:08 AM

There it looks like we got it that time. Use your computer for a while like you did before and let me know if the redirections occur or not.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 JBS103

JBS103
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:48 AM

Posted 12 January 2010 - 01:05 PM

Hi Sam. Everything looks good! I think we (read: you) got it. Thanks so much.

Is there anything left to do to finalize everything? Clean up? Can I delete everything I've installed from this thread?

Thanks again. You nailed it.







0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users