
Internet Security 2010/constantly finding trojans


  • This topic is locked
20 replies to this topic

#1 jbooth

jbooth

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:05 PM

Posted 24 January 2010 - 10:46 PM

The other day, ads started popping up in firefox which usually doesn't happen for me. A little bit later my desktop background was replaced and Internet Security 2010 had installed itself. I found a guide to removing it here and followed the directions. It seems to be gone but I'm still getting pop-ups and whenever I run a scan (Malwarebytes, SUPERAntiSpyware, Spybot, etc.) I'm constantly finding trojans and other things wrong. I choose to remove them, then I scan again and it finds other ones. Sometimes they are related to Internet Security 2010. I'd appreciate any help in figuring out how to get my PC back to normal. I've included the DDS and RootRepeal logs. Thanks in advance.


DDS (Ver_09-12-01.01) - NTFSx86
Run by robert davies at 22:01:46.10 on Sun 01/24/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.168 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\robert davies\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Corel File Shell Monitor] c:\program files\corel\corel paint shop pro photo x2\CorelIOMonitor.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: sufasisa.dll c:\windows\system32\rawetuye.dll
SSODL: jogiyejek - {50c81fb8-55e6-4a13-b760-9c7c0225e97c} - No File
STS: {50c81fb8-55e6-4a13-b760-9c7c0225e97c} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli konafida.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robert~1\applic~1\mozilla\firefox\profiles\1yzvyzpz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.netflix.com/MemberHome
FF - plugin: c:\documents and settings\robert davies\application data\mozilla\firefox\profiles\1yzvyzpz.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-22 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-22 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-22 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-22 56816]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-9-16 192112]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-9-16 169584]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]

=============== Created Last 30 ================

2010-01-25 01:01:51 0 d--h--w- c:\windows\PIF
2010-01-23 20:05:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-23 20:05:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-23 05:39:12 0 ----a-w- c:\windows\system32\23512.exe
2010-01-23 05:19:12 0 ----a-w- c:\windows\system32\1878.exe
2010-01-23 04:59:11 0 ----a-w- c:\windows\system32\3308.exe
2010-01-23 04:39:11 0 ----a-w- c:\windows\system32\6481.exe
2010-01-23 04:19:11 0 ----a-w- c:\windows\system32\5453.exe
2010-01-23 03:59:10 0 ----a-w- c:\windows\system32\4764.exe
2010-01-23 03:39:10 0 ----a-w- c:\windows\system32\2644.exe
2010-01-23 03:19:10 0 ----a-w- c:\windows\system32\21415.exe
2010-01-23 02:59:00 0 ----a-w- c:\windows\system32\7624.exe
2010-01-23 02:39:00 0 ----a-w- c:\windows\system32\8562.exe
2010-01-23 02:19:00 0 ----a-w- c:\windows\system32\6064.exe
2010-01-23 01:58:59 0 ----a-w- c:\windows\system32\11794.exe
2010-01-23 01:38:58 0 ----a-w- c:\windows\system32\9896.exe
2010-01-23 01:26:55 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-23 01:26:49 0 d-----w- c:\program files\Avira
2010-01-23 01:26:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-01-23 01:18:53 0 ----a-w- c:\windows\system32\17865.exe
2010-01-22 19:46:58 135168 ----a-w- C:\ojjw.exe
2010-01-20 19:40:03 0 d-----w- c:\docume~1\robert~1\applic~1\iSproggler
2010-01-12 19:25:44 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-10 08:00:39 0 d-----w- c:\program files\MSXML 4.0
2010-01-09 04:46:04 88 --sh--r- c:\docume~1\alluse~1\applic~1\4CE13CD8B1.sys
2010-01-09 04:46:04 2828 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-01-09 03:41:23 0 d-----w- c:\program files\common files\Protexis
2010-01-09 03:41:22 0 d-----w- c:\program files\common files\Corel
2010-01-09 03:41:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Corel
2010-01-09 03:30:40 0 d-----w- c:\program files\Corel
2010-01-09 02:34:47 0 d-----w- c:\program files\Microsoft Digital Image 10
2010-01-09 01:10:11 0 d-----w- c:\program files\Microsoft Picture It! PhotoPub
2010-01-07 03:02:46 0 d-----w- c:\program files\mp3DirectCut
2010-01-07 02:55:02 0 d-----w- C:\Temp
2010-01-07 02:50:27 0 d-----w- c:\program files\Lame for Audacity
2010-01-06 19:33:45 0 d-----w- c:\program files\Audacity
2009-12-28 22:28:43 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2009-12-28 20:03:33 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-12-28 20:03:29 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-12-28 20:03:16 0 d-----w- c:\windows\Logs
2009-12-28 20:03:11 0 d-----w- c:\program files\Winamp Detect
2009-12-28 20:02:54 129520 ------w- c:\windows\system32\pxafs.dll
2009-12-28 07:20:54 0 d-----w- c:\windows\system32\scripting
2009-12-28 07:20:53 0 d-----w- c:\windows\l2schemas
2009-12-28 07:20:52 0 d-----w- c:\windows\system32\en
2009-12-28 07:20:52 0 d-----w- c:\windows\system32\bits
2009-12-28 07:16:19 0 d-----w- c:\windows\network diagnostic
2009-12-28 07:12:35 0 d-----w- c:\windows\EHome
2009-12-28 01:17:16 0 d-----w- c:\program files\iPod
2009-12-28 01:17:02 0 d-----w- c:\program files\iTunes
2009-12-28 01:17:02 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-28 01:15:25 0 d-----w- c:\program files\Bonjour
2009-12-28 01:07:01 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-28 01:07:01 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-28 00:53:43 0 d-----w- c:\program files\Xilisoft
2009-12-28 00:53:17 0 d-----w- c:\program files\MP3Gain
2009-12-28 00:30:27 0 d-----w- c:\program files\Ant Movie Catalog

==================== Find3M ====================

2010-01-23 19:25:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-17 03:26:50 87608 ----a-w- c:\docume~1\robert~1\applic~1\inst.exe
2009-12-17 03:26:50 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-12-17 03:26:50 47360 ----a-w- c:\docume~1\robert~1\applic~1\pcouffin.sys
2009-11-14 06:47:57 260608 ----a-w- c:\windows\PEV.exe
2009-10-29 19:08:22 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 05:38:23 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 05:38:23 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-10-29 05:38:22 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-10-29 05:38:22 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll

============= FINISH: 22:03:32.46 ===============


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:05 PM

Posted 25 January 2010 - 09:13 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  • Click the "Run Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
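The DDS log in post #1 and the list of drivers the helper asks OTL to hash in post #2 both lend themselves to a small triage script. The following is an added example, not code from either poster and not part of the DDS or OTL tools: it splits a constructed excerpt of the DDS log above (lines copied from the post) into its sections and flags the entries a responder would look at first: zero-byte executables with purely numeric names under system32, an executable dropped in the drive root, a populated AppInit_DLLs value, an LSA notification package other than scecli, SSODL/STS shell load points that point at no file, the DisableTaskMgr policy, and any driver from the helper's hash list that appears in the recently modified sections. The section and file-line regexes, the CORE_DRIVERS watch list and the finding names are my assumptions, not a DDS or OTL format specification.

```python
import re
from collections import defaultdict

# Constructed excerpt of a DDS log, using lines reproduced from the post above
# (sample input only, not a complete log).
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
dPolicies-system: DisableTaskMgr = 1 (0x1)
AppInit_DLLs: sufasisa.dll c:\\windows\\system32\\rawetuye.dll
SSODL: jogiyejek - {50c81fb8-55e6-4a13-b760-9c7c0225e97c} - No File
STS: {50c81fb8-55e6-4a13-b760-9c7c0225e97c} - No File
LSA: Notification Packages = scecli konafida.dll

=============== Created Last 30 ================

2010-01-23 05:39:12 0 ----a-w- c:\\windows\\system32\\23512.exe
2010-01-23 05:19:12 0 ----a-w- c:\\windows\\system32\\1878.exe
2010-01-23 01:26:55 56816 ----a-w- c:\\windows\\system32\\drivers\\avgntflt.sys
2010-01-22 19:46:58 135168 ----a-w- C:\\ojjw.exe
2010-01-09 04:46:04 88 --sh--r- c:\\docume~1\\alluse~1\\applic~1\\4CE13CD8B1.sys

==================== Find3M ====================

2010-01-23 19:25:40 96512 ----a-w- c:\\windows\\system32\\drivers\\atapi.sys
2009-10-29 05:38:23 667136 ----a-w- c:\\windows\\system32\\wininet.dll

============= FINISH: 22:03:32.46 ===============
"""

# Assumed layout of a DDS section header and of a file entry (date time size attrs path).
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
NUMERIC_EXE_RE = re.compile(r"^\d+\.exe$", re.IGNORECASE)
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.IGNORECASE)

# Watch list: drivers the helper asked OTL to hash in this thread (assumption: used here
# as "core boot/storage drivers whose recent modification deserves a second look").
CORE_DRIVERS = {"atapi.sys", "iastor.sys", "nvstor.sys", "idechndr.sys", "agp440.sys", "iastorv.sys"}


def parse_dds(text):
    """Split a DDS log into {section name: [non-empty lines]}; text before the first header goes under ''."""
    sections = defaultdict(list)
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            continue
        sections[current].append(line)
    return sections


def parse_file_line(line):
    """Return a dict for a 'Created Last 30' / 'Find3M' entry, or None if the line is not one."""
    m = FILE_RE.match(line)
    if not m:
        return None
    date, time, size, attrs, path = m.groups()
    return {"date": date, "time": time, "size": int(size), "attrs": attrs,
            "path": path, "name": path.rsplit("\\", 1)[-1].lower()}


def triage(text):
    """Return a list of (finding, detail) tuples for the entries worth a responder's attention."""
    findings = []
    sections = parse_dds(text)
    for line in sections.get("Pseudo HJT Report", []):
        if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(("appinit_dll", line))            # DLLs injected into every GUI process
        elif line.startswith("LSA: Notification Packages"):
            pkgs = line.split("=", 1)[1].split()
            extra = [p for p in pkgs if p.lower() != "scecli"]  # scecli is the default package
            if extra:
                findings.append(("lsa_notification_package", " ".join(extra)))
        elif line.startswith(("SSODL:", "STS:")) and line.endswith("No File"):
            findings.append(("orphaned_shell_load_point", line))
        elif "DisableTaskMgr = 1" in line:
            findings.append(("task_manager_disabled", line))
    for section in ("Created Last 30", "Find3M"):
        for line in sections.get(section, []):
            entry = parse_file_line(line)
            if entry is None:
                continue
            if NUMERIC_EXE_RE.match(entry["name"]) and entry["size"] == 0:
                findings.append(("zero_byte_numeric_exe", entry["path"]))
            elif ROOT_EXE_RE.match(entry["path"]):
                findings.append(("exe_in_drive_root", entry["path"]))
            elif entry["name"] in CORE_DRIVERS:
                findings.append(("core_driver_recently_modified", entry["path"]))
    return findings


if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_DDS):
        print(f"{finding:32} {detail}")
```

The script is a first pass only: every flag is a prompt to verify the file (publisher, hash, timestamp against the OS install) rather than a verdict, and the watch list should be extended with whatever the helper asks OTL to hash in a given thread.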

#3 jbooth

jbooth
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:05 PM

Posted 25 January 2010 - 11:13 AM

Hi, thanks for the quick response. Here are the OTL logs:

OTL logfile created on: 1/25/2010 10:41:54 AM - Run 1
OTL by OldTimer - Version 3.1.26.0 Folder = C:\Documents and Settings\robert davies\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 103.00 Mb Available Physical Memory | 20.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 51.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 50.48 Gb Total Space | 23.77 Gb Free Space | 47.09% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 5.41 Gb Total Space | 5.15 Gb Free Space | 95.30% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-4105E587B6
Current User Name: robert davies
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/25 10:39:51 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\robert davies\Desktop\OTL.exe
PRC - [2010/01/22 16:20:27 | 02,002,160 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2010/01/07 18:44:15 | 00,307,672 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/21 00:45:56 | 00,039,424 | ---- | M] (Nullsoft) -- C:\Program Files\Winamp\winampa.exe
PRC - [2009/11/12 16:33:10 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/07/21 13:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/03/02 12:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009/01/21 17:34:22 | 00,016,712 | R--- | M] () -- C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 19:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/25 01:11:35 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
PRC - [2007/07/24 11:15:14 | 00,185,632 | ---- | M] (Protexis Inc.) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2006/11/13 12:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2006/11/13 12:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2006/10/09 13:23:06 | 00,697,976 | ---- | M] () -- C:\WINDOWS\SMINST\Scheduler.exe
PRC - [2006/06/19 14:33:12 | 00,163,840 | ---- | M] ( Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
PRC - [2006/06/16 11:22:46 | 00,794,713 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2006/05/03 17:58:26 | 00,458,752 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
PRC - [2006/05/02 18:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
PRC - [2006/04/06 08:20:00 | 00,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2005/12/23 16:44:26 | 00,491,606 | ---- | M] () -- C:\Program Files\HPQ\Shared\HpqToaster.exe
PRC - [2005/10/19 05:15:22 | 00,159,744 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2005/10/19 05:15:12 | 00,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2005/10/19 05:15:00 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2005/09/24 11:10:58 | 00,749,696 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
PRC - [2005/09/19 06:24:20 | 00,214,672 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
PRC - [2005/09/16 19:27:12 | 00,169,584 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/09/16 19:27:06 | 00,192,112 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2005/09/16 19:27:02 | 00,052,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2005/02/17 02:11:42 | 00,049,152 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
PRC - [2003/10/21 09:43:12 | 00,868,352 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
PRC - [2003/07/15 11:36:50 | 00,319,488 | ---- | M] (Roxio, Inc.) -- C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
PRC - [2003/07/15 11:36:50 | 00,118,784 | ---- | M] (Roxio, Inc.) -- C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
PRC - [2001/05/01 16:06:22 | 00,053,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\MsPMSPSv.exe


========== Modules (SafeList) ==========

MOD - [2010/01/25 10:39:51 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\robert davies\Desktop\OTL.exe
MOD - [2005/09/23 13:38:24 | 00,123,488 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\AntiSpam\asOEHook.dll
MOD - [2005/09/16 19:33:36 | 00,377,968 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\ccL40.dll
MOD - [2003/03/19 01:14:52 | 00,499,712 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp71.dll
MOD - [2003/02/21 07:42:22 | 00,348,160 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcr71.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/09/03 10:53:00 | 00,048,368 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/07/21 13:34:33 | 00,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2007/07/24 11:15:14 | 00,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2007/05/23 18:15:55 | 00,138,168 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2006/06/12 16:27:28 | 00,126,976 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -- (AddFiltr)
SRV - [2006/05/02 18:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Auto | Running] -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe -- (hpqwmiex)
SRV - [2006/01/12 15:22:38 | 00,294,912 | ---- | M] (SoftThinks) [Auto | Stopped] -- C:\WINDOWS\SMINST\PCAngel.exe -- (PCA)
SRV - [2005/10/22 13:28:54 | 00,045,696 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- c:\Program Files\Norton Internet Security\comHost.exe -- (comHost)
SRV - [2005/10/13 03:48:40 | 00,072,280 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- c:\Program Files\Norton Internet Security\ccPwdSvc.exe -- (ccISPwdSvc)
SRV - [2005/09/24 11:10:58 | 00,749,696 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE -- (NSCService)
SRV - [2005/09/19 06:24:20 | 00,214,672 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2005/09/16 19:27:12 | 00,169,584 | ---- | M] (Symantec Corporation) [Auto | Running] -- c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2005/09/16 19:27:06 | 00,192,112 | ---- | M] (Symantec Corporation) [Auto | Running] -- c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2004/10/22 06:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/08/11 03:46:56 | 00,483,328 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- c:\Program Files\Windows Media Connect\mswmccds.exe -- (WmcCds) Windows Media Connect (WMC)
SRV - [2004/08/11 00:50:42 | 00,028,160 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Media Connect\mswmcls.exe -- (WmcCdsLs) Windows Media Connect (WMC)
SRV - [2004/07/15 04:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state)
SRV - [2001/05/01 16:06:22 | 00,053,248 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\MsPMSPSv.exe -- (WMDM PMSP Service)


========== Driver Services (SafeList) ==========

DRV - [2010/01/23 15:07:08 | 00,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/01/23 14:25:40 | 00,096,512 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\atapi.sys -- (atapi)
DRV - [2009/12/16 22:26:50 | 00,047,360 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin)
DRV - [2009/09/15 10:42:48 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/09/15 10:42:46 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/09/15 10:42:44 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/05/18 14:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/05/11 09:12:24 | 00,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/04/28 15:20:06 | 00,044,944 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2009/04/28 15:20:06 | 00,009,200 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2009/04/28 15:20:06 | 00,009,072 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2009/03/30 09:33:07 | 00,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 11:35:05 | 00,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/04/13 13:56:49 | 00,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usb8023x.sys -- (usb_rndisx)
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2006/08/22 02:21:26 | 00,163,328 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®
DRV - [2006/08/21 17:16:56 | 00,530,176 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA)
DRV - [2006/08/21 17:16:20 | 00,038,144 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD)
DRV - [2006/07/17 10:17:28 | 02,206,720 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2006/06/16 10:40:56 | 00,193,120 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2006/05/17 23:26:32 | 00,990,592 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/05/17 23:25:56 | 00,246,912 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2006/05/17 23:25:50 | 00,727,808 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/04/06 08:20:00 | 00,094,460 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/04/06 08:20:00 | 00,087,068 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/04/06 08:20:00 | 00,086,812 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/04/06 08:20:00 | 00,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/04/06 08:20:00 | 00,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/04/06 08:20:00 | 00,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/04/06 08:20:00 | 00,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2006/03/30 06:30:00 | 00,089,072 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2006/03/17 11:35:24 | 00,005,660 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/03/17 11:34:46 | 00,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2006/03/17 08:20:00 | 00,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2005/10/19 05:15:02 | 01,302,812 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2005/10/04 22:57:08 | 00,012,544 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2005/09/19 17:24:20 | 00,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
DRV - [2005/09/19 17:24:10 | 00,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2005/09/19 17:23:52 | 00,007,808 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2005/09/19 06:23:52 | 00,196,240 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2005/09/19 06:23:48 | 00,024,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2005/09/19 06:23:40 | 00,031,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMIDS.SYS -- (SYMIDS)
DRV - [2005/09/19 06:23:36 | 00,027,792 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMNDIS.SYS -- (SYMNDIS)
DRV - [2005/09/19 06:23:32 | 00,109,200 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMFW.SYS -- (SYMFW)
DRV - [2005/09/19 06:23:26 | 00,012,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMDNS.SYS -- (SYMDNS)
DRV - [2005/09/16 19:20:06 | 00,108,168 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2005/09/01 14:07:36 | 00,199,408 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SymcData\idsdefs\20050901.036\SymIDSCo.sys -- (SYMIDSCO)
DRV - [2004/08/04 03:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2003/10/21 09:43:16 | 00,213,120 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\UdfReadr_xp.sys -- (UdfReadr_xp)
DRV - [2003/10/21 09:43:16 | 00,146,560 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys -- (DVDVRRdr_xp)
DRV - [2003/10/21 09:43:14 | 00,260,224 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\Cdudf_xp.sys -- (cdudf_xp)
DRV - [2003/10/21 09:43:14 | 00,118,409 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2003/10/21 09:43:14 | 00,022,777 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2003/10/21 09:43:14 | 00,021,993 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2001/08/17 15:10:28 | 00,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)
DRV - [2001/08/17 10:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2533584975-652044822-2608800130-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2533584975-652044822-2608800130-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-2533584975-652044822-2608800130-1006\S-1-5-21-2533584975-652044822-2608800130-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2533584975-652044822-2608800130-1006\S-1-5-21-2533584975-652044822-2608800130-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.netflix.com/MemberHome"
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 44
FF - prefs.js..extensions.enabledItems: hide.unvisited@agadak.net:3
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20081111
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.5.2.20080717

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/07 18:44:20 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/07 18:44:20 | 00,000,000 | ---D | M]

[2009/01/07 19:28:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\robert davies\Application Data\Mozilla\Extensions
[2010/01/25 10:38:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\robert davies\Application Data\Mozilla\Firefox\Profiles\1yzvyzpz.default\extensions
[2008/09/28 13:39:42 | 00,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\robert davies\Application Data\Mozilla\Firefox\Profiles\1yzvyzpz.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/02/28 09:35:06 | 00,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\robert davies\Application Data\Mozilla\Firefox\Profiles\1yzvyzpz.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2009/09/16 11:13:26 | 00,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\robert davies\Application Data\Mozilla\Firefox\Profiles\1yzvyzpz.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2009/01/13 12:02:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\robert davies\Application Data\Mozilla\Firefox\Profiles\1yzvyzpz.default\extensions\hide.unvisited@agadak.net
[2010/01/24 13:29:38 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2005/12/05 21:31:00 | 00,114,688 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
[2009/12/21 00:47:02 | 00,063,488 | ---- | M] (Nullsoft) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

O1 HOSTS File: ([2009/12/01 02:58:25 | 00,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-2533584975-652044822-2608800130-1006\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-2533584975-652044822-2608800130-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-2533584975-652044822-2608800130-1006\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-2533584975-652044822-2608800130-1006\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [ccApp] c:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe ()
O4 - HKLM..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe (Hewlett-Packard Co.)
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [QlbCtrl] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe ( Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\CREATOR\Remind_XP.exe ()
O4 - HKLM..\Run: [RoxioAudioCentral] C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe (Roxio, Inc.)
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe (Roxio)
O4 - HKLM..\Run: [RoxioEngineUtility] C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe (Roxio)
O4 - HKLM..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe (InterVideo Inc.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe (Nullsoft)
O4 - HKU\S-1-5-21-2533584975-652044822-2608800130-1006..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2533584975-652044822-2608800130-1006..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-2533584975-652044822-2608800130-1006..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe (InterVideo Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2533584975-652044822-2608800130-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2533584975-652044822-2608800130-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2533584975-652044822-2608800130-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2533584975-652044822-2608800130-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-2533584975-652044822-2608800130-1006_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 31 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 30 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 30 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-19\..Trusted Domains: 30 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 30 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-2533584975-652044822-2608800130-1006\..Trusted Domains: 30 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - AppInit_DLLs: (sufasisa.dll) - File not found
O20 - AppInit_DLLs: (c:\windows\system32\rawetuye.dll) - C:\WINDOWS\System32\rawetuye.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O21 - SSODL: jogiyejek - {50c81fb8-55e6-4a13-b760-9c7c0225e97c} - CLSID or File not found.
O22 - SharedTaskScheduler: {50c81fb8-55e6-4a13-b760-9c7c0225e97c} - jugezatag - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/07/27 18:07:00 | 00,000,000 | -HS- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/01/27 00:13:36 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - C:\WINDOWS\system32\irmon.dll (Microsoft Corporation)
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17454841580224512)

========== Files/Folders - Created Within 30 Days ==========

[2010/01/25 10:39:51 | 00,547,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\robert davies\Desktop\OTL.exe
[2010/01/24 22:07:57 | 00,000,000 | ---D | C] -- C:\HJT
[2010/01/24 20:01:51 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/01/23 15:05:28 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/23 15:05:26 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/23 14:23:07 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/01/23 01:33:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/01/22 20:26:55 | 00,096,104 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/01/22 20:26:55 | 00,056,816 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/01/22 20:26:55 | 00,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/01/22 20:26:55 | 00,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/01/22 20:26:53 | 00,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/01/22 20:26:49 | 00,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/01/22 20:26:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/01/22 20:13:28 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\robert davies\Desktop\RootRepeal.exe
[2010/01/20 14:40:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\robert davies\Application Data\iSproggler
[2010/01/20 12:18:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\robert davies\Local Settings\Application Data\Last.fm
[2010/01/12 14:25:44 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2010/01/10 03:00:39 | 00,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2010/01/08 23:47:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\robert davies\My Documents\My Corel Shows
[2010/01/08 23:47:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\robert davies\Local Settings\Application Data\Corel
[2010/01/08 22:45:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\robert davies\My Documents\My PSP Files
[2010/01/08 22:45:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\robert davies\Application Data\Corel
[2010/01/08 22:41:23 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Protexis
[2010/01/08 22:41:22 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Corel
[2010/01/08 22:41:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Corel
[2010/01/08 22:30:40 | 00,000,000 | ---D | C] -- C:\Program Files\Corel
[2010/01/08 22:29:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\robert davies\Application Data\InstallShield
[2010/01/08 22:13:13 | 33,379,0888 | ---- | C] (Macrovision Corporation) -- C:\Documents and Settings\robert davies\My Documents\PSPP12_Corel_TBYB_EN_IE_FR_DE_ES_IT_NL_ESD.exe
[2010/01/08 21:34:47 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Digital Image 10
[2010/01/08 20:10:11 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Picture It! PhotoPub
[2010/01/06 22:02:46 | 00,000,000 | ---D | C] -- C:\Program Files\mp3DirectCut
[2010/01/06 21:55:02 | 00,000,000 | ---D | C] -- C:\Temp
[2010/01/06 21:50:27 | 00,000,000 | ---D | C] -- C:\Program Files\Lame for Audacity
[2010/01/06 14:33:45 | 00,000,000 | ---D | C] -- C:\Program Files\Audacity
[2009/12/28 17:28:43 | 00,512,000 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jscript.dll
[2009/12/28 15:03:33 | 03,426,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_32.dll
[2009/12/28 15:03:29 | 02,414,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_31.dll
[2009/12/28 15:03:16 | 00,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2009/12/28 15:03:11 | 00,000,000 | ---D | C] -- C:\Program Files\Winamp Detect
[2009/12/28 15:02:55 | 00,072,176 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxhpinst.exe
[2009/12/28 15:02:55 | 00,066,544 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxcpya64.exe
[2009/12/28 15:02:55 | 00,066,032 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxinsa64.exe
[2009/12/28 15:02:54 | 00,129,520 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxafs.dll
[2009/12/28 15:02:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\robert davies\Application Data\Winamp
[2009/12/28 15:02:48 | 00,000,000 | ---D | C] -- C:\Program Files\Winamp
[2009/12/28 02:37:23 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/12/28 02:20:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2009/12/28 02:20:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us
[2009/12/28 02:20:53 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2009/12/28 02:20:52 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2009/12/28 02:20:52 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2009/12/28 02:16:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
[2009/12/28 02:12:38 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2009/12/28 02:12:35 | 00,000,000 | ---D | C] -- C:\WINDOWS\EHome
[2009/12/27 20:17:16 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/12/27 20:17:02 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/12/27 20:17:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/12/27 20:15:25 | 00,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2009/12/27 20:14:20 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/12/27 20:07:01 | 00,107,368 | ---- | C] (GEAR Software Inc.) -- C:\WINDOWS\System32\GEARAspi.dll
[2009/12/27 20:07:01 | 00,026,600 | ---- | C] (GEAR Software Inc.) -- C:\WINDOWS\System32\drivers\GEARAspiWDM.sys
[2009/12/27 20:05:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2009/12/27 19:54:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\robert davies\Local Settings\Application Data\Collectorz.com
[2009/12/27 19:54:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\robert davies\My Documents\Music Collector
[2009/12/27 19:53:43 | 00,000,000 | ---D | C] -- C:\Program Files\Xilisoft
[2009/12/27 19:53:17 | 00,000,000 | ---D | C] -- C:\Program Files\MP3Gain
[2009/12/27 19:30:27 | 00,000,000 | ---D | C] -- C:\Program Files\Ant Movie Catalog
[2009/12/27 19:25:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\robert davies\My Documents\00 - MY STUFF
[2009/12/16 22:26:50 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\robert davies\Application Data\pcouffin.sys
[2009/01/07 19:28:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/04/12 12:40:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ApplicationHistory
[2008/04/12 12:40:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2007/07/20 22:26:50 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/25 10:39:51 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\robert davies\Desktop\OTL.exe
[2010/01/24 22:10:00 | 00,000,491 | ---- | M] () -- C:\Documents and Settings\robert davies\Desktop\Shortcut to HiJackThis.lnk
[2010/01/24 21:57:36 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/24 21:57:32 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/24 21:57:30 | 52,788,0192 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/24 21:56:11 | 05,242,880 | ---- | M] () -- C:\Documents and Settings\robert davies\ntuser.dat
[2010/01/24 21:56:11 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\robert davies\ntuser.ini
[2010/01/23 17:37:59 | 00,380,918 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/23 17:37:59 | 00,053,166 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/23 17:37:58 | 00,439,376 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/23 15:07:08 | 00,056,816 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/01/23 15:05:30 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/23 14:25:40 | 00,096,512 | ---- | M] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2010/01/23 00:55:26 | 00,263,168 | ---- | M] () -- C:\Documents and Settings\robert davies\Desktop\rkill.com
[2010/01/23 00:39:12 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\23512.exe
[2010/01/23 00:19:12 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\1878.exe
[2010/01/22 23:59:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\3308.exe
[2010/01/22 23:39:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\6481.exe
[2010/01/22 23:19:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\5453.exe
[2010/01/22 22:59:10 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\4764.exe
[2010/01/22 22:39:10 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\2644.exe
[2010/01/22 22:19:10 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\21415.exe
[2010/01/22 21:59:00 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\7624.exe
[2010/01/22 21:39:00 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\8562.exe
[2010/01/22 21:19:00 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\6064.exe
[2010/01/22 20:58:59 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\11794.exe
[2010/01/22 20:38:58 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\9896.exe
[2010/01/22 20:27:19 | 00,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/01/22 20:23:10 | 30,909,992 | ---- | M] () -- C:\Documents and Settings\robert davies\Desktop\avira_antivir_personal_en.exe
[2010/01/22 20:18:53 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\17865.exe
[2010/01/22 20:14:08 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\robert davies\Desktop\settings.dat
[2010/01/22 20:13:29 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\robert davies\Desktop\RootRepeal.exe
[2010/01/22 20:11:30 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\robert davies\Desktop\dds.scr
[2010/01/22 14:46:58 | 00,135,168 | ---- | M] () -- C:\ojjw.exe
[2010/01/18 21:48:05 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/15 16:14:53 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/01/13 07:38:10 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/12 01:23:07 | 00,016,896 | ---- | M] () -- C:\Documents and Settings\robert davies\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/11 02:02:28 | 00,002,828 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010/01/11 01:47:38 | 00,000,088 | RHS- | M] () -- C:\Documents and Settings\All Users\Application Data\4CE13CD8B1.sys
[2010/01/10 21:25:23 | 00,000,495 | ---- | M] () -- C:\Documents and Settings\robert davies\Desktop\MY STUFF.lnk
[2010/01/10 07:03:51 | 00,321,928 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/01/08 22:24:54 | 33,379,0888 | ---- | M] (Macrovision Corporation) -- C:\Documents and Settings\robert davies\My Documents\PSPP12_Corel_TBYB_EN_IE_FR_DE_ES_IT_NL_ESD.exe
[2010/01/08 21:50:42 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/08 21:37:22 | 00,086,296 | ---- | M] () -- C:\Documents and Settings\robert davies\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/06 22:02:46 | 00,000,730 | ---- | M] () -- C:\Documents and Settings\robert davies\Desktop\mp3DirectCut.lnk
[2009/12/28 02:37:57 | 00,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2009/12/28 02:15:56 | 00,250,048 | RHS- | M] () -- C:\ntldr
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/24 22:10:00 | 00,000,491 | ---- | C] () -- C:\Documents and Settings\robert davies\Desktop\Shortcut to HiJackThis.lnk
[2010/01/23 15:05:30 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/23 00:55:26 | 00,263,168 | ---- | C] () -- C:\Documents and Settings\robert davies\Desktop\rkill.com
[2010/01/23 00:39:12 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\23512.exe
[2010/01/23 00:19:12 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\1878.exe
[2010/01/22 23:59:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\3308.exe
[2010/01/22 23:39:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\6481.exe
[2010/01/22 23:19:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\5453.exe
[2010/01/22 22:59:10 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\4764.exe
[2010/01/22 22:39:10 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\2644.exe
[2010/01/22 22:19:10 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\21415.exe
[2010/01/22 21:59:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\7624.exe
[2010/01/22 21:39:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\8562.exe
[2010/01/22 21:19:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\6064.exe
[2010/01/22 20:58:59 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\11794.exe
[2010/01/22 20:38:58 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\9896.exe
[2010/01/22 20:27:18 | 00,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/01/22 20:22:43 | 30,909,992 | ---- | C] () -- C:\Documents and Settings\robert davies\Desktop\avira_antivir_personal_en.exe
[2010/01/22 20:18:53 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\17865.exe
[2010/01/22 20:14:08 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\robert davies\Desktop\settings.dat
[2010/01/22 20:11:29 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\robert davies\Desktop\dds.scr
[2010/01/22 14:46:58 | 00,135,168 | ---- | C] () -- C:\ojjw.exe
[2010/01/10 21:25:23 | 00,000,495 | ---- | C] () -- C:\Documents and Settings\robert davies\Desktop\MY STUFF.lnk
[2010/01/08 23:46:04 | 00,002,828 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010/01/08 23:46:04 | 00,000,088 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\4CE13CD8B1.sys
[2010/01/06 22:02:46 | 00,000,730 | ---- | C] () -- C:\Documents and Settings\robert davies\Desktop\mp3DirectCut.lnk
[2009/12/27 20:18:25 | 00,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/12/16 22:27:54 | 00,001,041 | ---- | C] () -- C:\Documents and Settings\robert davies\Application Data\vso_ts_preview.xml
[2009/12/16 22:27:09 | 00,000,034 | ---- | C] () -- C:\Documents and Settings\robert davies\Application Data\pcouffin.log
[2009/12/16 22:26:50 | 00,087,608 | ---- | C] () -- C:\Documents and Settings\robert davies\Application Data\inst.exe
[2009/12/16 22:26:50 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\robert davies\Application Data\pcouffin.cat
[2009/12/16 22:26:50 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\robert davies\Application Data\pcouffin.inf
[2009/10/31 17:45:13 | 00,002,528 | ---- | C] () -- C:\Documents and Settings\robert davies\Application Data\$_hpcst$.hpc
[2008/06/09 17:57:28 | 00,016,896 | ---- | C] () -- C:\Documents and Settings\robert davies\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/04/12 12:40:38 | 00,000,137 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\fusioncache.dat
[2007/07/08 20:43:43 | 00,000,015 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameD.txt
[2007/05/27 10:36:26 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/05/24 02:13:01 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2007/05/24 02:13:01 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2007/05/24 02:13:01 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2007/05/24 02:13:00 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2007/05/24 02:13:00 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2007/05/24 02:13:00 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2007/05/24 02:11:48 | 00,000,138 | ---- | C] () -- C:\Documents and Settings\robert davies\Local Settings\Application Data\fusioncache.dat
[2007/05/24 02:11:48 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\robert davies\Local Settings\Application Data\QSwitch.txt
[2007/05/24 02:11:48 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\robert davies\Local Settings\Application Data\DSwitch.txt
[2007/05/24 02:11:48 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\robert davies\Local Settings\Application Data\AtStart.txt
[2007/01/27 00:42:14 | 00,000,313 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/01/27 00:40:54 | 00,028,510 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/08/17 09:11:32 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/07 08:16:44 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/07 08:10:08 | 00,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/03 19:59:44 | 00,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2010/01/22 14:46:58 | 00,135,168 | ---- | M] () -- C:\ojjw.exe


< MD5 for: AGP440.SYS >
[2004/08/04 08:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2004/08/04 03:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/12/28 02:12:34 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/12/28 02:12:34 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 08:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
[2004/08/04 03:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/12/28 02:12:34 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/12/28 02:12:34 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2010/01/23 14:25:40 | 00,096,512 | ---- | M] () MD5=1515855F67B8FD9044FEA8BC6D45012A -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2009/11/28 05:05:03 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2009/11/28 05:05:03 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\erdnt\cache\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 03:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2004/08/04 03:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\erdnt\cache\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 13:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2009/02/06 13:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\erdnt\cache\netlogon.dll
[2004/08/04 03:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtUninstallKB968389_0$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 03:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2004/08/04 03:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\erdnt\cache\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
< End of report >


OTL Extras logfile created on: 1/25/2010 10:41:54 AM - Run 1
OTL by OldTimer - Version 3.1.26.0 Folder = C:\Documents and Settings\robert davies\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 103.00 Mb Available Physical Memory | 20.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 51.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 50.48 Gb Total Space | 23.77 Gb Free Space | 47.09% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 5.41 Gb Total Space | 5.15 Gb Free Space | 95.30% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-4105E587B6
Current User Name: robert davies
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Documents and Settings\robert davies\My Documents\00 - MY STUFF\iSproggler-1.2.0-bin\iSproggler.exe" = C:\Documents and Settings\robert davies\My Documents\00 - MY STUFF\iSproggler-1.2.0-bin\iSproggler.exe:*:Enabled:iSproggler -- ()
"C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe" = C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe:*:Enabled:hpqwmiex -- (Hewlett-Packard Development Company, L.P.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic Data Module
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{1248C09A-BD6B-47F5-BF3F-CD2B700D9FCB}" = ccCommon
"{12E2B9E9-05B1-407d-B0FD-B5F350535125}" = Norton Internet Security
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}" = SymNet
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.10 A2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F9F7336-6DF8-476F-ABF6-C70A17FAF619}" = HP Backup and Recovery Manager Installer
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant 2.00 G2
"{5677563D-0CB1-485F-9E18-C5025306BB3F}" = Norton AntiSpam
"{5D97A4A7-C274-4B63-86D9-07A33435F505}" = InterVideo DVD Check
"{644F9DBE-CEDB-45AF-ACB8-E26692B74F62}" = Easy CD & DVD Creator 6
"{64E72FB1-2343-4977-B4A8-262CD53D0BD3}" = Corel Paint Shop Pro Photo X2
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{82A5BF38-8461-4A5C-B2C9-24F5256D92A6}" = Norton Protection Center
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver for Mobile
"{90300409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Media Content
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{91190409-6000-11D3-8CFE-0050048383C9}" = Microsoft Publisher 2002
"{929AB598-BB08-4875-B8D2-952C151D6E47}" = HP User Guides 0038
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{A93C9E60-29B6-49da-BA21-F70AC6AADE20}" = Norton Internet Security
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic Audio Module
"{AC76BA86-7AD7-1033-7B44-A70500000002}" = Adobe Reader 7.0.5
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic Copy Module
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7C61755-DB48-4003-948F-3D34DB8EAF69}" = MSRedist
"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}" = HP Software Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1" = ConvertXtoDVD 4.0.9.322
"{E0DBC47C-ED3F-4A1B-A929-9A26DAAA14B3}" = Application Installer 4.00.B5
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"8461-7759-5462-8226" = Vuze
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Ant Movie Catalog_is1" = Ant Movie Catalog
"Audacity_is1" = Audacity 1.2.6
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner (remove only)
"CNXT_AUDIO" = Conexant AC-Link Audio
"CNXT_MODEM_PCI_VEN_8086&DEV_266D&SUBSYS_30C4103C" = Soft Data Fax Modem with SmartCP
"Collectorz.com Music Collector" = Collectorz.com Music Collector
"DVD Audio Extractor_is1" = DVD Audio Extractor 4.5.5
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"HijackThis" = HijackThis 2.0.2
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"LiveUpdate" = LiveUpdate 2.7 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0.17)" = Mozilla Firefox (3.0.17)
"PROSet" = Intel® PRO Network Connections Drivers
"RegAce_mp1" = RegAce V1.2
"SymSetup.{A93C9E60-29B6-49da-BA21-F70AC6AADE20}" = Norton Internet Security 2006 (Symantec Corporation)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"VLC media player" = VLC media player 1.0.0
"WGA" = Windows Genuine Advantage Validation Tool
"Winamp" = Winamp
"Windows Media Connect" = Windows Media Connect
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows Mobile Device Handbook" = Windows Mobile® Device Handbook
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! SiteBuilder" = Yahoo! SiteBuilder
"Yahoo! Toolbar" = Yahoo! Toolbar
"YInstHelper" = Yahoo! Install Manager

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2533584975-652044822-2608800130-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Winamp Detect" = Winamp Application Detect

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/8/2010 7:13:15 PM | Computer Name = YOUR-4105E587B6 | Source = MsiInstaller | ID = 11305
Description = Product: Microsoft Picture It! Photo 2001 -- Error 1305.Error reading
from file: D:\PIP\PIP2001\DswMedia\anim\startPI.dcr. Verify that the file exists
and that you can access it.

Error - 1/8/2010 9:18:08 PM | Computer Name = YOUR-4105E587B6 | Source = MsiInstaller | ID = 11305
Description = Product: Microsoft Picture It! Photo 2001 -- Error 1305.Error reading
from file: D:\PIP\PIP2001\DswMedia\anim\startPI.dcr. Verify that the file exists
and that you can access it.

Error - 1/10/2010 9:51:06 PM | Computer Name = YOUR-4105E587B6 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3642, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/10/2010 9:51:07 PM | Computer Name = YOUR-4105E587B6 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3642, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/10/2010 9:51:21 PM | Computer Name = YOUR-4105E587B6 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3642, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/12/2010 12:44:37 PM | Computer Name = YOUR-4105E587B6 | Source = Application Error | ID = 1000
Description = Faulting application roxupd~1.exe, version 6.2.0.130, faulting module
softwareupdater.dll, version 6.2.0.130, fault address 0x0000a6e1.

Error - 1/15/2010 11:08:58 AM | Computer Name = YOUR-4105E587B6 | Source = Application Hang | ID = 1002
Description = Hanging application explorer.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/21/2010 11:11:38 AM | Computer Name = YOUR-4105E587B6 | Source = Application Hang | ID = 1002
Description = Hanging application audacity.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/22/2010 9:24:19 PM | Computer Name = YOUR-4105E587B6 | Source = Application Hang | ID = 1002
Description = Hanging application RootRepeal.exe, version 1.3.5.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/22/2010 9:24:19 PM | Computer Name = YOUR-4105E587B6 | Source = Application Hang | ID = 1002
Description = Hanging application RootRepeal.exe, version 1.3.5.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 1/24/2010 8:41:38 PM | Computer Name = YOUR-4105E587B6 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Symantec Network Drivers
Service service to connect.

Error - 1/24/2010 9:03:40 PM | Computer Name = YOUR-4105E587B6 | Source = Service Control Manager | ID = 7034
Description = The Protexis Licensing V2 service terminated unexpectedly. It has
done this 1 time(s).

Error - 1/24/2010 10:05:06 PM | Computer Name = YOUR-4105E587B6 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 1/24/2010 10:05:06 PM | Computer Name = YOUR-4105E587B6 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/24/2010 10:05:06 PM | Computer Name = YOUR-4105E587B6 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/24/2010 10:05:17 PM | Computer Name = YOUR-4105E587B6 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AliIde IntelIde ViaIde

Error - 1/24/2010 10:07:37 PM | Computer Name = YOUR-4105E587B6 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Symantec Network Drivers
Service service to connect.

Error - 1/24/2010 10:13:00 PM | Computer Name = YOUR-4105E587B6 | Source = Service Control Manager | ID = 7034
Description = The Protexis Licensing V2 service terminated unexpectedly. It has
done this 1 time(s).

Error - 1/24/2010 10:57:55 PM | Computer Name = YOUR-4105E587B6 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/24/2010 10:57:55 PM | Computer Name = YOUR-4105E587B6 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.


< End of report >
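Two things in the OTL output above are worth pulling out mechanically rather than by eye: the live C:\WINDOWS\system32\drivers\atapi.sys has no company name and an MD5 that does not match the SP3 copy in ServicePackFiles\i386 (the copy under $NtServicePackUninstall$ is the older pre-SP3 build, so a difference there is expected), and the zero-byte numeric .exe files under System32 were created at almost exactly 20-minute intervals. The script below is an added example written for this thread, not code from OTL, ComboFix or anyone in the thread: it parses OTL-style file lines and runs both checks. The sample lines are a subset copied from the log above; treating ServicePackFiles\i386 as the known-good reference is an assumption that holds for an XP SP3 install, and the function and constant names are the example's own.

```python
r"""Two triage checks over OTL-style log lines (added example for this thread;
not part of OTL, ComboFix or the posts above).  SAMPLE_LINES are a subset of
the OTL output posted above.  Treating C:\WINDOWS\ServicePackFiles\i386 as
the known-good reference copy is an assumption valid for XP SP3."""
import re
import statistics
from datetime import datetime

# One OTL file entry: [date time | size | attrs | M/C] (company) [MD5=..|.cab file] -- path
FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>\S{4}) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\)"
    r"(?: \.cab file| MD5=(?P<md5>[0-9A-Fa-f]{32}))? -- (?P<path>.+)$"
)
REFERENCE_DIR = "\\servicepackfiles\\i386\\"   # assumed known-good SP3 copies
LIVE_DIR = "c:\\windows\\system32\\"
NUMERIC_EXE = re.compile(r"^\d+\.exe$")

def parse_line(line):
    """Return a dict for an OTL file entry, or None for any other log line."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S")
    # OTL groups the digits of 9-digit sizes oddly ("33,379,0888");
    # dropping the commas recovers the integer in every case.
    d["size"] = int(d["size"].replace(",", ""))
    d["company"] = d["company"].strip()
    d["path"] = d["path"].strip()
    d["name"] = d["path"].rsplit("\\", 1)[-1].lower()
    return d

def parse_lines(lines):
    return [e for e in map(parse_line, lines) if e]

def find_hash_mismatches(entries):
    """Live system32 files whose MD5 differs from the ServicePackFiles copy or
    which carry no company name.  Returns {name: (live_md5, ref_md5, company)}."""
    ref, live = {}, {}
    for e in entries:
        if not e["md5"]:
            continue
        p = e["path"].lower()
        if REFERENCE_DIR in p:
            ref[e["name"]] = e["md5"].upper()
        elif p.startswith(LIVE_DIR):
            live[e["name"]] = e
    suspects = {}
    for name, e in live.items():
        r = ref.get(name)
        if r is not None and (e["md5"].upper() != r or not e["company"]):
            suspects[name] = (e["md5"].upper(), r, e["company"])
    return suspects

def find_periodic_droppers(entries, directory=LIVE_DIR):
    """Zero-byte, purely numeric *.exe created in `directory`, in creation
    order, with the spacing between them.  A tight, regular cadence is a
    running process or scheduler writing files, not a user action."""
    hits = sorted(
        (e for e in entries
         if e["kind"] == "C" and e["size"] == 0 and NUMERIC_EXE.match(e["name"])
         and e["path"].lower().rsplit("\\", 1)[0] + "\\" == directory),
        key=lambda e: e["ts"],
    )
    gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(hits, hits[1:])]
    return {
        "count": len(hits),
        "names": [e["name"] for e in hits],
        "median_gap_s": statistics.median(gaps) if gaps else None,
        "max_jitter_s": max(gaps) - min(gaps) if gaps else None,
    }

# Copied from the OTL log posted above (subset).
SAMPLE_LINES = r"""
[2010/01/22 21:59:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\7624.exe
[2010/01/22 21:39:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\8562.exe
[2010/01/22 21:19:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\6064.exe
[2010/01/22 20:58:59 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\11794.exe
[2010/01/22 20:38:58 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\9896.exe
[2010/01/22 20:18:53 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\17865.exe
[2010/01/22 20:14:08 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\robert davies\Desktop\settings.dat
[2010/01/22 14:46:58 | 00,135,168 | ---- | C] () -- C:\ojjw.exe
[2010/01/23 14:25:40 | 00,096,512 | ---- | M] () MD5=1515855F67B8FD9044FEA8BC6D45012A -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2009/11/28 05:05:03 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
""".strip().splitlines()

if __name__ == "__main__":
    entries = parse_lines(SAMPLE_LINES)
    for name, (live, ref, company) in find_hash_mismatches(entries).items():
        print(f"{name}: live MD5 {live} != reference {ref}; company: {company or '(none)'}")
    print(find_periodic_droppers(entries))
```

On the sample, the hash check flags only atapi.sys (netlogon.dll matches its reference), and the dropper check finds six numeric zero-byte executables with a median gap of 1201 seconds and at most 5 seconds of jitter, which is the same 20-minute cadence visible across the full list in the log. A legitimately hotfixed driver can also differ from the ServicePackFiles copy, so a mismatch with an intact "Microsoft Corporation" company name should be checked against the $NtUninstallKB... folders before being treated as tampering; a mismatch with no company name at all, as here, has no benign explanation on an XP system.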


#4 Buckeye_Sam
Malware Expert, Members, 17,382 posts, Pickerington, Ohio

Posted 25 January 2010 - 07:54 PM

The first step I need you to take is remove one of the antivirus programs you have running. You should never run more than one antivirus at a time. They can conflict and cause serious issues. Please remove either Avira or Norton.


Once you have done that, proceed with this next step.


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.


If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 jbooth (Topic Starter)
Members, 11 posts

Posted 25 January 2010 - 09:08 PM

Ok, I uninstalled Norton, then ran combofix.



ComboFix 10-01-25.02 - robert davies 01/25/2010 20:30:11.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.257 [GMT -5:00]
Running from: c:\documents and settings\robert davies\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\robert davies\Application Data\inst.exe
c:\windows\system32\11794.exe
c:\windows\system32\17865.exe
c:\windows\system32\1878.exe
c:\windows\system32\21415.exe
c:\windows\system32\23512.exe
c:\windows\system32\2644.exe
c:\windows\system32\3308.exe
c:\windows\system32\4764.exe
c:\windows\system32\5453.exe
c:\windows\system32\6064.exe
c:\windows\system32\6481.exe
c:\windows\system32\7624.exe
c:\windows\system32\8562.exe
c:\windows\system32\9896.exe
c:\windows\system32\config\systemprofile\Desktop\Internet Security 2010.lnk
c:\windows\system32\config\systemprofile\Start Menu\Internet Security 2010.lnk

c:\windows\system32\DRIVERS\atapi.sys . . . is infected!! . . .Failed to restore. Attempting to replace on reboot

.
((((((((((((((((((((((((( Files Created from 2009-12-26 to 2010-01-26 )))))))))))))))))))))))))))))))
.

2010-01-25 03:07 . 2010-01-25 03:09 -------- d-----w- C:\HJT
2010-01-25 01:01 . 2010-01-25 01:01 -------- d--h--w- c:\windows\PIF
2010-01-24 23:57 . 2010-01-24 23:58 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-01-23 20:05 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-23 20:05 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-23 01:26 . 2010-01-23 20:07 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-23 01:26 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-01-23 01:26 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-01-23 01:26 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-01-23 01:26 . 2010-01-23 01:26 -------- d-----w- c:\program files\Avira
2010-01-23 01:26 . 2010-01-23 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-01-22 20:32 . 2010-01-22 20:32 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2010-01-22 19:46 . 2010-01-22 19:46 135168 ----a-w- C:\ojjw.exe
2010-01-20 19:40 . 2010-01-20 20:52 -------- d-----w- c:\documents and settings\robert davies\Application Data\iSproggler
2010-01-20 17:18 . 2010-01-23 22:28 -------- d-----w- c:\documents and settings\robert davies\Local Settings\Application Data\Last.fm
2010-01-12 19:25 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-10 08:00 . 2010-01-10 08:00 -------- d-----w- c:\program files\MSXML 4.0
2010-01-09 04:47 . 2010-01-11 07:04 -------- d-----w- c:\documents and settings\robert davies\Local Settings\Application Data\Corel
2010-01-09 03:45 . 2010-01-09 04:46 -------- d-----w- c:\documents and settings\robert davies\Application Data\Corel
2010-01-09 03:41 . 2010-01-09 03:41 -------- d-----w- c:\program files\Common Files\Protexis
2010-01-09 03:41 . 2010-01-09 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2010-01-09 03:41 . 2010-01-09 03:43 -------- d-----w- c:\program files\Common Files\Corel
2010-01-09 03:30 . 2010-01-09 03:41 -------- d-----w- c:\program files\Corel
2010-01-09 03:29 . 2010-01-09 03:29 -------- d-----w- c:\documents and settings\robert davies\Application Data\InstallShield
2010-01-09 02:34 . 2010-01-09 02:56 -------- d-----w- c:\program files\Microsoft Digital Image 10
2010-01-09 01:10 . 2010-01-09 01:18 -------- d-----w- c:\program files\Microsoft Picture It! PhotoPub
2010-01-07 03:02 . 2010-01-07 03:09 -------- d-----w- c:\program files\mp3DirectCut
2010-01-07 02:55 . 2010-01-07 02:58 -------- d-----w- C:\Temp
2010-01-07 02:50 . 2010-01-07 02:50 -------- d-----w- c:\program files\Lame for Audacity
2010-01-06 19:33 . 2010-01-06 19:33 -------- d-----w- c:\program files\Audacity
2009-12-28 22:28 . 2009-08-13 15:16 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2009-12-28 20:03 . 2006-11-29 18:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-12-28 20:03 . 2006-09-28 21:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-12-28 20:03 . 2009-12-28 20:03 -------- d-----w- c:\windows\Logs
2009-12-28 20:03 . 2009-12-28 20:03 -------- d-----w- c:\program files\Winamp Detect
2009-12-28 20:02 . 2009-04-28 20:20 129520 ------w- c:\windows\system32\pxafs.dll
2009-12-28 20:02 . 2009-12-28 20:07 -------- d-----w- c:\documents and settings\robert davies\Application Data\Winamp
2009-12-28 20:02 . 2009-12-28 20:03 -------- d-----w- c:\program files\Winamp
2009-12-28 07:20 . 2009-12-28 07:20 -------- d-----w- c:\windows\system32\scripting
2009-12-28 07:20 . 2009-12-28 07:20 -------- d-----w- c:\windows\l2schemas
2009-12-28 07:20 . 2009-12-28 07:20 -------- d-----w- c:\windows\system32\en
2009-12-28 07:20 . 2009-12-28 07:20 -------- d-----w- c:\windows\system32\bits
2009-12-28 07:12 . 2009-12-28 07:12 -------- d-----w- c:\windows\EHome
2009-12-28 01:17 . 2009-12-28 01:17 -------- d-----w- c:\program files\iPod
2009-12-28 01:17 . 2010-01-20 17:19 -------- d-----w- c:\program files\iTunes
2009-12-28 01:17 . 2009-12-28 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-28 01:15 . 2009-12-28 01:15 -------- d-----w- c:\program files\Bonjour
2009-12-28 01:14 . 2009-12-28 01:14 -------- d-----w- c:\program files\QuickTime
2009-12-28 01:07 . 2009-05-18 19:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-28 01:07 . 2008-04-17 18:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-28 01:05 . 2009-12-28 01:18 -------- dc----w- c:\windows\system32\DRVSTORE
2009-12-28 00:59 . 2009-12-28 01:01 -------- d-----w- c:\documents and settings\default
2009-12-28 00:54 . 2009-12-28 00:54 -------- d-----w- c:\documents and settings\robert davies\Local Settings\Application Data\Collectorz.com
2009-12-28 00:53 . 2009-12-28 00:53 -------- d-----w- c:\program files\Xilisoft
2009-12-28 00:53 . 2010-01-07 13:06 -------- d-----w- c:\program files\MP3Gain
2009-12-28 00:30 . 2009-12-28 00:47 -------- d-----w- c:\program files\Ant Movie Catalog

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 01:27 . 2004-08-04 00:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-26 01:17 . 2007-01-27 05:47 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-26 01:15 . 2007-01-27 05:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-25 02:12 . 2009-09-27 12:27 117760 ----a-w- c:\documents and settings\robert davies\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-23 20:49 . 2010-01-23 20:49 52224 ----a-w- c:\documents and settings\robert davies\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-23 20:05 . 2008-09-13 17:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-23 20:05 . 2010-01-23 20:05 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-22 21:20 . 2009-03-01 14:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-22 19:47 . 2008-06-21 01:02 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-11 07:02 . 2010-01-09 04:46 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-11 07:02 . 2010-01-09 04:46 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-11 06:47 . 2010-01-09 04:46 88 --sh--r- c:\documents and settings\All Users\Application Data\4CE13CD8B1.sys
2010-01-11 06:47 . 2010-01-09 04:46 88 --sh--r- c:\documents and settings\All Users\Application Data\4CE13CD8B1.sys
2010-01-10 12:27 . 2009-07-10 03:34 -------- d-----w- c:\documents and settings\robert davies\Application Data\vlc
2010-01-09 02:37 . 2007-10-27 03:08 86296 ----a-w- c:\documents and settings\robert davies\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-28 01:25 . 2009-01-04 15:51 -------- d-----w- c:\documents and settings\robert davies\Application Data\Apple Computer
2009-12-28 01:19 . 2009-12-13 07:07 -------- d-----w- c:\documents and settings\robert davies\Application Data\Azureus
2009-12-28 01:17 . 2009-01-04 15:47 -------- d-----w- c:\program files\Common Files\Apple
2009-12-28 01:10 . 2009-12-28 01:10 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-28 01:06 . 2009-01-08 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-17 03:42 . 2009-12-17 03:26 -------- d-----w- c:\documents and settings\robert davies\Application Data\Vso
2009-12-17 03:26 . 2009-12-17 03:26 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-12-17 03:26 . 2009-12-17 03:26 47360 ----a-w- c:\documents and settings\robert davies\Application Data\pcouffin.sys
2009-12-17 03:26 . 2009-12-17 03:26 47360 ----a-w- c:\documents and settings\robert davies\Application Data\pcouffin.sys
2009-12-17 03:26 . 2009-12-17 03:26 -------- d-----w- c:\program files\VSO
2009-12-17 02:12 . 2009-12-17 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-12-17 02:03 . 2009-12-17 02:02 -------- d-----w- c:\program files\DVD Decrypter
2009-12-17 01:58 . 2009-12-17 01:58 -------- d-----w- c:\program files\DVD Shrink
2009-12-13 07:07 . 2009-12-13 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-12-13 07:07 . 2009-12-13 07:06 -------- d-----w- c:\program files\Vuze
2009-12-13 03:44 . 2009-12-13 03:44 -------- d-----w- c:\program files\DVD Audio Extractor
2009-12-01 08:33 . 2009-12-01 08:14 -------- d-----w- c:\program files\RegAce
2009-12-01 08:15 . 2009-12-01 08:15 -------- d-----w- c:\documents and settings\All Users\Application Data\RegAce
2009-11-29 08:06 . 2007-10-27 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-29 07:39 . 2007-10-27 16:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-29 05:38 . 2004-08-04 08:00 667136 ----a-w- c:\windows\system32\wininet.dll
.

------- Sigcheck -------

[-] 2010-01-26 01:27 . 1515855F67B8FD9044FEA8BC6D45012A . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2009-11-28 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2009-11-28 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-22 2002160]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-19 114688]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-04-06 122940]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 794713]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 40960]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-10 806912]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-10-21 868352]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-12-21 39424]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2009-01-21 16712]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-5-24 184320]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\robert davies\\My Documents\\00 - MY STUFF\\iSproggler-1.2.0-bin\\iSproggler.exe"=
"c:\\Program Files\\Hewlett-Packard\\Shared\\hpqwmiex.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 10:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 10:42 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/22/2010 8:26 PM 108289]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 10:42 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-01-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\robert davies\Application Data\Mozilla\Firefox\Profiles\1yzvyzpz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.netflix.com/MemberHome
FF - plugin: c:\documents and settings\robert davies\Application Data\Mozilla\Firefox\Profiles\1yzvyzpz.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{50c81fb8-55e6-4a13-b760-9c7c0225e97c} - (no file)
SSODL-jogiyejek-{50c81fb8-55e6-4a13-b760-9c7c0225e97c} - (no file)
AddRemove-HijackThis - c:\documents and settings\robert davies\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-25 20:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???????????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82CA2856]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf86a5f28
\Driver\ACPI -> ACPI.sys @ 0xf8518cb8
\Driver\atapi -> atapi.sys @ 0xf84b2852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf83a8bb0
PacketIndicateHandler -> NDIS.sys @ 0xf8397a0d
SendHandler -> NDIS.sys @ 0xf83abb40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\progra~1\hpq\Shared\HPQTOA~1.EXE
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-25 20:57:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-26 01:57
ComboFix2.txt 2009-12-01 08:03
ComboFix3.txt 2007-11-06 00:43

Pre-Run: 25,642,020,864 bytes free
Post-Run: 25,824,284,672 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - EDBF715F6E84A8EE1BFA2BD33FA545D7
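The Sigcheck block in the log above is the part worth reading closely: the live c:\windows\system32\drivers\atapi.sys has the same length (96512 bytes) as the SP3 copy in ServicePackFiles\i386 but a different MD5 and no version string, while the cached copies all agree with each other. Same size, different bytes is the signature of a driver patched in place rather than replaced, which is why ComboFix flagged it and why a plain size or timestamp check would have missed it. As an added example (not part of the thread and not ComboFix's own code), the Python below parses those four Sigcheck lines and reaches the same verdict. The field layout is inferred from the lines shown, and the rule that the copy under system32\drivers is the live one and everything else is a reference copy is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# The four Sigcheck lines from the ComboFix log above, used here as input data.
SIGCHECK_LINES = r"""
[-] 2010-01-26 01:27 . 1515855F67B8FD9044FEA8BC6D45012A . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2009-11-28 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2009-11-28 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
"""

# Field layout inferred from the lines above (an assumption, not a documented format):
#   [flag] date . MD5 . size . . [version] . . path
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>.+?) \. (?P<md5>[0-9A-Fa-f]{32}) \. "
    r"(?P<size>\d+) \. \. \[(?P<version>[^\]]*)\] \. \. (?P<path>.+?)\s*$"
)


@dataclass(frozen=True)
class SigEntry:
    flag: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def is_live(self) -> bool:
        # Assumption: the copy the kernel loads is the one under system32\drivers;
        # every other path Sigcheck lists is a cached reference copy.
        return "\\system32\\drivers\\" in self.path.lower()


def parse_sigcheck(text: str) -> List[SigEntry]:
    """Turn Sigcheck report lines into entries; lines that do not fit are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(SigEntry(m["flag"], m["md5"].upper(), int(m["size"]),
                                    m["version"], m["path"]))
    return entries


def assess(entries: List[SigEntry]) -> Dict[str, dict]:
    """For each driver name, compare the live copy against its reference copies.

    clean   - live MD5 equals a reference copy
    patched - no MD5 match, but a reference copy has exactly the same size
              (bytes changed in place, length preserved)
    unknown - neither hash nor size matches anything we have
    """
    by_name: Dict[str, List[SigEntry]] = {}
    for e in entries:
        by_name.setdefault(e.name, []).append(e)

    verdicts: Dict[str, dict] = {}
    for name, group in by_name.items():
        live = [e for e in group if e.is_live]
        refs = [e for e in group if not e.is_live]
        if not live:
            continue
        cur = live[0]
        hash_match = [r for r in refs if r.md5 == cur.md5]
        size_match = [r for r in refs if r.size == cur.size]
        if hash_match:
            verdict = "clean"
        elif size_match:
            verdict = "patched"
        else:
            verdict = "unknown"
        verdicts[name] = {
            "verdict": verdict,
            "live_md5": cur.md5,
            "live_version": cur.version,
            # reference copies that could be used to put the file back
            "candidates": [r.path for r in size_match],
        }
    return verdicts


if __name__ == "__main__":
    for name, info in assess(parse_sigcheck(SIGCHECK_LINES)).items():
        print(name, info["verdict"], info["live_md5"], info["candidates"])
```

The verdict for atapi.sys comes out as "patched", with the ServicePackFiles\i386 copy as the only same-size candidate, which is exactly the copy the helper's CFScript selects for FCopy:: in the next reply. The two 95360-byte copies are a different build (5.1.2600.2180) and are not a size match, so the script does not offer them.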


#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 26 January 2010 - 07:56 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save As... / Save as type: 'All Files' / File name: CFScript, and save it to your desktop.

CODE
FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys

File::
c:\documents and settings\All Users\Application Data\4CE13CD8B1.sys
C:\ojjw.exe

Prior to running ComboFix.exe you should disable your antivirus program.

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.


================



Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

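The FCopy:: directive above tells ComboFix to overwrite the live atapi.sys with the SP3 copy from ServicePackFiles\i386. Whatever tool does the copy, the two checks a practitioner wants around it are the ones Sigcheck already performs: hash the reference before trusting it (a cached copy can be tampered with too) and hash the target again afterwards, because a rootkit that hooks the disk stack can make a write appear to succeed while the on-disk bytes never change. As an added example, not ComboFix's code and not part of the thread, the Python below performs such a verified restore. It runs on constructed files in a temporary directory; the "blocked write" case is simulated by injecting a copy function that does nothing, standing in for whatever silently defeats the write on an infected machine.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Callable, Dict


def md5_of(path: str) -> str:
    """Upper-case hex MD5 of a file, matching the case ComboFix's Sigcheck prints."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def restore_driver(target: str, reference: str, expected_md5: str,
                   copy: Callable[[str, str], object] = shutil.copy2) -> str:
    """Replace `target` with `reference`, the way FCopy:: does, but verified.

    Returns:
      'bad-reference'  - the reference copy does not hash to the value we expect,
                         so nothing is copied
      'restore-failed' - the copy ran but the target still does not hash correctly
      'restored'       - target now matches expected_md5
    """
    expected = expected_md5.upper()
    if md5_of(reference) != expected:
        return "bad-reference"          # never copy a file you have not verified
    shutil.copy2(target, target + ".bak")   # keep the suspect copy for analysis
    copy(reference, target)
    if md5_of(target) != expected:
        return "restore-failed"         # the write did not take; re-check the disk stack
    return "restored"


def demo() -> Dict[str, object]:
    """Exercise all three outcomes on constructed files (no real drivers touched)."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "ServicePackFiles_atapi.sys")
        tampered_ref = os.path.join(tmp, "cache_atapi.sys")
        target = os.path.join(tmp, "atapi.sys")

        # Constructed stand-ins: the "clean" build and an in-place patch of it
        # with the same length, mirroring the same-size/different-hash finding.
        clean_bytes = b"MZ" + b"\x00" * 94 + b"clean-driver"
        patched_bytes = clean_bytes.replace(b"clean", b"hook!")
        assert len(clean_bytes) == len(patched_bytes)

        with open(good, "wb") as f:
            f.write(clean_bytes)
        with open(tampered_ref, "wb") as f:
            f.write(patched_bytes)
        expected = md5_of(good)

        # 1. reference copy itself is tampered: refuse to copy
        with open(target, "wb") as f:
            f.write(patched_bytes)
        results["tampered_reference"] = restore_driver(target, tampered_ref, expected)
        results["target_untouched"] = md5_of(target) == md5_of(tampered_ref)

        # 2. good reference: copy succeeds and the re-hash confirms it
        results["good_reference"] = restore_driver(target, good, expected)
        results["target_after"] = md5_of(target) == expected
        results["backup_kept"] = os.path.exists(target + ".bak")

        # 3. the write is silently swallowed: re-hash catches it
        with open(target, "wb") as f:
            f.write(patched_bytes)
        results["blocked_write"] = restore_driver(
            target, good, expected, copy=lambda src, dst: None)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The post-copy hash is the step that matters most here: a restore that reports success but leaves the same MD5 on disk means the machine is still not trustworthy, and the next thing to look at is whatever sits between the copy and the disk, such as the driver hooks the MBR detector listed in the earlier log.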


========================================================

#7 jbooth
  • Topic Starter
  • Members
  • 11 posts

Posted 26 January 2010 - 10:09 AM

I disabled AntiVir before running ComboFix, which needed to reboot almost right away. After rebooting, AntiVir enables automatically, so I did get a few alerts from AntiVir finding suspicious files while ComboFix was running. I chose Ignore, so hopefully it didn't interfere. Here are the logs:

ComboFix 10-01-25.02 - robert davies 01/26/2010 8:35.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.258 [GMT -5:00]
Running from: c:\documents and settings\robert davies\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\robert davies\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"c:\documents and settings\All Users\Application Data\4CE13CD8B1.sys"
"C:\ojjw.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\4CE13CD8B1.sys
C:\ojjw.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\atapi.sys

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-12-26 to 2010-01-26 )))))))))))))))))))))))))))))))
.

2010-01-25 03:07 . 2010-01-25 03:09 -------- d-----w- C:\HJT
2010-01-25 01:01 . 2010-01-25 01:01 -------- d--h--w- c:\windows\PIF
2010-01-23 20:49 . 2010-01-23 20:49 52224 ----a-w- c:\documents and settings\robert davies\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-23 20:05 . 2010-01-23 20:05 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-23 20:05 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-23 20:05 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-23 01:26 . 2010-01-23 20:07 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-23 01:26 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-01-23 01:26 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-01-23 01:26 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-01-23 01:26 . 2010-01-23 01:26 -------- d-----w- c:\program files\Avira
2010-01-23 01:26 . 2010-01-23 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-01-22 20:32 . 2010-01-22 20:32 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2010-01-20 19:40 . 2010-01-20 20:52 -------- d-----w- c:\documents and settings\robert davies\Application Data\iSproggler
2010-01-20 17:18 . 2010-01-23 22:28 -------- d-----w- c:\documents and settings\robert davies\Local Settings\Application Data\Last.fm
2010-01-12 19:25 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-10 08:00 . 2010-01-10 08:00 -------- d-----w- c:\program files\MSXML 4.0
2010-01-09 04:47 . 2010-01-11 07:04 -------- d-----w- c:\documents and settings\robert davies\Local Settings\Application Data\Corel
2010-01-09 04:46 . 2010-01-11 07:02 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-09 03:45 . 2010-01-09 04:46 -------- d-----w- c:\documents and settings\robert davies\Application Data\Corel
2010-01-09 03:41 . 2010-01-09 03:41 -------- d-----w- c:\program files\Common Files\Protexis
2010-01-09 03:41 . 2010-01-09 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2010-01-09 03:41 . 2010-01-09 03:43 -------- d-----w- c:\program files\Common Files\Corel
2010-01-09 03:30 . 2010-01-09 03:41 -------- d-----w- c:\program files\Corel
2010-01-09 03:29 . 2010-01-09 03:29 -------- d-----w- c:\documents and settings\robert davies\Application Data\InstallShield
2010-01-09 02:34 . 2010-01-09 02:56 -------- d-----w- c:\program files\Microsoft Digital Image 10
2010-01-09 01:10 . 2010-01-09 01:18 -------- d-----w- c:\program files\Microsoft Picture It! PhotoPub
2010-01-07 03:02 . 2010-01-07 03:09 -------- d-----w- c:\program files\mp3DirectCut
2010-01-07 02:55 . 2010-01-07 02:58 -------- d-----w- C:\Temp
2010-01-07 02:50 . 2010-01-07 02:50 -------- d-----w- c:\program files\Lame for Audacity
2010-01-06 19:33 . 2010-01-06 19:33 -------- d-----w- c:\program files\Audacity
2009-12-28 22:28 . 2009-08-13 15:16 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2009-12-28 20:03 . 2006-11-29 18:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-12-28 20:03 . 2006-09-28 21:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-12-28 20:03 . 2009-12-28 20:03 -------- d-----w- c:\windows\Logs
2009-12-28 20:03 . 2009-12-28 20:03 -------- d-----w- c:\program files\Winamp Detect
2009-12-28 20:02 . 2009-04-28 20:20 129520 ------w- c:\windows\system32\pxafs.dll
2009-12-28 20:02 . 2009-12-28 20:07 -------- d-----w- c:\documents and settings\robert davies\Application Data\Winamp
2009-12-28 20:02 . 2009-12-28 20:03 -------- d-----w- c:\program files\Winamp
2009-12-28 07:20 . 2009-12-28 07:20 -------- d-----w- c:\windows\system32\scripting
2009-12-28 07:20 . 2009-12-28 07:20 -------- d-----w- c:\windows\l2schemas
2009-12-28 07:20 . 2009-12-28 07:20 -------- d-----w- c:\windows\system32\en
2009-12-28 07:20 . 2009-12-28 07:20 -------- d-----w- c:\windows\system32\bits
2009-12-28 07:12 . 2009-12-28 07:12 -------- d-----w- c:\windows\EHome
2009-12-28 01:17 . 2009-12-28 01:17 -------- d-----w- c:\program files\iPod
2009-12-28 01:17 . 2010-01-20 17:19 -------- d-----w- c:\program files\iTunes
2009-12-28 01:17 . 2009-12-28 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-28 01:15 . 2009-12-28 01:15 -------- d-----w- c:\program files\Bonjour
2009-12-28 01:14 . 2009-12-28 01:14 -------- d-----w- c:\program files\QuickTime
2009-12-28 01:10 . 2009-12-28 01:10 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-28 01:07 . 2009-05-18 19:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-28 01:07 . 2008-04-17 18:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-28 01:05 . 2009-12-28 01:18 -------- dc----w- c:\windows\system32\DRVSTORE
2009-12-28 00:59 . 2009-12-28 01:01 -------- d-----w- c:\documents and settings\default
2009-12-28 00:54 . 2009-12-28 00:54 -------- d-----w- c:\documents and settings\robert davies\Local Settings\Application Data\Collectorz.com
2009-12-28 00:53 . 2009-12-28 00:53 -------- d-----w- c:\program files\Xilisoft
2009-12-28 00:53 . 2010-01-07 13:06 -------- d-----w- c:\program files\MP3Gain
2009-12-28 00:30 . 2009-12-28 00:47 -------- d-----w- c:\program files\Ant Movie Catalog

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 13:44 . 2004-08-04 00:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-26 01:17 . 2007-01-27 05:47 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-26 01:15 . 2007-01-27 05:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-25 02:12 . 2009-09-27 12:27 117760 ----a-w- c:\documents and settings\robert davies\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-23 20:05 . 2008-09-13 17:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-22 21:20 . 2009-03-01 14:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-22 19:47 . 2008-06-21 01:02 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-10 12:27 . 2009-07-10 03:34 -------- d-----w- c:\documents and settings\robert davies\Application Data\vlc
2010-01-09 02:37 . 2007-10-27 03:08 86296 ----a-w- c:\documents and settings\robert davies\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-28 07:24 . 2004-08-07 13:10 81983 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-28 01:25 . 2009-01-04 15:51 -------- d-----w- c:\documents and settings\robert davies\Application Data\Apple Computer
2009-12-28 01:19 . 2009-12-13 07:07 -------- d-----w- c:\documents and settings\robert davies\Application Data\Azureus
2009-12-28 01:17 . 2009-01-04 15:47 -------- d-----w- c:\program files\Common Files\Apple
2009-12-28 01:06 . 2009-01-08 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-22 05:21 . 2004-08-04 08:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-17 03:42 . 2009-12-17 03:26 -------- d-----w- c:\documents and settings\robert davies\Application Data\Vso
2009-12-17 03:26 . 2009-12-17 03:26 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-12-17 03:26 . 2009-12-17 03:26 47360 ----a-w- c:\documents and settings\robert davies\Application Data\pcouffin.sys
2009-12-17 03:26 . 2009-12-17 03:26 47360 ----a-w- c:\documents and settings\robert davies\Application Data\pcouffin.sys
2009-12-17 03:26 . 2009-12-17 03:26 -------- d-----w- c:\program files\VSO
2009-12-17 02:12 . 2009-12-17 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-12-17 02:03 . 2009-12-17 02:02 -------- d-----w- c:\program files\DVD Decrypter
2009-12-17 01:58 . 2009-12-17 01:58 -------- d-----w- c:\program files\DVD Shrink
2009-12-13 07:07 . 2009-12-13 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-12-13 07:07 . 2009-12-13 07:06 -------- d-----w- c:\program files\Vuze
2009-12-13 03:44 . 2009-12-13 03:44 -------- d-----w- c:\program files\DVD Audio Extractor
2009-12-01 08:33 . 2009-12-01 08:14 -------- d-----w- c:\program files\RegAce
2009-12-01 08:15 . 2009-12-01 08:15 -------- d-----w- c:\documents and settings\All Users\Application Data\RegAce
2009-11-29 08:06 . 2007-10-27 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-29 07:39 . 2007-10-27 16:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-21 15:51 . 2004-08-04 08:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

------- Sigcheck -------

[-] 2010-01-26 13:44 . 1515855F67B8FD9044FEA8BC6D45012A . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2009-11-28 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2009-11-28 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-22 2002160]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-19 114688]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-04-06 122940]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 794713]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 40960]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-10 806912]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-10-21 868352]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-12-21 39424]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2009-01-21 16712]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-5-24 184320]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\robert davies\\My Documents\\00 - MY STUFF\\iSproggler-1.2.0-bin\\iSproggler.exe"=
"c:\\Program Files\\Hewlett-Packard\\Shared\\hpqwmiex.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 10:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 10:42 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/22/2010 8:26 PM 108289]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 10:42 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\robert davies\Application Data\Mozilla\Firefox\Profiles\1yzvyzpz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.netflix.com/MemberHome
FF - plugin: c:\documents and settings\robert davies\Application Data\Mozilla\Firefox\Profiles\1yzvyzpz.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-26 08:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???????????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82CA2856]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8696f28
\Driver\ACPI -> ACPI.sys @ 0xf8509cb8
\Driver\atapi -> atapi.sys @ 0xf84a3852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf8399bb0
PacketIndicateHandler -> NDIS.sys @ 0xf8388a0d
SendHandler -> NDIS.sys @ 0xf839cb40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\hpq\Shared\HPQTOA~1.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-26 08:57:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-26 13:57
ComboFix2.txt 2010-01-26 01:57
ComboFix3.txt 2009-12-01 08:03
ComboFix4.txt 2007-11-06 00:43

Pre-Run: 25,797,750,784 bytes free
Post-Run: 25,766,268,928 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 1E0BE2CE3843DDB73B3716C109BDCA06


Malwarebytes' Anti-Malware 1.44
Database version: 3640
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

1/26/2010 9:46:47 AM
mbam-log-2010-01-26 (09-46-47).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 190106
Time elapsed: 42 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP382\A0048637.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP383\A0048854.sys (Malware.Trace) -> Quarantined and deleted successfully.



#8 Buckeye_Sam, Malware Expert

Posted 26 January 2010 - 06:30 PM

How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!



#9 jbooth, Topic Starter

Posted 26 January 2010 - 07:01 PM

I'm still getting pop-ups in Firefox, though not as frequently. I noticed that sometimes the URLs of the pop-ups contain search terms I've recently entered in Google. That seems to be the only problem right now.

#10 Buckeye_Sam, Malware Expert

Posted 26 January 2010 - 08:21 PM

Follow the directions in this link to start Firefox in safe mode.
http://support.mozilla.com/en-US/kb/Safe+Mode

Let me know if you still experience the same issues when running Firefox this way.

#11 jbooth, Topic Starter

Posted 26 January 2010 - 08:48 PM

There don't seem to be any pop-ups in safe mode.

#12 Buckeye_Sam, Malware Expert

Posted 26 January 2010 - 08:55 PM

Ok, now we're narrowing down the issue.


Please download GooredFix from one of the locations below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


===================


Open Firefox and install the Mr Tech Toolkit extension from here.
https://addons.mozilla.org/en-US/firefox/addon/421

Once installed, restart Firefox as prompted.
Click Tools -> My Config -> Save - Text
Save the report to your desktop.
Please copy and paste the contents of that report.

#13 jbooth, Topic Starter

Posted 26 January 2010 - 09:26 PM

GooredFix by jpshortstuff (08.01.10.1)
Log created at 21:19 on 26/01/2010 (robert davies)
Firefox version 3.0.17 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [03:13 29/08/2007]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [00:14 06/11/2007]

C:\Documents and Settings\robert davies\Application Data\Mozilla\Firefox\Profiles\1yzvyzpz.default\extensions\
hide.unvisited@agadak.net [17:02 13/01/2009]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [18:39 28/09/2008]
{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [14:35 28/02/2009]
{E2883E8F-472F-4fb0-9522-AC9BF37916A7} [16:13 16/09/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(none)

-=E.O.F=-


Generated: Tue Jan 26 2010 21:23:02 GMT-0500 (Eastern Standard Time)
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.17) Gecko/2009122116 Firefox/3.0.17
Build ID: 2009122116

Enabled Extensions: [6]
- Adobe DLM (powered by getPlus®) 1,6,2,44: http://www.nosltd.com/
- Hide Unvisited 3: http://ed.agadak.net/
- Java Console 6.0.03: http://www.google.com/search?q=Firefox%20Java%20Console
- MR Tech Toolkit 6.0.4: http://www.mrtech.com/extensions/
- WOT 20081111: http://www.mywot.com/
- Yahoo! Toolbar 1.5.2.20080717: http://us.toolbar.yahoo.com/

Installed Themes: [1]
- Default: http://www.mozilla.org/

Installed Plugins: (13)
- Adobe Acrobat
- getPlusPlus for Adobe 16244
- iTunes Application Detector
- Java™ Platform SE 6 U3
- Microsoft® DRM
- Mozilla ActiveX control and plugin support
- Mozilla Default Plug-in
- QuickTime Plug-in 7.6.5
- Shockwave Flash
- Silverlight Plug-In
- Winamp Application Detector
- Windows Media Player Plug-in Dynamic Link Library
- Yahoo! activeX Plug-in Bridge

Edited by jbooth, 26 January 2010 - 09:28 PM.


#14 Buckeye_Sam, Malware Expert

Posted 27 January 2010 - 08:12 AM

You have some plugins that are outdated. Visit this site and install all available updates.
http://www.mozilla.com/en-US/plugincheck/

Same thing with your extensions. Many of them are quite old. The links are provided in the MrTech report so you can visit each site and then install the latest version.


Let me know if you are still experiencing the same issue with Firefox after updating everything.

#15 jbooth, Topic Starter

Posted 27 January 2010 - 02:53 PM

I figured I would give it a few hours to see what happens. Right after I updated everything I wasn't getting any pop-ups, but after a while they started again.

I did an Antivir scan of my computer this morning and it found 1 Trojan. I removed it. A couple of hours later I did another scan and this time it found 760!

I've posted an excerpt from the Antivir log so you can see. They are all in the same place and similarly named (OLD followed by a few numbers or letters). I had already removed these same ones a couple of days before I first posted here so they've come back now.

C:\WINDOWS\system32\drivers\OLD139.tmp
[DETECTION] Is the TR/Patched.Gen Trojan
[NOTE] The file was moved to '4a28a4ff.qua'!
C:\WINDOWS\system32\drivers\OLD13C.tmp
[DETECTION] Is the TR/Patched.Gen Trojan
[NOTE] The file was moved to '4ba496e0.qua'!
C:\WINDOWS\system32\drivers\OLD13F.tmp
[DETECTION] Is the TR/Patched.Gen Trojan
[NOTE] The file was moved to '4a28a501.qua'!
C:\WINDOWS\system32\drivers\OLD142.tmp
[DETECTION] Is the TR/Patched.Gen Trojan
[NOTE] The file was moved to '4ba496e2.qua'!
C:\WINDOWS\system32\drivers\OLD145.tmp
[DETECTION] Is the TR/Patched.Gen Trojan
[NOTE] The file was moved to '4a28a503.qua'!
C:\WINDOWS\system32\drivers\OLD148.tmp

Edited by jbooth, 27 January 2010 - 02:54 PM.
