
Redirect Virus HELP!!


This topic is locked
19 replies to this topic

#1 yoyoyoda


Posted 25 March 2010 - 10:25 PM

I have tried Ad-aware, Malwarebytes, Spybot, Avast, Hitman, and CCleaner. The virus won't even let me install new software or downloaded virus software. It redirects Mozilla and Internet Explorer, even though I have re-installed both. HELP!!!

Scan saved at 7:43:38 AM, on 3/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\WINDOWS\System32\WISPTIS.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hbo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O1 - Hosts: 67.212.177.251 www.google.com
O1 - Hosts: 67.212.177.251 google.com
O1 - Hosts: 67.212.177.251 google.com.au
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35[1].exe" /scan:boot
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .efp: C:\Program Files\Internet Explorer\Plugins\NPEFPrn.dll
O12 - Plugin for .efv: C:\Program Files\Internet Explorer\Plugins\NPEFV.dll
O12 - Plugin for .fmp: C:\Program Files\Internet Explorer\Plugins\NPFMP.dll
O12 - Plugin for .fmr: C:\Program Files\Internet Explorer\Plugins\NPFME.dll
O12 - Plugin for .ifx: C:\Program Files\Internet Explorer\Plugins\NPWebPrn.dll
O12 - Plugin for .lfx: C:\Program Files\Internet Explorer\Plugins\NPLaunch.dll
O12 - Plugin for .mwp: C:\Program Files\Internet Explorer\Plugins\NPMWPrn.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O16 - DPF: {FC6703A7-5B7E-4f58-BE6D-2693AA3906AE} (HP Content Update) - http://h30299.www3.hp.com/ediags/hpnar/en/...hp.cab?1,0,0,94
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10300 bytes
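The O1 lines in the log above are the mechanism behind the redirect: the hosts file sends www.google.com, google.com and google.com.au to 67.212.177.251 instead of letting DNS resolve them. As an added example (not part of this thread, HijackThis or OTS), the Python below flags that pattern in a HijackThis log and, going one step further, in the raw hosts file the O1 lines are derived from; the sample inputs are constructed.

```python
import ipaddress
import re

# Constructed sample input: the O1 lines from the HijackThis log in this thread,
# plus a benign loopback entry and an unrelated line to show they are ignored.
SAMPLE_HJT_LOG = """\
O1 - Hosts: 67.212.177.251 www.google.com
O1 - Hosts: 67.212.177.251 google.com
O1 - Hosts: 67.212.177.251 google.com.au
O1 - Hosts: 127.0.0.1 localhost
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
"""

# Constructed sample of the raw hosts file the O1 lines are derived from
# (comments, blank lines and several names on one line are all legal there).
SAMPLE_HOSTS_FILE = """\
# Constructed example hosts file, not copied from any real machine
127.0.0.1       localhost
0.0.0.0         ads.example.invalid    # ad-blocking style entry, benign
67.212.177.251  www.google.com
67.212.177.251  google.com google.com.au
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def is_benign_target(ip_str):
    """A hosts entry is normal when it points at loopback, 0.0.0.0 or a
    link-local address: that is how local names and ad-blocking lists look.
    Anything routable means the name resolves to a machine chosen by whoever
    wrote the entry, which is exactly the redirect described in the thread."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # not an address at all; treat as suspicious
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local


def parse_hjt_o1(log_text):
    """Return (ip, hostname) pairs from the O1 - Hosts lines of a HJT log."""
    pairs = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def parse_hosts_file(text):
    """Return (ip, hostname) pairs from a raw hosts file, expanding lines that
    list several names after one address and dropping comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs


def find_hijacks(pairs):
    """Keep only entries that send a name to a routable address."""
    return [(ip, host) for ip, host in pairs if not is_benign_target(ip)]


def hijacked_names_by_ip(pairs):
    """Group hijacked names under the address they were pointed at; one
    destination shared by many well-known names is the tell-tale shape."""
    grouped = {}
    for ip, host in find_hijacks(pairs):
        grouped.setdefault(ip, []).append(host)
    return grouped


if __name__ == "__main__":
    for label, pairs in (("HJT log", parse_hjt_o1(SAMPLE_HJT_LOG)),
                         ("hosts file", parse_hosts_file(SAMPLE_HOSTS_FILE))):
        for ip, names in hijacked_names_by_ip(pairs).items():
            print(f"{label}: {ip} is answering for {', '.join(names)}")
```

To audit a real machine, pass the contents of %SystemRoot%\system32\drivers\etc\hosts to parse_hosts_file; on a clean XP install that file contains nothing but the localhost line and comments.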




#2 Ltangelic


Posted 25 March 2010 - 11:36 PM

Hey yoyoyoda,

Welcome to BleepingComputer Forums! I'm Ltangelic and I'll be helping you fix your computer problem.

Take note that I'm still in training, and my posts will have to be checked by an expert. This may cause delays between my responses, so I ask for your patience. Please stick with me until we get your computer cleaned up, or it will be a wasted effort on both sides. ;)

I'm looking at your log now, and I'll post back with a fix when I'm ready. Thanks for your patience.

PS. If I've not been responding, and you wonder why, feel free to PM me and I'll give an explanation.

LT

Bleepingcomputer Malware Response Team


Please do NOT PM anyone with HJT logs, read this and post your logs here.


#3 Ltangelic


Posted 26 March 2010 - 11:27 PM

Hey yoyoyoda,

From your log, you seem to have multiple anti-spyware programs running on your computer. This is not recommended, as multiple protection programs of the same kind can cause conflicts and reduce the efficiency of the software. Please keep only one of the following active and updated and disable/uninstall the other:

Spyware Doctor
Spybot Search and Destroy


Also, it seems that you are running Uniblue RegistryBooster 2009, which in effect is a registry scanner/cleaner. Please be aware that the Registry is a very important segment of a computer system and that registry edit can be a dangerous process. Any mistakes in editing can corrupt the entire registry, rendering your system unbootable or unrepairable. Unless you have advanced knowledge about the inner workings of the Registry, you should never run any registry scanners/cleaners without the guidance of an expert. Doing so may not always deliver the results you want to see, in addition, fixing/cleaning a wrong section of the registry can ultimately corrupt your entire computer system. Thus, I highly recommend that you remove Uniblue RegistryBooster from your computer and refrain from downloading registry scanners/cleaners in the future.

Let's run some preliminary scans to determine the infections on your computer.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software (Avast anti-virus and your anti-spyware software), as it may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following
      netsvcs
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\*.*
      %ProgramFiles%\Movie Maker\*.dll
      %ALLUSERSAPPDATA%\*.dll
      %SYSTEMROOT%\*.tmp
      %PROGRAMFILES%\Internet Explorer\*.dll
      %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
      %systemroot%\system32\*.dll /lockedfiles
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      c:\$recycle.bin\*.* /s
      CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post
2) Run GMER

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Next reply (please include in your post):

OTS.txt (attached)
GMER.txt



#4 Ltangelic


Posted 29 March 2010 - 10:27 PM

Hi,

Do you still need help?



#5 yoyoyoda


Posted 30 March 2010 - 01:23 AM

Yes, still having the problems. Here is the first OTS log.

OTS logfile created on: 3/28/2010 10:51:15 PM - Run 1
OTS by OldTimer - Version 3.1.27.1     Folder = C:\Documents and Settings\Greg Taal\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 632.00 Mb Available Physical Memory | 62.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 3000 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.99 Gb Total Space | 84.69 Gb Free Space | 56.84% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GRAHAM
Current User Name: Greg Taal
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days

[Processes - Safe List]
ots.exe -> C:\Documents and Settings\Greg Taal\Desktop\OTS.exe -> [2010/03/28 22:48:28 | 000,637,440 | ---- | M] (OldTimer Tools)
pifsvc.exe -> C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -> [2010/03/24 01:51:13 | 000,583,048 | ---- | M] (Symantec Corporation)
aawtray.exe -> C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe -> [2010/03/19 23:57:16 | 000,818,256 | ---- | M] (Lavasoft)
aawservice.exe -> C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -> [2010/03/19 23:57:15 | 001,263,728 | ---- | M] (Lavasoft)
concentr.exe -> C:\Program Files\Citrix\ICA Client\concentr.exe -> [2009/09/13 00:09:10 | 000,103,768 | ---- | M] (Citrix Systems, Inc.)
wfcrun32.exe -> C:\Program Files\Citrix\ICA Client\wfcrun32.exe -> [2009/09/13 00:09:04 | 000,550,232 | ---- | M] (Citrix Systems, Inc.)
explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
symlcsvc.exe -> C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -> [2008/02/01 00:12:33 | 001,251,720 | ---- | M] ()
iaantmon.exe -> C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe -> [2004/03/23 10:15:40 | 000,073,852 | ---- | M] (Intel Corporation)
em_exec.exe -> C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE -> [2003/11/14 09:50:00 | 000,037,888 | ---- | M] (Logitech Inc.)

[Modules - Safe List]
ots.exe -> C:\Documents and Settings\Greg Taal\Desktop\OTS.exe -> [2010/03/28 22:48:28 | 000,637,440 | ---- | M] (OldTimer Tools)
msvcp60.dll -> C:\WINDOWS\SYSTEM32\msvcp60.dll -> [2008/04/13 17:12:01 | 000,413,696 | ---- | M] (Microsoft Corporation)
lgmsghk.dll -> C:\Program Files\Common Files\Logitech\Scrolling\LGMSGHK.DLL -> [2003/11/14 09:50:00 | 000,024,064 | ---- | M] (Logitech Inc.)
lgwndhk.dll -> C:\Program Files\Logitech\MouseWare\system\LgWndHk.dll -> [2003/11/14 09:50:00 | 000,006,144 | ---- | M] (Logitech Inc.)

[Win32 Services - Safe List]
(LiveUpdate Notice Ex) LiveUpdate Notice Service Ex [Disabled | Stopped] ->  -> File not found
(LiveUpdate Notice Service) LiveUpdate Notice Service [Disabled | Stopped] -> C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -> [2010/03/24 01:51:13 | 000,583,048 | ---- | M] (Symantec Corporation)
(Lavasoft Ad-Aware Service) Lavasoft Ad-Aware Service [Auto | Running] -> C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -> [2010/03/19 23:57:15 | 001,263,728 | ---- | M] (Lavasoft)
(getPlusHelper) getPlus(R) Helper [On_Demand | Stopped] -> C:\Program Files\NOS\bin\getPlus_Helper.dll -> [2009/09/23 16:37:30 | 000,051,168 | ---- | M] (NOS Microsystems Ltd.)
(Symantec Core LC) Symantec Core LC [Auto | Running] -> C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -> [2008/02/01 00:12:33 | 001,251,720 | ---- | M] ()
(DSBrokerService) DSBrokerService [On_Demand | Stopped] -> C:\Program Files\DellSupport\brkrsvc.exe -> [2007/03/07 15:47:46 | 000,076,848 | ---- | M] ()
(IAANTMon) IAA Event Monitor [Auto | Running] -> C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe -> [2004/03/23 10:15:40 | 000,073,852 | ---- | M] (Intel Corporation)
(SQLAgent$MICROSOFTBCM) SQLAgent$MICROSOFTBCM [On_Demand | Stopped] -> C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -> [2002/12/17 17:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation)
(CVPND) Cisco Systems, Inc. VPN Service [Disabled | Stopped] -> C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -> [2002/10/04 11:16:10 | 001,282,110 | ---- | M] (Cisco Systems, Inc.)
(OracleOraHome81ClientCache) OracleOraHome81ClientCache [Disabled | Stopped] -> C:\oracle\ora81\bin\ONRSD.EXE -> [2000/10/19 12:55:50 | 000,411,244 | ---- | M] ()

[Driver Services - Safe List]
(iaStor) Intel AHCI Controller [Kernel | Boot | Running] -> C:\WINDOWS\system32\drivers\iaStor.sys -> [2010/03/22 00:28:33 | 000,467,200 | ---- | M] (Intel Corporation)
(Lbd) Lbd [File_System | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\Lbd.sys -> [2010/02/04 08:53:02 | 000,064,288 | ---- | M] (Lavasoft AB)
(ctxusbm) Citrix USB Monitor Driver [Kernel | System | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\ctxusbm.sys -> [2009/09/08 19:13:16 | 000,065,584 | ---- | M] (Citrix Systems, Inc.)
(NwlnkIpx) NWLink IPX/SPX/NetBIOS Compatible Transport Protocol [Kernel | Auto | Stopped] -> C:\WINDOWS\SYSTEM32\DRIVERS\nwlnkipx.sys -> [2008/04/13 11:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation)
(amdagp) AMD AGP Bus Filter Driver [Kernel | Disabled | Stopped] -> C:\WINDOWS\System32\DRIVERS\amdagp.sys -> [2008/04/13 11:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.)
(sisagp) SIS AGP Bus Filter [Kernel | Disabled | Stopped] -> C:\WINDOWS\System32\DRIVERS\sisagp.sys -> [2008/04/13 11:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation)
(dsunidrv) DellSupport UniDriver [Kernel | Auto | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys -> [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.)
(DSproct) DSproct [Kernel | On_Demand | Stopped] -> C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -> [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.)
(symlcbrd) symlcbrd [Kernel | Auto | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\symlcbrd.sys -> [2006/07/04 10:46:14 | 000,010,344 | ---- | M] (Symantec Corporation)
(AFS2K) AFS2K [Kernel | System | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\AFS2K.SYS -> [2004/10/07 18:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.)
(P17) Sound Blaster Live! 24-bit [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\P17.sys -> [2004/06/09 10:16:00 | 000,840,960 | ---- | M] (Creative Technology Ltd.)
(b57w2k) Broadcom NetXtreme 57xx Gigabit Controller [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\b57xp32.sys -> [2004/05/29 15:41:54 | 000,186,112 | ---- | M] (Broadcom Corporation)
(ati2mtag) ati2mtag [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -> [2004/05/25 21:19:00 | 000,729,600 | ---- | M] (ATI Technologies Inc.)
(NwlnkNb) NWLink NetBIOS [Kernel | Auto | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\NWLNKNB.SYS -> [2004/03/19 15:41:00 | 000,063,232 | ---- | M] (Microsoft Corporation)
(NwlnkSpx) NWLink SPX/SPXII Protocol [Kernel | Auto | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\NWLNKSPX.SYS -> [2004/03/19 15:41:00 | 000,055,936 | ---- | M] (Microsoft Corporation)
(tfsnudfa) tfsnudfa [File_System | Auto | Running] -> C:\WINDOWS\SYSTEM32\dla\tfsnudfa.sys -> [2004/03/14 23:04:00 | 000,100,597 | ---- | M] (Sonic Solutions)
(tfsnudf) tfsnudf [File_System | Auto | Running] -> C:\WINDOWS\SYSTEM32\dla\tfsnudf.sys -> [2004/03/14 23:04:00 | 000,098,580 | ---- | M] (Sonic Solutions)
(tfsnifs) tfsnifs [File_System | Auto | Running] -> C:\WINDOWS\SYSTEM32\dla\tfsnifs.sys -> [2004/03/14 23:04:00 | 000,085,972 | ---- | M] (Sonic Solutions)
(tfsncofs) tfsncofs [File_System | Auto | Running] -> C:\WINDOWS\SYSTEM32\dla\tfsncofs.sys -> [2004/03/14 23:04:00 | 000,034,837 | ---- | M] (Sonic Solutions)
(tfsnboio) tfsnboio [File_System | Auto | Running] -> C:\WINDOWS\SYSTEM32\dla\tfsnboio.sys -> [2004/03/14 23:04:00 | 000,025,685 | ---- | M] (Sonic Solutions)
(tfsnopio) tfsnopio [File_System | Auto | Running] -> C:\WINDOWS\SYSTEM32\dla\tfsnopio.sys -> [2004/03/14 23:04:00 | 000,014,229 | ---- | M] (Sonic Solutions)
(tfsnpool) tfsnpool [File_System | Auto | Running] -> C:\WINDOWS\SYSTEM32\dla\tfsnpool.sys -> [2004/03/14 23:04:00 | 000,006,357 | ---- | M] (Sonic Solutions)
(tfsndrct) tfsndrct [File_System | Auto | Running] -> C:\WINDOWS\SYSTEM32\dla\tfsndrct.sys -> [2004/03/14 23:04:00 | 000,004,117 | ---- | M] (Sonic Solutions)
(tfsndres) tfsndres [File_System | Auto | Running] -> C:\WINDOWS\SYSTEM32\dla\tfsndres.sys -> [2004/03/14 23:04:00 | 000,002,233 | ---- | M] (Sonic Solutions)
(IntelC52) IntelC52 [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys -> [2004/03/05 20:15:34 | 000,647,929 | ---- | M] (Intel Corporation)
(IntelC51) IntelC51 [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys -> [2004/03/05 20:14:42 | 001,233,525 | ---- | M] (Intel Corporation)
(IntelC53) IntelC53 [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys -> [2004/03/05 20:13:52 | 000,060,949 | ---- | M] (Intel Corporation)
(mohfilt) mohfilt [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\mohfilt.sys -> [2004/03/05 20:13:38 | 000,037,048 | ---- | M] (Intel Corporation)
(drvnddm) drvnddm [File_System | Auto | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\drvnddm.sys -> [2004/02/27 00:56:00 | 000,040,480 | ---- | M] (Sonic Solutions)
(drvmcdb) drvmcdb [Kernel | Boot | Running] -> C:\WINDOWS\system32\drivers\drvmcdb.sys -> [2004/02/13 01:21:00 | 000,086,160 | ---- | M] (Sonic Solutions)
(sscdbhk5) sscdbhk5 [File_System | System | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\sscdbhk5.sys -> [2004/01/14 17:18:16 | 000,005,621 | ---- | M] (Sonic Solutions)
(ssrtln) ssrtln [File_System | System | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\ssrtln.sys -> [2004/01/14 17:18:04 | 000,023,219 | ---- | M] (Sonic Solutions)
(LMouFlt2) Logitech Mouse Class Filter Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\LMouFlt2.Sys -> [2003/11/07 02:50:00 | 000,070,798 | ---- | M] (Logitech, Inc.)
(L8042pr2) Logitech PS/2 Mouse Filter Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\SYSTEM32\DRIVERS\L8042PR2.SYS -> [2003/11/07 02:50:00 | 000,051,486 | ---- | M] (Logitech, Inc.)
(LHidUsb) Logitech USB Receiver device driver [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\LHidUsb.sys -> [2003/11/07 02:50:00 | 000,037,884 | ---- | M] (Logitech, Inc.)
(LHidFlt2) Logitech HID/USB Mouse Filter Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\LHidFlt2.Sys -> [2003/11/07 02:50:00 | 000,025,502 | ---- | M] (Logitech, Inc.)
(LCcfltr) Logitech USB Filter Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\LCcfltr.sys -> [2003/11/07 02:50:00 | 000,014,092 | ---- | M] (Logitech, Inc.)
(ctsfm2k) Creative SoundFont Management Device Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\ctsfm2k.sys -> [2003/09/22 06:48:00 | 000,130,192 | ---- | M] (Creative Technology Ltd)
(ossrv) Creative OS Services Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\ctoss2k.sys -> [2003/09/22 06:47:00 | 000,178,672 | ---- | M] (Creative Technology Ltd.)
(PfModNT) PfModNT [Kernel | Auto | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\Pfmodnt.sys -> [2003/03/05 10:19:00 | 000,015,840 | ---- | M] (Creative Technology Ltd.)
(omci) OMCI WDM Device Driver [Kernel | System | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -> [2002/11/08 11:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation)
(CVPNDRV) Cisco Systems IPsec Driver [Kernel | Auto | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\CVPNDrv.sys -> [2002/10/04 11:18:26 | 000,263,749 | ---- | M] (Cisco Systems, Inc.)
(vsdatant) vsdatant [Kernel | On_Demand | Stopped] -> C:\WINDOWS\SYSTEM32\vsdatant.sys -> [2002/07/12 18:40:06 | 000,141,752 | ---- | M] (Zone Labs Inc.)
(DNE) Deterministic Network Enhancer Miniport [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\dne2000.sys -> [2002/01/09 16:10:30 | 000,128,380 | ---- | M] (Deterministic Networks, Inc.)
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> C:\WINDOWS\System32\DRIVERS\sparrow.sys -> [2001/08/17 12:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.)
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> C:\WINDOWS\System32\DRIVERS\sym_u3.sys -> [2001/08/17 12:07:42 | 000,030,688 | ---- | M] (LSI Logic)
(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> C:\WINDOWS\System32\DRIVERS\sym_hi.sys -> [2001/08/17 12:07:40 | 000,028,384 | ---- | M] (LSI Logic)
(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> C:\WINDOWS\System32\DRIVERS\symc8xx.sys -> [2001/08/17 12:07:36 | 000,032,640 | ---- | M] (LSI Logic)
(symc810) symc810 [Kernel | Disabled | Stopped] -> C:\WINDOWS\System32\DRIVERS\symc810.sys -> [2001/08/17 12:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.)
(MODEMCSA) Unimodem Streaming Filter Device [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\MODEMCSA.sys -> [2001/08/17 11:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation)
(ultra) ultra [Kernel | Disabled | Stopped] -> C:\WINDOWS\System32\DRIVERS\ultra.sys -> [2001/08/17 11:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.)
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> C:\WINDOWS\System32\DRIVERS\ql12160.sys -> [2001/08/17 11:52:20 | 000,045,312 | ---- | M] (QLogic Corporation)
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> C:\WINDOWS\System32\DRIVERS\ql1080.sys -> [2001/08/17 11:52:20 | 000,040,320 | ---- | M] (QLogic Corporation)
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> C:\WINDOWS\System32\DRIVERS\ql1280.sys -> [2001/08/17 11:52:18 | 000,049,024 | ---- | M] (QLogic Corporation)
(dac2w2k) dac2w2k [Kernel | Disabled | Stopped] -> C:\WINDOWS\System32\DRIVERS\dac2w2k.sys -> [2001/08/17 11:52:16 | 000,179,584 | ---- | M] (Mylex Corporation)
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> C:\WINDOWS\System32\DRIVERS\mraid35x.sys -> [2001/08/17 11:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.)
(asc) asc [Kernel | Disabled | Stopped] -> C:\WINDOWS\System32\DRIVERS\asc.sys -> [2001/08/17 11:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.)
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> C:\WINDOWS\System32\DRIVERS\asc3550.sys -> [2001/08/17 11:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.)
(AliIde) AliIde [Kernel | Disabled | Stopped] -> C:\WINDOWS\System32\DRIVERS\aliide.sys -> [2001/08/17 11:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.)
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> C:\WINDOWS\System32\DRIVERS\cmdide.sys -> [2001/08/17 11:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.)

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\"Search Page" ->  ->
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://www.dell4me.com/myway ->
HKEY_LOCAL_MACHINE\: Search\\"CustomSearch" -> http://red.clientapps.yahoo.com/customize/ie/defaults/cs/ymsgr6/*http://www.yahoo.com/ext/search/search.html ->
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://www.google.com/ie ->
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> ->
HKEY_USERS\.DEFAULT\: Main\\"Default_Page_URL" -> http://www.dell4me.com/myway ->
HKEY_USERS\.DEFAULT\: Main\\"First Home Page" -> http://www.dell4me.com/myway ->
HKEY_USERS\.DEFAULT\: Main\\"Start Page" -> http://www.dell4me.com/myway ->
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> ->
HKEY_USERS\S-1-5-18\: Main\\"Default_Page_URL" -> http://www.dell4me.com/myway ->
HKEY_USERS\S-1-5-18\: Main\\"First Home Page" -> http://www.dell4me.com/myway ->
HKEY_USERS\S-1-5-18\: Main\\"Start Page" -> http://www.dell4me.com/myway ->
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> ->
HKEY_USERS\S-1-5-19\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> ->
HKEY_USERS\S-1-5-20\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\] > -> ->
HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\: Main\\"Search Page" -> http://www.google.com ->
HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\: Main\\"SearchMigratedDefaultName" -> Google ->
HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\: Main\\"SearchMigratedDefaultURL" -> http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 ->
HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\: Main\\"Start Page" -> http://www.hbo.com/ ->
HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\: SearchURL\\"" -> http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com ->
HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\: SearchURL\\"provider" -> gogl ->
HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\: "ProxyEnable" -> 0 ->
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Greg Taal\Application Data\Mozilla\FireFox\Profiles\1gpn2kri.default\prefs.js ->
browser.search.defaultenginename -> "Google" ->
browser.search.defaulturl -> "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=" ->
browser.search.selectedEngine -> "search" ->
browser.startup.homepage -> "http://traffic.511.org/sfgate/|http://www.dlisted.com/" ->
extensions.enabledItems -> {46868735-c3fa-47ce-8ce7-cce51a66aceb}:1.2 ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  ->
HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758} -> C:\Program Files\Real\RealPlayer\browserrecord [C:\PROGRAM FILES\REAL\REALPLAYER\BROWSERRECORD] -> [2008/10/17 11:30:12 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions ->  ->
HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components -> C:\Program Files\Mozilla Firefox\components [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2010/03/25 07:30:37 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins -> C:\Program Files\Mozilla Firefox\plugins [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2010/03/25 07:30:37 | 000,000,000 | ---D | M]
< FireFox Extensions [User Folders] > ->
  -> C:\Documents and Settings\Greg Taal\Application Data\Mozilla\Extensions -> [2009/09/22 23:51:25 | 000,000,000 | ---D | M]
  -> C:\Documents and Settings\Greg Taal\Application Data\Mozilla\Extensions\uploadr@flickr.com -> [2009/09/22 23:51:25 | 000,000,000 | ---D | M]
  -> C:\Documents and Settings\Greg Taal\Application Data\Mozilla\Firefox\Profiles\1gpn2kri.default\extensions -> [2010/03/28 12:30:36 | 000,000,000 | ---D | M]
oldbar   -> C:\Documents and Settings\Greg Taal\Application Data\Mozilla\Firefox\Profiles\1gpn2kri.default\extensions\{46868735-c3fa-47ce-8ce7-cce51a66aceb} -> [2008/12/01 00:35:50 | 000,000,000 | ---D | M]
  -> C:\Documents and Settings\Greg Taal\Application Data\Mozilla\Firefox\Profiles\1gpn2kri.default\extensions\hide.unvisited@agadak.net -> [2008/12/01 00:38:54 | 000,000,000 | ---D | M]
< FireFox Extensions [Program Folders] > ->
  -> C:\Program Files\Mozilla Firefox\extensions -> [2010/03/20 12:26:59 | 000,000,000 | ---D | M]
< HOSTS File > ([2010/03/20 12:22:40 | 000,222,566 | R--- | M] - 7855 lines) -> C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts ->
First 25 entries...
Reset Hosts
127.0.0.1       localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{0347C33E-8762-4905-BF09-768834316C61} [HKLM] -> C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [HP Print Enhancer] -> [2007/11/06 02:50:44 | 000,322,880 | ---- | M] (Hewlett-Packard Co.)
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> [2003/05/15 01:47:54 | 000,050,376 | ---- | M] (Adobe Systems Incorporated)
{3049C3E9-B461-4BC5-8870-4C09146192CA} [HKLM] -> C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [RealPlayer Download and Record Plugin for Internet Explorer] -> [2008/10/17 11:30:11 | 000,308,856 | ---- | M] (RealPlayer)
{5CA3D70E-1895-11CF-8E15-001234567890} [HKLM] -> C:\WINDOWS\SYSTEM32\dla\tfswshx.dll [DriveLetterAccess] -> [2004/03/14 23:04:00 | 000,118,836 | ---- | M] (Sonic Solutions)
{AE7CD045-E861-484f-8273-0445EE161910} [HKLM] -> C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [AcroIEToolbarHelper Class] -> [2003/05/15 02:03:46 | 000,147,456 | ---- | M] ()
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} [HKLM] -> C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [HP Smart BHO Class] -> [2007/11/06 02:50:44 | 000,542,016 | ---- | M] (Hewlett-Packard Co.)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [2003/05/15 02:03:46 | 000,147,456 | ---- | M] ()
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\] > -> HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [2003/05/15 02:03:46 | 000,147,456 | ---- | M] ()
WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [2003/05/15 02:03:46 | 000,147,456 | ---- | M] ()
WebBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"ConnectionCenter" -> C:\Program Files\Citrix\ICA Client\concentr.exe ["C:\Program Files\Citrix\ICA Client\concentr.exe" /startup] -> [2009/09/13 00:09:10 | 000,103,768 | ---- | M] (Citrix Systems, Inc.)
"hpqSRMon" -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe [C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe] -> File not found
"Logitech Utility" -> C:\WINDOWS\LOGI_MWX.EXE [Logi_MwX.Exe] -> [2003/11/07 02:50:00 | 000,019,968 | ---- | M] (Logitech Inc.)
"Symantec PIF AlertEng" -> C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe ["C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"] -> [2010/03/24 01:51:13 | 000,583,048 | ---- | M] (Symantec Corporation)
< RunOnce [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ->
"RealUpgradeHelper" -> C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe ["C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0"] -> [2008/10/17 11:29:51 | 000,136,768 | ---- | M] (RealNetworks, Inc.)
< RunOnce [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ->
"RealUpgradeHelper" -> C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe ["C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0"] -> [2008/10/17 11:29:51 | 000,136,768 | ---- | M] (RealNetworks, Inc.)
< Administrator Startup Folder > -> C:\Documents and Settings\Administrator\Start Menu\Programs\Startup ->
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
< Default User Startup Folder > -> C:\Documents and Settings\Default User\Start Menu\Programs\Startup ->
< Greg Taal Startup Folder > -> C:\Documents and Settings\Greg Taal\Start Menu\Programs\Startup ->
< Guest Startup Folder > -> C:\Documents and Settings\Guest\Start Menu\Programs\Startup ->
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" ->  [1] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"ConsentPromptBehaviorAdmin" ->  [0] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
\\"CDRAutoRun" ->  [0] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
\\"CDRAutoRun" ->  [0] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008] > -> HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008] > -> HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{d81ca86b-ef63-42af-bee3-4502d9a03c2d}:http://wwws.musicmatch.com/mmz/openWebRadio.html [HKLM] ->  [Button: MUSICMATCH MX Web Player] -> File not found
{DDE87865-83C5-48c4-8357-2F5B1AA84522}:{DDE87865-83C5-48c4-8357-2F5B1AA84522} [HKLM] -> C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [Button: HP Smart Select] -> [2007/11/06 02:50:44 | 000,542,016 | ---- | M] (Hewlett-Packard Co.)
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] ->  [Reg Error: Value error.] -> File not found
CmdMapping\\"{DDE87865-83C5-48c4-8357-2F5B1AA84522}" [HKLM] -> C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [ClipBookBtn Class] -> [2007/11/06 02:50:44 | 000,542,016 | ---- | M] (Hewlett-Packard Co.)
CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] ->  [Reg Error: Key error.] -> File not found
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] ->  [Reg Error: Value error.] -> File not found
CmdMapping\\"{DDE87865-83C5-48c4-8357-2F5B1AA84522}" [HKLM] -> C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [ClipBookBtn Class] -> [2007/11/06 02:50:44 | 000,542,016 | ---- | M] (Hewlett-Packard Co.)
CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] ->  [Reg Error: Key error.] -> File not found
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\] > -> HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] ->  [Reg Error: Value error.] -> File not found
CmdMapping\\"{4528BBE0-4E08-11D5-AD55-00010333D0AD}" [HKLM] ->  [Reg Error: Key error.] -> File not found
CmdMapping\\"{DDE87865-83C5-48c4-8357-2F5B1AA84522}" [HKLM] -> C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [ClipBookBtn Class] -> [2007/11/06 02:50:44 | 000,542,016 | ---- | M] (Hewlett-Packard Co.)
CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] ->  [Reg Error: Key error.] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
Extension\.efp -> C:\Program Files\Internet Explorer\PLUGINS\NPEFPrn.dll [Reg Error: Value error.] -> [2002/07/29 09:32:00 | 000,090,112 | ---- | M] (EFiling)
Extension\.efv -> C:\Program Files\Internet Explorer\PLUGINS\NPEFV.dll [Reg Error: Value error.] -> [2002/05/15 14:30:36 | 000,045,056 | ---- | M] (E-Filing)
Extension\.fmp -> C:\Program Files\Internet Explorer\PLUGINS\NPFMP.dll [Reg Error: Value error.] -> [2002/01/25 16:26:48 | 000,078,848 | ---- | M] (E-Filing)
Extension\.fmr -> C:\Program Files\Internet Explorer\PLUGINS\NPFME.dll [Reg Error: Value error.] -> [2002/01/25 16:25:46 | 000,078,848 | ---- | M] (E-Filing)
Extension\.ifx -> C:\Program Files\Internet Explorer\PLUGINS\NPWebPrn.dll [Reg Error: Value error.] -> [1998/11/11 12:39:26 | 000,032,768 | ---- | M] (IMAGE-X)
Extension\.lfx -> C:\Program Files\Internet Explorer\PLUGINS\NPLaunch.dll [Reg Error: Value error.] -> [1999/07/23 12:30:48 | 000,019,968 | ---- | M] (IMAGE-X)
Extension\.mwp -> C:\Program Files\Internet Explorer\PLUGINS\NPMWPrn.dll [Reg Error: Value error.] -> [2002/07/25 15:17:00 | 000,069,632 | ---- | M] (IMAGE-X)
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4123 domain(s) found. ->
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4122 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4122 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4152 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4152 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\] > -> HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4124 domain(s) found. ->
www_nba.com [https] -> Trusted sites ->
secure_thebancorphsa-ehealth.com [https] -> Trusted sites ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\] > -> HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{166B1BCA-3F9C-11CF-8075-444553540000} [HKLM] -> http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab [Shockwave ActiveX Control] ->
{17492023-C23A-453E-A040-C7C580BBF700} [HKLM] -> http://go.microsoft.com/fwlink/?linkid=39204 [Windows Genuine Advantage Validation Tool] ->
{4871A87A-BFDD-4106-8153-FFDE2BAC2967} [HKLM] -> http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab [DLM Control] ->
{8100D56A-5661-482C-BEE8-AFECE305D968} [HKLM] -> http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab [Facebook Photo Uploader 5 Control] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab [Java Plug-in 1.4.0] ->
{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab [Java Plug-in 1.4.0] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] ->
{E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} [HKLM] -> http://download.abacast.com/download/files/abasetup152.cab [Reg Error: Key error.] ->
{FC6703A7-5B7E-4f58-BE6D-2693AA3906AE} [HKLM] -> http://h30299.www3.hp.com/ediags/hpnar/en/app/17/install/gtdownhp.cab?1,0,0,94 [HP Content Update] ->
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ ->
DhcpNameServer -> 68.87.76.182 68.87.78.134 ->
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{0B37D7F5-AC1E-4A59-B67F-3A74EC2983C2}\\DhcpNameServer -> 68.87.76.182 68.87.78.134   (Broadcom NetXtreme 57xx Gigabit Controller) ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> ->
< Winlogon settings [HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008] > -> HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_USERS\S-1-5-21-2485814239-3077572411-771695662-1008\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
"C:\Documents and Settings\All Users\Application Data\23c8bad\SG23c8.exe" -> C:\Documents and Settings\All Users\Application Data\23c8bad\SG23c8.exe -> File not found
/s /d ->  -> File not found
*MultiFile Done* -> ->
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List ->
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ->
"C:\Program Files\Bonjour\mDNSResponder.exe" -> C:\Program Files\Bonjour\mDNSResponder.exe [C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour] -> File not found
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpiscnapp.exe" -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpiscnapp.exe [C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe] -> File not found
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoews01.exe" -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoews01.exe [C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe] -> File not found
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpofxm08.exe" -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpofxm08.exe [C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe] -> [2007/11/02 19:44:16 | 000,283,992 | ---- | M] (Hewlett-Packard Co.)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposfx08.exe" -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposfx08.exe [C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe] -> [2007/11/02 19:44:16 | 000,053,248 | ---- | M] (Hewlett-Packard Co.)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposid01.exe" -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposid01.exe [C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe] -> File not found
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqkygrp.exe" -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqkygrp.exe [C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe] -> [2007/10/31 15:45:22 | 000,147,456 | ---- | M] (Hewlett-Packard)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqscnvw.exe" -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqscnvw.exe [C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe] -> [2002/10/18 05:41:36 | 000,622,592 | ---- | M] ()
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe" -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe [C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe] -> File not found
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe" -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe] -> File not found
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpzwiz01.exe" -> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpzwiz01.exe [C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe] -> File not found
"C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqPhUnl.exe" -> C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqPhUnl.exe [C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe] -> [2002/10/07 00:22:34 | 000,454,656 | ---- | M] ()
"C:\Program Files\iTunes\iTunes.exe" -> C:\Program Files\iTunes\iTunes.exe [C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes] -> [2008/02/19 13:10:26 | 019,897,640 | ---- | M] (Apple Inc.)
"C:\Program Files\LimeWire\LimeWire.exe" -> C:\Program Files\LimeWire\LimeWire.exe [C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire] -> [2008/06/18 11:46:56 | 000,147,456 | ---- | M] (Lime Wire, LLC)
"C:\Program Files\Yahoo!\Messenger\YPager.exe" -> C:\Program Files\Yahoo!\Messenger\YPager.exe [C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger] -> File not found
"C:\Program Files\Yahoo!\Messenger\YServer.exe" -> C:\Program Files\Yahoo!\Messenger\YServer.exe [C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server] -> File not found
"E:\setup\HPZNUI01.EXE" -> E:\setup\HPZNUI01.EXE [E:\setup\HPZNUI01.EXE:*:Enabled:hpznui01.exe] -> File not found
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 ->
"DisplayName" -> CD-ROM Driver ->
"ImagePath" ->  [System32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > ->  ->
C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2004/03/20 10:58:32 | 000,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ->
\{7d798494-4e38-11db-8a05-00111136cb17}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7d798494-4e38-11db-8a05-00111136cb17}\Shell
\{7d798494-4e38-11db-8a05-00111136cb17}\Shell\\"" ->  [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7d798494-4e38-11db-8a05-00111136cb17}\Shell\AutoRun
\{7d798494-4e38-11db-8a05-00111136cb17}\Shell\AutoRun\\"" ->  [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7d798494-4e38-11db-8a05-00111136cb17}\Shell\AutoRun\command
\{7d798494-4e38-11db-8a05-00111136cb17}\Shell\AutoRun\command\\"" -> F:\LaunchU3.exe [F:\LaunchU3.exe -a] -> File not found
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command ->
comfile [open] -> "%1" %* ->
exefile [open] -> "%1" %* ->
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ ->
.com [@ = comfile] -> "%1" %* ->
.exe [@ = exefile] -> "%1" %* ->

[Registry - Additional Scans - Safe List]
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command ->
batfile [open] -> "%1" %* ->
cmdfile [open] -> "%1" %* ->
comfile [open] -> "%1" %* ->
exefile [open] -> "%1" %* ->
htmlfile [edit] -> "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 -> [2003/07/14 20:52:56 | 000,055,360 | ---- | M] (Microsoft Corporation)
htmlfile [print] -> "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 -> [2003/07/14 20:52:56 | 000,055,360 | ---- | M] (Microsoft Corporation)
piffile [open] -> "%1" %* ->
scrfile [config] -> "%1" ->
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l -> [2008/04/13 17:12:41 | 000,135,168 | ---- | M] (Microsoft Corporation)
scrfile [open] -> "%1" /S ->
Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 ->
Directory [AddToPlaylistVLC] -> C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" -> [2008/10/06 13:00:34 | 000,094,208 | ---- | M] ()
Directory [find] -> %SystemRoot%\Explorer.exe -> [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
Directory [PlayWithVLC] -> C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" -> [2008/10/06 13:00:34 | 000,094,208 | ---- | M] ()
Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L -> [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L -> [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
Drive [find] -> %SystemRoot%\Explorer.exe -> [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
< EventViewer Logs - Last 10 Errors > -> Event Information -> Description
Application [ Error ] 3/22/2010 3:19:12 AM Computer Name = GRAHAM | Source = crypt32 | ID = 131080 -> Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.  
Application [ Error ] 3/22/2010 3:19:13 AM Computer Name = GRAHAM | Source = crypt32 | ID = 131080 -> Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.  
Application [ Error ] 3/22/2010 3:19:15 AM Computer Name = GRAHAM | Source = crypt32 | ID = 131080 -> Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.  
Application [ Error ] 3/22/2010 3:19:18 AM Computer Name = GRAHAM | Source = crypt32 | ID = 131080 -> Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.  
Application [ Error ] 3/22/2010 4:47:39 AM Computer Name = GRAHAM | Source = Windows Product Activation | ID = 1010 -> Description = The Windows license was restored due to a system error. You might need to reactivate your Windows product.  
Application [ Error ] 3/25/2010 10:41:44 AM Computer Name = GRAHAM | Source = MsiInstaller | ID = 11704 -> Description = Product: HiJackThis -- Error 1704. An installation for Microsoft Office 2000 Premium is currently suspended.  You must undo the changes made by that installation to continue.  Do you want to undo those changes?
Application [ Error ] 3/25/2010 10:42:40 AM Computer Name = GRAHAM | Source = MsiInstaller | ID = 11704 -> Description = Product: HiJackThis -- Error 1704. An installation for Microsoft Office 2000 Premium is currently suspended.  You must undo the changes made by that installation to continue.  Do you want to undo those changes?
Application [ Error ] 3/26/2010 12:23:15 AM Computer Name = GRAHAM | Source = Application Hang | ID = 1002 -> Description = Hanging application EXCEL.EXE, version 11.0.6355.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Application [ Error ] 3/29/2010 1:20:30 AM Computer Name = GRAHAM | Source = Automatic LiveUpdate Scheduler | ID = 101 -> Description =
Application [ Error ] 3/29/2010 1:21:15 AM Computer Name = GRAHAM | Source = pctsSvc.exe | ID = 0 -> Description =
System [ Error ] 3/19/2010 3:25:45 AM Computer Name = GRAHAM | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service MSIServer with arguments ""  in order to run the server:  {000C101C-0000-0000-C000-000000000046}
System [ Error ] 3/19/2010 3:51:16 AM Computer Name = GRAHAM | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service MSIServer with arguments ""  in order to run the server:  {000C101C-0000-0000-C000-000000000046}
System [ Error ] 3/19/2010 4:59:50 AM Computer Name = GRAHAM | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service MSIServer with arguments ""  in order to run the server:  {000C101C-0000-0000-C000-000000000046}
System [ Error ] 3/19/2010 6:30:23 AM Computer Name = GRAHAM | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service EventSystem with arguments ""  in order to run the server:  {1BE1F766-5536-11D1-B726-00C04FB926AF}
System [ Error ] 3/19/2010 11:26:39 AM Computer Name = GRAHAM | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service EventSystem with arguments ""  in order to run the server:  {1BE1F766-5536-11D1-B726-00C04FB926AF}
System [ Error ] 3/19/2010 12:12:59 PM Computer Name = GRAHAM | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service StiSvc with arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}
System [ Error ] 3/19/2010 1:05:29 PM Computer Name = GRAHAM | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service MSIServer with arguments ""  in order to run the server:  {000C101C-0000-0000-C000-000000000046}
System [ Error ] 3/19/2010 2:08:19 PM Computer Name = GRAHAM | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service MSIServer with arguments ""  in order to run the server:  {000C101C-0000-0000-C000-000000000046}
System [ Error ] 3/19/2010 3:37:50 PM Computer Name = GRAHAM | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service MSIServer with arguments ""  in order to run the server:  {000C101C-0000-0000-C000-000000000046}
System [ Error ] 3/19/2010 4:24:53 PM Computer Name = GRAHAM | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service EventSystem with arguments ""  in order to run the server:  {1BE1F766-5536-11D1-B726-00C04FB926AF}

[Files/Folders - Created Within 30 Days]
OTS.exe -> C:\Documents and Settings\Greg Taal\Desktop\OTS.exe -> [2010/03/28 22:48:24 | 000,637,440 | ---- | C] (OldTimer Tools)
Recent -> C:\Documents and Settings\Greg Taal\Recent -> [2010/03/25 22:37:51 | 000,000,000 | RH-D | C]
kayh -> C:\kayh -> [2010/03/25 21:28:12 | 000,000,000 | ---D | C]
jogagub -> C:\jogagub -> [2010/03/25 21:21:26 | 000,000,000 | ---D | C]
TrendMicro -> C:\Program Files\TrendMicro -> [2010/03/25 07:42:46 | 000,000,000 | ---D | C]
bootdelete.exe -> C:\WINDOWS\System32\bootdelete.exe -> [2010/03/22 02:15:48 | 000,012,872 | ---- | C] (SurfRight B.V.)
MD5.dll -> C:\Documents and Settings\Greg Taal\MD5.dll -> [2010/03/22 02:02:35 | 000,016,896 | ---- | C] (freaked)
Hitman Pro 3.5 -> C:\Program Files\Hitman Pro 3.5 -> [2010/03/22 00:18:10 | 000,000,000 | ---D | C]
Hitman Pro -> C:\Documents and Settings\All Users\Application Data\Hitman Pro -> [2010/03/22 00:18:10 | 000,000,000 | ---D | C]
Downloads -> C:\Documents and Settings\Greg Taal\My Documents\Downloads -> [2010/03/20 18:03:55 | 000,000,000 | ---D | C]
setup-spybotsd162.exe -> C:\Documents and Settings\Greg Taal\Desktop\setup-spybotsd162.exe -> [2010/03/20 01:51:54 | 016,409,960 | ---- | C] (Safer Networking Limited                                    )
Sun -> C:\Documents and Settings\All Users\Application Data\Sun -> [2010/03/20 01:41:53 | 000,000,000 | ---D | C]
Lbd.sys -> C:\WINDOWS\System32\drivers\Lbd.sys -> [2010/03/19 23:57:37 | 000,064,288 | ---- | C] (Lavasoft AB)
SBREDrv.sys -> C:\WINDOWS\System32\drivers\SBREDrv.sys -> [2010/03/19 23:57:32 | 000,095,024 | ---- | C] (Sunbelt Software)
{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6} -> C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6} -> [2010/03/19 23:51:51 | 000,000,000 | -H-D | C]
Ad-AwareInstaller(2).exe -> C:\Documents and Settings\Greg Taal\Desktop\Ad-AwareInstaller(2).exe -> [2010/03/19 23:48:56 | 097,364,760 | ---- | C] (Lavasoft                                                                                                                                                                                                                                                                                                    )
Ad-AwareInstaller.exe -> C:\Documents and Settings\Greg Taal\Desktop\Ad-AwareInstaller.exe -> [2010/03/19 23:31:45 | 097,364,760 | ---- | C] (Lavasoft                                                                                                                                                                                                                                                                                                    )
SGNND -> C:\Documents and Settings\All Users\Application Data\SGNND -> [2010/03/19 20:04:25 | 000,000,000 | -HSD | C]
23c8bad -> C:\Documents and Settings\All Users\Application Data\23c8bad -> [2010/03/19 20:03:53 | 000,000,000 | -HSD | C]
Macromedia -> C:\Documents and Settings\LocalService\Application Data\Macromedia -> [2010/03/19 18:03:12 | 000,000,000 | ---D | M]
Adobe -> C:\Documents and Settings\LocalService\Application Data\Adobe -> [2010/03/19 17:44:23 | 000,000,000 | ---D | M]
Apple Computer -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer -> [2010/03/18 22:52:12 | 000,000,000 | ---D | M]
Malwarebytes' Anti-Malware -> C:\Program Files\Malwarebytes' Anti-Malware -> [2010/03/18 22:52:10 | 000,000,000 | ---D | C]
Malwarebytes' Anti-Malware(2) -> C:\Program Files\Malwarebytes' Anti-Malware(2) -> [2010/03/18 22:40:49 | 000,000,000 | ---D | C]
CSC -> C:\WINDOWS\CSC -> [2010/03/16 08:35:00 | 000,000,000 | -HSD | C]
Apple Computer -> C:\Documents and Settings\NetworkService\Application Data\Apple Computer -> [2010/03/15 09:07:56 | 000,000,000 | ---D | M]
Sun -> C:\Documents and Settings\NetworkService\Application Data\Sun -> [2010/03/14 13:28:48 | 000,000,000 | ---D | M]
Macromedia -> C:\Documents and Settings\NetworkService\Application Data\Macromedia -> [2010/03/14 10:45:16 | 000,000,000 | ---D | M]
Adobe -> C:\Documents and Settings\NetworkService\Application Data\Adobe -> [2010/03/14 10:45:03 | 000,000,000 | ---D | M]
SupportSoft -> C:\Documents and Settings\Greg Taal\Local Settings\Application Data\SupportSoft -> [2010/03/09 17:21:02 | 000,000,000 | ---D | C]
ComcastUI -> C:\Program Files\ComcastUI -> [2010/03/09 17:20:48 | 000,000,000 | ---D | C]
Comcast_Desktop_Software_activation3.exe -> C:\Documents and Settings\Greg Taal\Desktop\Comcast_Desktop_Software_activation3.exe -> [2010/03/09 17:19:31 | 001,378,040 | ---- | C] (Comcast                                                )
Google -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google -> [2010/01/11 22:44:50 | 000,000,000 | ---D | M]
Google -> C:\Documents and Settings\LocalService\Local Settings\Application Data\Google -> [2009/12/21 16:07:57 | 000,000,000 | ---D | M]
Apple -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple -> [2007/11/17 20:11:01 | 000,000,000 | ---D | M]
Microsoft -> C:\Documents and Settings\LocalService\Application Data\Microsoft -> [2007/04/22 12:37:08 | 000,000,000 | --SD | M]
Symantec -> C:\Documents and Settings\NetworkService\Application Data\Symantec -> [2005/02/13 18:44:25 | 000,000,000 | ---D | M]
Microsoft -> C:\Documents and Settings\NetworkService\Application Data\Microsoft -> [2005/02/12 22:45:20 | 000,000,000 | --SD | M]
Microsoft -> C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft -> [2004/11/07 23:34:57 | 000,000,000 | ---D | M]
Microsoft -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft -> [2004/08/09 05:44:24 | 000,000,000 | ---D | M]
2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->

[Files/Folders - Modified Within 30 Days]
OTS.exe -> C:\Documents and Settings\Greg Taal\Desktop\OTS.exe -> [2010/03/28 22:48:28 | 000,637,440 | ---- | M] (OldTimer Tools)
ResetTeaTimer.zip -> C:\Documents and Settings\Greg Taal\Desktop\ResetTeaTimer.zip -> [2010/03/28 22:47:30 | 000,000,668 | ---- | M] ()
Ad-Aware Update (Weekly).job -> C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job -> [2010/03/28 22:45:18 | 000,000,472 | ---- | M] ()
wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2010/03/28 22:43:33 | 000,002,148 | ---- | M] ()
GoogleUpdateTaskMachineCore.job -> C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job -> [2010/03/28 22:42:48 | 000,000,892 | ---- | M] ()
SA.DAT -> C:\WINDOWS\tasks\SA.DAT -> [2010/03/28 22:42:46 | 000,000,006 | -H-- | M] ()
BOOTSTAT.DAT -> C:\WINDOWS\BOOTSTAT.DAT -> [2010/03/28 22:42:39 | 000,002,048 | --S- | M] ()
hiberfil.sys -> C:\hiberfil.sys -> [2010/03/28 22:42:38 | 1071,812,608 | -HS- | M] ()
ntuser.dat -> C:\Documents and Settings\Greg Taal\ntuser.dat -> [2010/03/28 22:41:30 | 007,602,176 | ---- | M] ()
NTUSER.INI -> C:\Documents and Settings\Greg Taal\NTUSER.INI -> [2010/03/28 22:41:30 | 000,000,278 | -HS- | M] ()
config.nt -> C:\WINDOWS\System32\config.nt -> [2010/03/28 22:18:26 | 000,000,000 | ---- | M] ()
WebReg 20040928213628.job -> C:\WINDOWS\tasks\WebReg 20040928213628.job -> [2010/03/28 21:36:00 | 000,000,472 | ---- | M] ()
GoogleUpdateTaskMachineUA.job -> C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job -> [2010/03/28 21:28:00 | 000,000,896 | ---- | M] ()
FRU Task #Hewlett-Packard#hp officejet 6100 series#1096428575.job -> C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1096428575.job -> [2010/03/28 20:30:00 | 000,000,414 | ---- | M] ()
hitmanpro35.sys -> C:\WINDOWS\System32\drivers\hitmanpro35.sys -> [2010/03/25 21:26:03 | 000,015,944 | ---- | M] ()
tdsskiller.zip -> C:\Documents and Settings\Greg Taal\Desktop\tdsskiller.zip -> [2010/03/25 21:22:37 | 000,154,469 | ---- | M] ()
HijackThis.msi -> C:\Documents and Settings\Greg Taal\Desktop\HijackThis.msi -> [2010/03/25 07:41:16 | 001,401,344 | ---- | M] ()
AppleSoftwareUpdate.job -> C:\WINDOWS\tasks\AppleSoftwareUpdate.job -> [2010/03/24 07:14:01 | 000,000,284 | ---- | M] ()
hpfr5550.xml -> C:\hpfr5550.xml -> [2010/03/22 22:04:19 | 000,000,494 | ---- | M] ()
bootdelete.exe -> C:\WINDOWS\System32\bootdelete.exe -> [2010/03/22 08:01:34 | 000,012,872 | ---- | M] (SurfRight B.V.)
rkill - RUN THIS AFTER YOU START.pif -> C:\Documents and Settings\Greg Taal\Desktop\rkill - RUN THIS AFTER YOU START.pif -> [2010/03/22 02:14:45 | 000,363,008 | ---- | M] ()
MD5.dll -> C:\Documents and Settings\Greg Taal\MD5.dll -> [2010/03/22 02:02:35 | 000,016,896 | ---- | M] (freaked)
immunize.reg -> C:\Documents and Settings\Greg Taal\immunize.reg -> [2010/03/22 02:02:30 | 001,051,181 | ---- | M] ()
virus-list -> C:\Documents and Settings\Greg Taal\virus-list -> [2010/03/22 02:02:30 | 000,116,003 | ---- | M] ()
reg-list.reg -> C:\Documents and Settings\Greg Taal\reg-list.reg -> [2010/03/22 02:02:30 | 000,088,191 | ---- | M] ()
ToolbarIE.exe -> C:\Documents and Settings\Greg Taal\ToolbarIE.exe -> [2010/03/22 02:02:24 | 001,313,040 | ---- | M] ()
ToolbarFirefox.xpi -> C:\Documents and Settings\Greg Taal\ToolbarFirefox.xpi -> [2010/03/22 02:02:24 | 000,535,881 | ---- | M] ()
Fix UAC.reg -> C:\Documents and Settings\Greg Taal\Fix UAC.reg -> [2010/03/22 02:02:24 | 000,000,346 | ---- | M] ()
IASTOR.SYS -> C:\WINDOWS\System32\drivers\IASTOR.SYS -> [2010/03/22 00:28:33 | 000,467,200 | ---- | M] (Intel Corporation)
Mozilla Firefox.lnk -> C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk -> [2010/03/20 12:27:00 | 000,001,602 | ---- | M] ()
hosts -> C:\WINDOWS\System32\drivers\ETC\hosts -> [2010/03/20 12:22:40 | 000,222,566 | R--- | M] ()
hosts.20100320-122240.backup -> C:\WINDOWS\System32\drivers\ETC\hosts.20100320-122240.backup -> [2010/03/20 12:22:39 | 000,222,768 | R--- | M] ()
Spybot - Search & Destroy.lnk -> C:\Documents and Settings\Greg Taal\Desktop\Spybot - Search & Destroy.lnk -> [2010/03/20 02:04:16 | 000,000,933 | ---- | M] ()
setup-spybotsd162.exe -> C:\Documents and Settings\Greg Taal\Desktop\setup-spybotsd162.exe -> [2010/03/20 01:57:40 | 016,409,960 | ---- | M] (Safer Networking Limited                                    )
SBREDrv.sys -> C:\WINDOWS\System32\drivers\SBREDrv.sys -> [2010/03/19 23:57:32 | 000,095,024 | ---- | M] (Sunbelt Software)
lsdelete.exe -> C:\WINDOWS\System32\lsdelete.exe -> [2010/03/19 23:57:29 | 000,015,880 | ---- | M] ()
Ad-AwareInstaller(2).exe -> C:\Documents and Settings\Greg Taal\Desktop\Ad-AwareInstaller(2).exe -> [2010/03/19 23:51:55 | 097,364,760 | ---- | M] (Lavasoft                                                                                                                                                                                                                                                                                                    )
Ad-Aware.lnk -> C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk -> [2010/03/19 23:51:50 | 000,000,867 | ---- | M] ()
Ad-AwareInstaller.exe -> C:\Documents and Settings\Greg Taal\Desktop\Ad-AwareInstaller.exe -> [2010/03/19 23:37:08 | 097,364,760 | ---- | M] (Lavasoft                                                                                                                                                                                                                                                                                                    )
hosts.20100320-122239.backup -> C:\WINDOWS\System32\drivers\ETC\hosts.20100320-122239.backup -> [2010/03/19 20:05:14 | 000,223,166 | RHS- | M] ()
IconCache.db -> C:\Documents and Settings\Greg Taal\Local Settings\Application Data\IconCache.db -> [2010/03/18 23:13:00 | 003,184,656 | -H-- | M] ()
d3d9caps.dat -> C:\WINDOWS\System32\d3d9caps.dat -> [2010/03/18 21:35:47 | 000,000,664 | ---- | M] ()
QTFont.qfn -> C:\WINDOWS\QTFont.qfn -> [2010/03/18 21:34:02 | 000,054,156 | -H-- | M] ()
QTFont.for -> C:\WINDOWS\QTFont.for -> [2010/03/18 21:34:02 | 000,001,409 | ---- | M] ()
iTunes.lnk -> C:\Documents and Settings\All Users\Desktop\iTunes.lnk -> [2010/03/09 19:23:34 | 000,002,137 | ---- | M] ()
Comcast Email.url -> C:\Documents and Settings\Greg Taal\Desktop\Comcast Email.url -> [2010/03/09 17:21:03 | 000,000,244 | ---- | M] ()
Comcast Security.url -> C:\Documents and Settings\Greg Taal\Desktop\Comcast Security.url -> [2010/03/09 17:21:03 | 000,000,238 | ---- | M] ()
Comcast_Desktop_Software_activation3.exe -> C:\Documents and Settings\Greg Taal\Desktop\Comcast_Desktop_Software_activation3.exe -> [2010/03/09 17:19:31 | 001,378,040 | ---- | M] (Comcast                                                )
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\Greg Taal\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2010/03/09 01:37:56 | 000,034,816 | ---- | M] ()
2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
1 C:\Documents and Settings\Greg Taal\Local Settings\Temp\is-PVJ66.tmp\_isetup\*.tmp files -> C:\Documents and Settings\Greg Taal\Local Settings\Temp\is-PVJ66.tmp\_isetup\*.tmp ->

[Files - No Company Name]
ResetTeaTimer.zip -> C:\Documents and Settings\Greg Taal\Desktop\ResetTeaTimer.zip -> [2010/03/28 22:47:21 | 000,000,668 | ---- | C] ()
config.nt -> C:\WINDOWS\System32\config.nt -> [2010/03/28 22:18:26 | 000,000,000 | ---- | C] ()
lsdelete.exe -> C:\WINDOWS\System32\lsdelete.exe -> [2010/03/26 22:12:27 | 000,015,880 | ---- | C] ()
tdsskiller.zip -> C:\Documents and Settings\Greg Taal\Desktop\tdsskiller.zip -> [2010/03/25 21:22:37 | 000,154,469 | ---- | C] ()
HijackThis.msi -> C:\Documents and Settings\Greg Taal\Desktop\HijackThis.msi -> [2010/03/25 07:41:14 | 001,401,344 | ---- | C] ()
rkill - RUN THIS AFTER YOU START.pif -> C:\Documents and Settings\Greg Taal\Desktop\rkill - RUN THIS AFTER YOU START.pif -> [2010/03/22 02:14:44 | 000,363,008 | ---- | C] ()
immunize.reg -> C:\Documents and Settings\Greg Taal\immunize.reg -> [2010/03/22 02:02:30 | 001,051,181 | ---- | C] ()
virus-list -> C:\Documents and Settings\Greg Taal\virus-list -> [2010/03/22 02:02:30 | 000,116,003 | ---- | C] ()
reg-list.reg -> C:\Documents and Settings\Greg Taal\reg-list.reg -> [2010/03/22 02:02:30 | 000,088,191 | ---- | C] ()
ToolbarIE.exe -> C:\Documents and Settings\Greg Taal\ToolbarIE.exe -> [2010/03/22 02:02:24 | 001,313,040 | ---- | C] ()
ToolbarFirefox.xpi -> C:\Documents and Settings\Greg Taal\ToolbarFirefox.xpi -> [2010/03/22 02:02:24 | 000,535,881 | ---- | C] ()
Fix UAC.reg -> C:\Documents and Settings\Greg Taal\Fix UAC.reg -> [2010/03/22 02:02:24 | 000,000,346 | ---- | C] ()
wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2010/03/22 01:47:39 | 000,002,148 | ---- | C] ()
hitmanpro35.sys -> C:\WINDOWS\System32\drivers\hitmanpro35.sys -> [2010/03/22 00:18:19 | 000,015,944 | ---- | C] ()
Mozilla Firefox.lnk -> C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk -> [2010/03/20 12:27:00 | 000,001,602 | ---- | C] ()
Ad-Aware Update (Weekly).job -> C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job -> [2010/03/19 23:58:44 | 000,000,472 | ---- | C] ()
Ad-Aware.lnk -> C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk -> [2010/03/19 23:51:50 | 000,000,867 | ---- | C] ()
hiberfil.sys -> C:\hiberfil.sys -> [2010/03/19 13:25:35 | 1071,812,608 | -HS- | C] ()
d3d9caps.dat -> C:\WINDOWS\System32\d3d9caps.dat -> [2010/03/18 21:35:47 | 000,000,664 | ---- | C] ()
QTFont.qfn -> C:\WINDOWS\QTFont.qfn -> [2010/03/18 21:34:02 | 000,054,156 | -H-- | C] ()
QTFont.for -> C:\WINDOWS\QTFont.for -> [2010/03/18 21:34:02 | 000,001,409 | ---- | C] ()
ntuser.dat -> C:\Documents and Settings\Greg Taal\ntuser.dat -> [2010/03/11 04:04:06 | 007,602,176 | ---- | C] ()
Comcast Security.url -> C:\Documents and Settings\Greg Taal\Desktop\Comcast Security.url -> [2010/03/09 17:21:03 | 000,000,238 | ---- | C] ()
Comcast Email.url -> C:\Documents and Settings\Greg Taal\Desktop\Comcast Email.url -> [2010/03/09 17:21:02 | 000,000,244 | ---- | C] ()
xvidcore.dll -> C:\WINDOWS\System32\xvidcore.dll -> [2008/11/10 01:39:54 | 000,765,952 | ---- | C] ()
xvidvfw.dll -> C:\WINDOWS\System32\xvidvfw.dll -> [2008/11/10 01:39:54 | 000,180,224 | ---- | C] ()
Mwsblk07.dll -> C:\WINDOWS\System32\Mwsblk07.dll -> [2007/06/03 17:10:30 | 000,029,696 | ---- | C] ()
Decompnt.dll -> C:\WINDOWS\System32\Decompnt.dll -> [2007/06/03 17:10:29 | 000,355,840 | R--- | C] ()
Efile.dll -> C:\WINDOWS\System32\Efile.dll -> [2007/06/03 17:10:29 | 000,000,266 | ---- | C] ()
BASSMOD.dll -> C:\WINDOWS\System32\BASSMOD.dll -> [2007/06/01 09:27:32 | 000,014,848 | ---- | C] ()
saplogon.ini -> C:\WINDOWS\saplogon.ini -> [2006/06/05 23:23:33 | 000,000,034 | ---- | C] ()
nlsxdsgn.dll -> C:\WINDOWS\System32\nlsxdsgn.dll -> [2006/06/05 21:46:22 | 000,081,920 | ---- | C] ()
lcppn201.dll -> C:\WINDOWS\System32\lcppn201.dll -> [2006/06/05 21:46:21 | 003,203,072 | ---- | C] ()
h5krnl32.dll -> C:\WINDOWS\System32\h5krnl32.dll -> [2006/06/05 20:47:45 | 001,064,960 | ---- | C] ()
h5icon32.dll -> C:\WINDOWS\System32\h5icon32.dll -> [2006/06/05 20:47:45 | 000,188,928 | ---- | C] ()
h5menu32.dll -> C:\WINDOWS\System32\h5menu32.dll -> [2006/06/05 20:47:45 | 000,175,616 | ---- | C] ()
h5rtf32.dll -> C:\WINDOWS\System32\h5rtf32.dll -> [2006/06/05 20:47:45 | 000,095,744 | ---- | C] ()
h5tool32.dll -> C:\WINDOWS\System32\h5tool32.dll -> [2006/06/05 20:47:45 | 000,051,200 | ---- | C] ()
vtssm32.dll -> C:\WINDOWS\System32\vtssm32.dll -> [2006/06/05 20:45:34 | 000,015,872 | ---- | C] ()
ssmute.ini -> C:\WINDOWS\System32\ssmute.ini -> [2005/06/23 16:15:53 | 000,002,158 | ---- | C] ()
bqformat.ini -> C:\WINDOWS\bqformat.ini -> [2005/02/20 16:40:37 | 000,028,139 | ---- | C] ()
bqmeta0.ini -> C:\WINDOWS\bqmeta0.ini -> [2005/02/20 16:40:37 | 000,021,771 | ---- | C] ()
brioqry6.ini -> C:\WINDOWS\brioqry6.ini -> [2005/02/20 13:38:41 | 000,006,743 | ---- | C] ()
hpqEmlsz.INI -> C:\WINDOWS\hpqEmlsz.INI -> [2004/11/21 10:35:10 | 000,000,000 | ---- | C] ()
univcomm.ini -> C:\WINDOWS\univcomm.ini -> [2004/11/04 23:27:47 | 000,000,027 | ---- | C] ()
msoffice.ini -> C:\WINDOWS\msoffice.ini -> [2004/10/10 07:51:43 | 000,000,002 | ---- | C] ()
cdPlayer.ini -> C:\WINDOWS\cdPlayer.ini -> [2004/10/09 12:21:07 | 000,005,373 | ---- | C] ()
CSGina.dll -> C:\WINDOWS\System32\CSGina.dll -> [2004/10/09 08:27:52 | 000,122,944 | ---- | C] ()
smscfg.ini -> C:\WINDOWS\smscfg.ini -> [2004/08/09 06:30:38 | 000,000,061 | ---- | C] ()
ODBC.INI -> C:\WINDOWS\ODBC.INI -> [2004/08/09 06:20:02 | 000,000,376 | ---- | C] ()
wininit.ini -> C:\WINDOWS\wininit.ini -> [2004/08/09 06:15:04 | 000,000,138 | ---- | C] ()
AC3API.INI -> C:\WINDOWS\AC3API.INI -> [2004/08/09 06:13:16 | 000,000,231 | ---- | C] ()
P17.dll -> C:\WINDOWS\System32\P17.dll -> [2004/08/09 06:13:10 | 000,060,928 | ---- | C] ()
P17CPI.dll -> C:\WINDOWS\System32\P17CPI.dll -> [2004/08/09 06:13:10 | 000,053,248 | ---- | C] ()
LudaP17.ini -> C:\WINDOWS\System32\LudaP17.ini -> [2004/08/09 06:13:10 | 000,003,278 | ---- | C] ()
ctzapxx.ini -> C:\WINDOWS\System32\ctzapxx.ini -> [2004/08/09 06:13:10 | 000,000,029 | ---- | C] ()
SBWIN.INI -> C:\WINDOWS\SBWIN.INI -> [2004/08/09 06:13:05 | 000,000,072 | ---- | C] ()
psisdecd.dll -> C:\WINDOWS\System32\psisdecd.dll -> [2004/08/09 06:00:52 | 000,363,520 | ---- | C] ()
OEMINFO.INI -> C:\WINDOWS\System32\OEMINFO.INI -> [2004/08/09 05:46:12 | 000,000,547 | ---- | C] ()
px.ini -> C:\WINDOWS\System32\px.ini -> [2004/03/26 14:59:22 | 000,000,000 | ---- | C] ()
ORUN32.INI -> C:\WINDOWS\ORUN32.INI -> [2004/03/20 11:21:34 | 000,000,791 | ---- | C] ()
FXSPERF.INI -> C:\WINDOWS\System32\FXSPERF.INI -> [2004/03/19 15:37:28 | 000,001,793 | ---- | C] ()
4482842.sys -> C:\WINDOWS\System32\drivers\4482842.sys -> [2003/05/01 09:56:12 | 000,752,768 | ---- | C] ()
hpotscl.dll -> C:\WINDOWS\System32\hpotscl.dll -> [2003/03/08 21:31:04 | 000,561,152 | ---- | C] ()
OUTLPERF.INI -> C:\WINDOWS\System32\OUTLPERF.INI -> [2003/01/07 13:05:08 | 000,002,695 | ---- | C] ()
apndya00.dll -> C:\WINDOWS\System32\apndya00.dll -> [2002/01/22 15:18:00 | 000,077,824 | ---- | C] ()
oraodbc.ini -> C:\WINDOWS\oraodbc.ini -> [1999/07/30 09:24:34 | 000,000,218 | ---- | C] ()
MSRTEDIT.DLL -> C:\WINDOWS\System32\MSRTEDIT.DLL -> [1999/01/22 19:46:58 | 000,065,536 | ---- | C] ()
ati2evxx.dll -> C:\WINDOWS\System32\ati2evxx.dll -> [1979/12/31 22:00:00 | 000,086,016 | ---- | C] ()

[File - Lop Check]
23c8bad -> C:\Documents and Settings\All Users\Application Data\23c8bad -> [2010/03/19 23:19:02 | 000,000,000 | -HSD | M]
Alwil Software -> C:\Documents and Settings\All Users\Application Data\Alwil Software -> [2010/03/21 17:50:19 | 000,000,000 | ---D | M]
Azureus -> C:\Documents and Settings\All Users\Application Data\Azureus -> [2007/05/31 01:46:23 | 000,000,000 | ---D | M]
Citrix -> C:\Documents and Settings\All Users\Application Data\Citrix -> [2010/01/27 02:21:20 | 000,000,000 | ---D | M]
Hitman Pro -> C:\Documents and Settings\All Users\Application Data\Hitman Pro -> [2010/03/22 00:22:42 | 000,000,000 | ---D | M]
MSScanAppDataDir -> C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir -> [2005/01/17 23:18:21 | 000,000,000 | ---D | M]
Napster -> C:\Documents and Settings\All Users\Application Data\Napster -> [2008/01/06 12:19:55 | 000,000,000 | ---D | M]
SGNND -> C:\Documents and Settings\All Users\Application Data\SGNND -> [2010/03/19 20:04:25 | 000,000,000 | -HSD | M]
TEMP -> C:\Documents and Settings\All Users\Application Data\TEMP -> [2010/03/28 22:21:17 | 000,000,000 | ---D | M]
Viewpoint -> C:\Documents and Settings\All Users\Application Data\Viewpoint -> [2007/06/12 19:13:11 | 000,000,000 | ---D | M]
{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6} -> C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6} -> [2010/03/19 23:51:59 | 000,000,000 | -H-D | M]
Azureus -> C:\Documents and Settings\Greg Taal\Application Data\Azureus -> [2010/03/20 01:35:25 | 000,000,000 | ---D | M]
Flickr -> C:\Documents and Settings\Greg Taal\Application Data\Flickr -> [2009/09/22 23:51:20 | 000,000,000 | ---D | M]
ICAClient -> C:\Documents and Settings\Greg Taal\Application Data\ICAClient -> [2010/01/27 03:00:39 | 000,000,000 | ---D | M]
Leadertech -> C:\Documents and Settings\Greg Taal\Application Data\Leadertech -> [2004/12/26 12:54:01 | 000,000,000 | ---D | M]
Uniblue -> C:\Documents and Settings\Greg Taal\Application Data\Uniblue -> [2008/10/28 10:37:23 | 000,000,000 | ---D | M]
Viewpoint -> C:\Documents and Settings\Greg Taal\Application Data\Viewpoint -> [2007/06/12 19:13:12 | 000,000,000 | ---D | M]
Ad-Aware Update (Weekly).job -> C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job -> [2010/03/28 22:45:18 | 000,000,472 | ---- | M] ()
FRU Task #Hewlett-Packard#hp officejet 6100 series#1096428575.job -> C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1096428575.job -> [2010/03/28 20:30:00 | 000,000,414 | ---- | M] ()
ISP signup reminder 1.job -> C:\WINDOWS\Tasks\ISP signup reminder 1.job -> [2004/09/29 23:45:00 | 000,000,258 | ---- | M] ()

[File - Purity Scan]

[Custom Scans]
< netsvcs >
<             %SYSTEMDRIVE%\*.exe >
StubInstaller.exe -> C:\StubInstaller.exe -> [2005/10/31 08:56:00 | 000,700,416 | ---- | M] (LimeWire)
<             %SYSTEMDRIVE%\*.* >
2007LWRInstructors&TAs.doc -> C:\2007LWRInstructors&TAs.doc -> [2007/08/14 20:53:17 | 000,122,880 | ---- | M] ()
aaw7boot.log -> C:\aaw7boot.log -> [2010/03/28 22:42:35 | 000,002,576 | ---- | M] ()
AUTOEXEC.BAT -> C:\AUTOEXEC.BAT -> [2004/03/20 10:58:32 | 000,000,000 | ---- | M] ()
BOOT.INI -> C:\BOOT.INI -> [2008/11/10 22:35:58 | 000,000,211 | RHS- | M] ()
CONFIG.SYS -> C:\CONFIG.SYS -> [2004/03/20 10:58:32 | 000,000,000 | ---- | M] ()
DELL.SDR -> C:\DELL.SDR -> [2004/08/09 05:51:56 | 000,005,972 | RH-- | M] ()
hiberfil.sys -> C:\hiberfil.sys -> [2010/03/28 22:42:38 | 1071,812,608 | -HS- | M] ()
hpfr5550.xml -> C:\hpfr5550.xml -> [2010/03/22 22:04:19 | 000,000,494 | ---- | M] ()
hpothb07.dat -> C:\hpothb07.dat -> [2005/11/26 23:40:30 | 000,000,532 | -H-- | M] ()
hpothb07.tif -> C:\hpothb07.tif -> [2005/11/26 23:40:30 | 000,000,999 | -H-- | M] ()
IO.SYS -> C:\IO.SYS -> [2004/03/20 10:58:32 | 000,000,000 | -H-- | M] ()
MSDOS.SYS -> C:\MSDOS.SYS -> [2004/03/20 10:58:32 | 000,000,000 | -H-- | M] ()
NTDETECT.COM -> C:\NTDETECT.COM -> [2004/10/07 19:11:24 | 000,047,564 | RHS- | M] ()
NTLDR -> C:\NTLDR -> [2008/11/16 21:43:35 | 000,250,048 | RHS- | M] ()
pagefile.sys -> C:\pagefile.sys -> [2010/03/28 22:42:35 | 3145,728,000 | -HS- | M] ()
rkill.log -> C:\rkill.log -> [2010/03/25 07:41:58 | 000,000,558 | ---- | M] ()
StubInstaller.exe -> C:\StubInstaller.exe -> [2005/10/31 08:56:00 | 000,700,416 | ---- | M] (LimeWire)
SystemInfo.ini -> C:\SystemInfo.ini -> [2004/08/09 06:16:12 | 000,000,087 | ---- | M] ()
TDSSKiller.2.2.8.1_25.03.2010_21.19.47_log.txt -> C:\TDSSKiller.2.2.8.1_25.03.2010_21.19.47_log.txt -> [2010/03/25 21:19:49 | 000,015,706 | ---- | M] ()
TDSSKiller.2.2.8.1_25.03.2010_21.20.37_log.txt -> C:\TDSSKiller.2.2.8.1_25.03.2010_21.20.37_log.txt -> [2010/03/25 21:20:38 | 000,015,706 | ---- | M] ()
TDSSKiller.2.2.8.1_25.03.2010_21.21.37_log.txt -> C:\TDSSKiller.2.2.8.1_25.03.2010_21.21.37_log.txt -> [2010/03/25 21:21:38 | 000,015,706 | ---- | M] ()
TDSSKiller.2.2.8.1_25.03.2010_21.28.25_log.txt -> C:\TDSSKiller.2.2.8.1_25.03.2010_21.28.25_log.txt -> [2010/03/25 21:28:27 | 000,015,706 | ---- | M] ()
updatedatfix.log -> C:\updatedatfix.log -> [2008/11/17 22:20:04 | 000,000,620 | ---- | M] ()
wizard.txt -> C:\wizard.txt -> [2006/09/02 17:06:31 | 000,000,002 | ---- | M] ()
<             %ProgramFiles%\Movie Maker\*.dll >
wmm2ae.dll -> C:\Program Files\Movie Maker\wmm2ae.dll -> [2008/04/13 17:12:09 | 000,167,936 | ---- | M] (Microsoft Corporation)
wmm2eres.dll -> C:\Program Files\Movie Maker\wmm2eres.dll -> [2008/04/13 17:12:09 | 000,004,096 | ---- | M] (Microsoft Corporation)
wmm2ext.dll -> C:\Program Files\Movie Maker\wmm2ext.dll -> [2008/04/13 17:12:09 | 000,007,680 | ---- | M] (Microsoft Corporation)
wmm2filt.dll -> C:\Program Files\Movie Maker\wmm2filt.dll -> [2008/04/13 17:12:09 | 000,402,432 | ---- | M] (Microsoft Corporation)
wmm2fxa.dll -> C:\Program Files\Movie Maker\wmm2fxa.dll -> [2008/04/13 17:12:09 | 000,502,272 | ---- | M] (Microsoft Corporation)
wmm2fxb.dll -> C:\Program Files\Movie Maker\wmm2fxb.dll -> [2008/04/13 17:12:09 | 000,325,632 | ---- | M] (Microsoft Corporation)
wmm2res.dll -> C:\Program Files\Movie Maker\wmm2res.dll -> [2008/04/13 17:12:09 | 004,256,768 | ---- | M] (Microsoft Corporation)
wmm2res2.dll -> C:\Program Files\Movie Maker\wmm2res2.dll -> [2008/04/13 17:12:09 | 000,005,632 | ---- | M] (Microsoft Corporation)
WMMFILT.DLL -> C:\Program Files\Movie Maker\WMMFILT.DLL -> [2004/03/19 15:44:56 | 000,110,648 | ---- | M] (Microsoft Corporation)
WMMRES.DLL -> C:\Program Files\Movie Maker\WMMRES.DLL -> [2004/03/19 15:44:56 | 000,319,542 | ---- | M] (Microsoft Corporation)
WMMUTIL.DLL -> C:\Program Files\Movie Maker\WMMUTIL.DLL -> [2004/03/19 15:44:56 | 000,163,897 | ---- | M] (Microsoft Corporation)
Invalid Environment Variable: ALLUSERSAPPDATA
<             %SYSTEMROOT%\*.tmp >
2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
<             %PROGRAMFILES%\Internet Explorer\*.dll >
hmmapi.dll -> C:\Program Files\Internet Explorer\hmmapi.dll -> [2008/04/13 17:11:54 | 000,038,912 | ---- | M] (Microsoft Corporation)
Invalid Environment Variable: DriveLetter
<             %systemroot%\system32\*.dll /lockedfiles >
2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp ->
< MD5 Scans Start>
< %systemdrive%\AGP440.SYS  /md5 /s >
AGP440.sys : .cab file  -> C:\WINDOWS\Driver Cache\I386\sp2.cab:AGP440.sys -> [2004/10/07 19:08:46 | 022,245,337 | ---- | M] ()
AGP440.sys : .cab file  -> C:\WINDOWS\Driver Cache\I386\sp3.cab:AGP440.sys -> [2008/11/16 21:39:50 | 023,852,652 | ---- | M] ()
AGP440.sys : .cab file  -> C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys -> [2004/10/07 19:08:46 | 022,245,337 | ---- | M] ()
AGP440.sys : .cab file  -> C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys -> [2008/11/16 21:39:50 | 023,852,652 | ---- | M] ()
agp440.sys : MD5=08FD04AA961BDC77FB983F328334E3D7 -> C:\WINDOWS\ServicePackFiles\i386\agp440.sys -> [2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation)
agp440.sys : MD5=08FD04AA961BDC77FB983F328334E3D7 -> C:\WINDOWS\SYSTEM32\DRIVERS\agp440.sys -> [2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation)
agp440.sys : MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -> C:\WINDOWS\$NtServicePackUninstall$\agp440.sys -> [2004/08/03 23:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation)
AGP440.SYS : MD5=65880045C51AA36184841CEE915A61DF -> C:\I386\AGP440.SYS -> [2001/08/17 11:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation)
< %systemdrive%\ATAPI.SYS  /md5 /s >
atapi.sys : .cab file  -> C:\I386\sp1.cab:atapi.sys -> [2004/03/19 15:43:04 | 010,158,890 | ---- | M] ()
atapi.sys : .cab file  -> C:\WINDOWS\Driver Cache\I386\sp1.cab:atapi.sys -> [2004/03/19 15:43:04 | 010,158,890 | ---- | M] ()
atapi.sys : .cab file  -> C:\WINDOWS\Driver Cache\I386\sp2.cab:atapi.sys -> [2004/10/07 19:08:46 | 022,245,337 | ---- | M] ()
atapi.sys : .cab file  -> C:\WINDOWS\Driver Cache\I386\sp3.cab:atapi.sys -> [2008/11/16 21:39:50 | 023,852,652 | ---- | M] ()
atapi.sys : .cab file  -> C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys -> [2004/10/07 19:08:46 | 022,245,337 | ---- | M] ()
atapi.sys : .cab file  -> C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys -> [2008/11/16 21:39:50 | 023,852,652 | ---- | M] ()
ATAPI.SYS : MD5=95B858761A00E1D4F81F79A0DA019ACA -> C:\WINDOWS\$NtUninstallQ331060$\ATAPI.SYS -> [2004/03/19 15:43:04 | 000,086,912 | ---- | M] (Microsoft Corporation)
atapi.sys : MD5=95B858761A00E1D4F81F79A0DA019ACA -> C:\WINDOWS\SYSTEM32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys -> [2002/08/28 23:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation)
atapi.sys : MD5=9F3A2F5AA6875C72BF062C712CFA2674 -> C:\WINDOWS\ServicePackFiles\i386\atapi.sys -> [2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation)
atapi.sys : MD5=9F3A2F5AA6875C72BF062C712CFA2674 -> C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys -> [2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation)
atapi.sys : MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -> C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -> [2004/08/03 22:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation)
atapi.sys : MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -> C:\I386\atapi.sys -> [2003/04/23 07:29:54 | 000,087,296 | ---- | M] (Microsoft Corporation)
< %systemdrive%\EVENTLOG.DLL  /md5 /s >
eventlog.dll : MD5=6D4FEB43EE538FC5428CC7F0565AA656 -> C:\WINDOWS\ServicePackFiles\i386\eventlog.dll -> [2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation)
eventlog.dll : MD5=6D4FEB43EE538FC5428CC7F0565AA656 -> C:\WINDOWS\SYSTEM32\eventlog.dll -> [2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation)
eventlog.dll : MD5=82B24CB70E5944E6E34662205A2A5B78 -> C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -> [2004/08/04 00:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation)
EVENTLOG.DLL : MD5=BF3C8CF53C77B48206B39910B6D6CBCC -> C:\I386\EVENTLOG.DLL -> [2004/03/19 15:37:08 | 000,049,152 | ---- | M] (Microsoft Corporation)
< %systemdrive%\IASTOR.SYS  /md5 /s >
IASTOR.SYS : MD5=F26BFD48B1C314E0F23BF77ACFA75940 -> C:\DRIVERS\STORAGE\SATA\ONBOARD\IASTOR.SYS -> [2004/03/23 10:13:58 | 000,467,200 | ---- | M] (Intel Corporation)
IASTOR.SYS : MD5=F26BFD48B1C314E0F23BF77ACFA75940 -> C:\I386\IASTOR.SYS -> [2004/03/23 10:13:58 | 000,467,200 | ---- | M] (Intel Corporation)
IASTOR.SYS : MD5=F26BFD48B1C314E0F23BF77ACFA75940 -> C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS -> [2010/03/22 00:28:33 | 000,467,200 | ---- | M] (Intel Corporation)
< %systemdrive%\NETLOGON.DLL  /md5 /s >
netlogon.dll : MD5=1B7F071C51B77C272875C3A23E1E4550 -> C:\WINDOWS\ServicePackFiles\i386\netlogon.dll -> [2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation)
netlogon.dll : MD5=1B7F071C51B77C272875C3A23E1E4550 -> C:\WINDOWS\SYSTEM32\netlogon.dll -> [2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation)
NETLOGON.DLL : MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -> C:\I386\NETLOGON.DLL -> [2004/03/19 15:40:30 | 000,399,360 | ---- | M] (Microsoft Corporation)
netlogon.dll : MD5=96353FCECBA774BB8DA74A1C6507015A -> C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -> [2004/08/04 00:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation)
< %systemdrive%\SCECLI.DLL  /md5 /s >
scecli.dll : MD5=0F78E27F563F2AAF74B91A49E2ABF19A -> C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -> [2004/08/04 00:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation)
SCECLI.DLL : MD5=97418A5C642A5C748A28BD7CF6860B57 -> C:\I386\SCECLI.DLL -> [2004/03/19 15:42:24 | 000,174,592 | ---- | M] (Microsoft Corporation)
scecli.dll : MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -> C:\WINDOWS\ServicePackFiles\i386\scecli.dll -> [2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation)
scecli.dll : MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -> C:\WINDOWS\SYSTEM32\scecli.dll -> [2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation)
< MD5 Scans End>
<             %systemroot%\*. /mp /s >
<             %systemroot%\system32\*.dll /lockedfiles >
2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp ->
<             %systemroot%\Tasks\*.job /lockedfiles >
<             c:\$recycle.bin\*.* /s >
Restore point Set: OTS Restore Point (0)

[Alternate Data Streams]
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 88 bytes -> C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe:SummaryInformation
< End of report >
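The MD5 Scans section above is what the responder compares by eye: each file's live copy against its backup copies. As an added example (not OTS's own code and not posted in this thread), the parser below rebuilds that comparison from the log text; its sample input copies the atapi.sys and IASTOR.SYS lines above and adds a constructed example.sys with placeholder hashes to show the mismatch case.

```python
"""
Consistency check over the "MD5 Scans" section of an OTS log (added example;
not OTS's own code or anything posted in the thread).

OTS hashes a few boot-critical files (atapi.sys, agp440.sys, ...) in every
location it finds them. The live copy under SYSTEM32 should carry the same
MD5 as one of the backup copies (ServicePackFiles, $NtServicePackUninstall$,
I386). A live copy whose hash appears nowhere else is a lead, not a verdict:
a post-service-pack hotfix can legitimately change it, so confirm with the
vendor signature before acting on it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<name>\S+) : MD5=(?P<md5>[0-9A-F]{32}) -> (?P<path>.+?) -> "
    r"\[(?P<mtime>[^|]+) \| (?P<size>[^|]+) \| (?P<attrs>[^|]+) \| (?P<flag>[^\]]+)\] "
    r"\((?P<vendor>.*)\)$"
)


@dataclass(frozen=True)
class FileHash:
    name: str    # lower-cased file name, so ATAPI.SYS and atapi.sys group together
    md5: str
    path: str
    size: int
    vendor: str


def parse_md5_scan(text: str) -> List[FileHash]:
    """Parse MD5= lines; '.cab file' and section-header lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            size = int(m["size"].replace(",", ""))
            records.append(FileHash(m["name"].lower(), m["md5"], m["path"], size, m["vendor"]))
    return records


def is_live_copy(path: str) -> bool:
    """The copy Windows loads: under SYSTEM32, excluding driver backups kept there."""
    p = path.lower()
    return "\\windows\\system32\\" in p and "\\reinstallbackups\\" not in p


def check_consistency(records: List[FileHash]) -> Dict[str, str]:
    """Per file name: 'ok', 'mismatch' or 'no-live-copy'."""
    by_name: Dict[str, List[FileHash]] = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)
    verdicts = {}
    for name, copies in by_name.items():
        live = [c for c in copies if is_live_copy(c.path)]
        backup_hashes = {c.md5 for c in copies if not is_live_copy(c.path)}
        if not live:
            verdicts[name] = "no-live-copy"
        elif all(c.md5 in backup_hashes for c in live):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "mismatch"
    return verdicts


# Sample input: atapi.sys and IASTOR.SYS lines copied from the log above, one
# .cab line to show it is ignored, and a constructed "example.sys" whose
# placeholder hashes differ between the live copy and the ServicePackFiles copy.
SAMPLE_LOG = r"""
< %systemdrive%\ATAPI.SYS  /md5 /s >
atapi.sys : .cab file  -> C:\WINDOWS\Driver Cache\I386\sp3.cab:atapi.sys -> [2008/11/16 21:39:50 | 023,852,652 | ---- | M] ()
ATAPI.SYS : MD5=95B858761A00E1D4F81F79A0DA019ACA -> C:\WINDOWS\$NtUninstallQ331060$\ATAPI.SYS -> [2004/03/19 15:43:04 | 000,086,912 | ---- | M] (Microsoft Corporation)
atapi.sys : MD5=95B858761A00E1D4F81F79A0DA019ACA -> C:\WINDOWS\SYSTEM32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys -> [2002/08/28 23:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation)
atapi.sys : MD5=9F3A2F5AA6875C72BF062C712CFA2674 -> C:\WINDOWS\ServicePackFiles\i386\atapi.sys -> [2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation)
atapi.sys : MD5=9F3A2F5AA6875C72BF062C712CFA2674 -> C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys -> [2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation)
IASTOR.SYS : MD5=F26BFD48B1C314E0F23BF77ACFA75940 -> C:\I386\IASTOR.SYS -> [2004/03/23 10:13:58 | 000,467,200 | ---- | M] (Intel Corporation)
IASTOR.SYS : MD5=F26BFD48B1C314E0F23BF77ACFA75940 -> C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS -> [2010/03/22 00:28:33 | 000,467,200 | ---- | M] (Intel Corporation)
example.sys : MD5=0123456789ABCDEF0123456789ABCDEF -> C:\WINDOWS\ServicePackFiles\i386\example.sys -> [2008/04/13 11:40:30 | 000,010,000 | ---- | M] (Microsoft Corporation)
example.sys : MD5=FEDCBA9876543210FEDCBA9876543210 -> C:\WINDOWS\SYSTEM32\DRIVERS\example.sys -> [2010/03/22 00:28:33 | 000,010,000 | ---- | M] (Microsoft Corporation)
"""

if __name__ == "__main__":
    for name, verdict in check_consistency(parse_md5_scan(SAMPLE_LOG)).items():
        print(f"{name}: {verdict}")
```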



#6 yoyoyoda (Topic Starter, Members, 9 posts)

Posted 30 March 2010 - 01:27 AM

Sorry for the delay, but I haven't had much luck with the GMER scan. I can't get it to produce a log. I've followed the directions and run the GMER scan 5 times now, and either I come back and it's closed or it freezes during the scan. I noticed that when I downloaded it, the MS-DOS prompt opens and immediately closes, and I cannot see what the prompt says (not sure whether that is normal or not).

Anyway, I still get redirected when I use any search engine on any browser.

#7 Ltangelic (Angel Annihilator of Malware, Members, 348 posts)

Posted 30 March 2010 - 08:46 AM

Hey yoyoyoda,

From your log, you seem to have multiple anti-spyware programs running on your computer. This is not recommended, as multiple protection of the same kind can cause conflicts and reduce the efficiency of the software. Please disable/uninstall one of the following:

Spybot Search and Destroy
Spyware Doctor


Since GMER won't run, we'll try a different rootkit scanning tool. Now let's go on to fixing your computer.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Avast anti-virus and your anti-spyware program) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

2) Run RootRepeal

Download RootRepeal from one of the following locations and save it to your desktop:
  • Double click to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, click the button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post

Next reply (please include in your post):

ComboFix.txt
RootRepeal log (attached)

Bleepingcomputer Malware Response Team


Please do NOT PM anyone with HJT logs, read this and post your logs here.


#8 yoyoyoda (Topic Starter, Members, 9 posts)

Posted 31 March 2010 - 12:18 AM

So, here is the ComboFix log. I downloaded RootRepeal, but when I open it to run it, it shows an error message that says "Error -invalid PE image found!" I then hit Scan and Save to create a log file, so I'm not sure whether it works properly.

I even have a hard time reaching this site to log in and post this (it redirects even when I try to type an address in correctly, and it seems to interfere with downloads sometimes).

Attached Files



#9 yoyoyoda (Topic Starter, Members, 9 posts)

Posted 31 March 2010 - 12:21 AM

Oh, and I shouldn't have conflicting spyware software. I've disabled the TeaTimer from Spybot, and I don't have Spyware Doctor on my computer, so I'm not sure why it shows up on that OTS log. If I go to C:\Program Files\Spyware Doctor\pctsAuxs.exe, it says "cannot find file". I think it was uninstalled a long time ago.


#10 Ltangelic (Angel Annihilator of Malware, Members, 348 posts)

Posted 31 March 2010 - 04:20 AM

Hey yoyoyoda,

No worries about Spybot and Spyware Doctor, as long as you only have one of them active, it's fine.

Looks like we have a hard case here. Let's remove the baddies first.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Avast anti-virus and Spybot) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run CFScript

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
HJT::
O1 - Hosts: 67.212.177.251 www.google.com
O1 - Hosts: 67.212.177.251 google.com
O1 - Hosts: 67.212.177.251 google.com.au

Folder::
C:\kayh
C:\jogagub
C:\Documents and Settings\All Users\Application Data\23c8bad

Dirlook::
c:\documents and settings\All Users\Application Data\SGNND

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Uniblue RegistryBooster 2009"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt.

2) Run Malwarebytes' Anti-Malware
  • Open Malwarebytes by clicking on its shortcut on desktop. Please click on the "Update" tab and click "Check for Updates".
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3) Upload files for analysis

To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and close My Computer.
  • Now your computer is configured to show all hidden files.
NEXT
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • C:\Documents and Settings\Greg Taal\MD5.dll
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
  • Please do the same for the files below:

    c:\documents and settings\Greg Taal\Fix UAC.reg
    c:\documents and settings\Greg Taal\ToolbarIE.exe
    C:\WINDOWS\System32\bootdelete.exe

Next reply (please include in your post):

New OTS.txt (re-run OTS with quick scan)
ComboFix.txt
MBAM scan log
4 Virscan reports

Bleepingcomputer Malware Response Team



#11 yoyoyoda (Topic Starter, Members, 9 posts)

Posted 01 April 2010 - 01:24 AM

Hi LTangelic,

Here are the logs. A couple issues I had:

When I initially tried to run the CFText by dragging it to ComboFix, it kept coming up with an error saying "invalid command" in the MS-DOS prompt. After restarting, however, it finally ran and made a log.

Also, when I tried to upload MD5.dll, it didn't exist at that location. When I searched for it, it turned up at C:\Qoobox\Quarantine\C\Documents and Settings\Greg Taal\MD5.dll.vir (I'm assuming ComboFix put it there). I uploaded the file from there and included that log, but it said "no malware found" for MD5.dll.

Attached Files



#12 Ltangelic (Angel Annihilator of Malware, Members, 348 posts)

Posted 01 April 2010 - 05:22 AM

Hey yoyoyoda,

Let's try removing the entries with another tool then.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Avast anti-virus and Spybot) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run OTM

Please download the OTM by OldTimer.
  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy everything in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    :Folders
    C:\kayh
    C:\jogagub
    C:\Documents and Settings\All Users\Application Data\23c8bad

    :Reg
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Uniblue RegistryBooster 2009"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000000

    :Commands
    [purity]
    [emptytemp]
    [reboot]

  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the "Results" window (under the Green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your computer.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

2) Run AVP tool by Kaspersky

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode.
    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • It will then open a box. There will be a tab that says AutoScan.
  • Under AutoScan make sure these are checked.
  • System Memory
  • Hidden Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


After that, click on Security level, then choose Settings, then click on the tab that says Additional, then choose Deep Scan under Rootkit Scan, then choose OK.
Then choose OK again and you are back to the main screen.
  • Then click on Start Scan at the top right hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be Neutralized, then choose the Delete option when prompted.
  • After that is done, click on the Report button at the bottom and save it to a file; name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware in the report (it will be at the very top under Detected). Post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.


Next reply (please include in your post):

OTM.txt
AVP scan log
Tell me how your computer is running

Bleepingcomputer Malware Response Team



#13 yoyoyoda (Topic Starter, Members, 9 posts)

Posted 02 April 2010 - 10:04 AM

Here are the logs. It looks like it found and removed stuff, but after I restarted and opened Google and searched, it started redirecting again!

Attached Files



#14 Ltangelic (Angel Annihilator of Malware, Members, 348 posts)

Posted 03 April 2010 - 05:18 AM

Hey yoyoyoda,

We'll need to dig deeper.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Avast anti-virus and Spybot) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Re-run OTM
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy everything in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    :Files
    C:\kayh
    C:\jogagub
    C:\Documents and Settings\All Users\Application Data\23c8bad

    :Commands
    [purity]
    [emptytemp]
    [reboot]

  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the "Results" window (under the Green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your computer.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

2) Run TDSSkiller

Please download TDSSKiller.zip and unzip it to your Desktop

Run TDSSKiller and wait until it finishes (should be just a few seconds or below a minute). Then find the log at your %systemdrive% (the drive that contains Windows).

The log shall be named something like this one:

(TDSSKiller.version_date_time_log), for example (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)

3) Reset Hosts File

Please go to the following link and run the file to reset your hosts file:

http://go.microsoft.com/?linkid=9668866

4) Run MBR

Please download MBR.exe to your desktop. Double-click on it and it will produce a log on desktop (mbr.log). Please post the log in your next reply.

Next reply (please include in your post):

Tell me how your computer is doing
TDSSkiller log
MBR.txt

Bleepingcomputer Malware Response Team

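The CFScript in post #10 (the three 67.212.177.251 hosts entries) and the Reset Hosts File step above deal with the same artifact, so one added example serves both: a hosts-file check that is not code from the thread or from Microsoft's reset tool. It parses hosts-file text, reports every mapping to a non-local address, and returns the cleaned text; the sample hosts content is constructed from the stock localhost lines plus the script's three entries.

```python
"""
Hosts-file redirect check (added example; not code from the thread).
A hosts entry that maps a well-known domain to a public address sends every
browser on the machine there before DNS is consulted; the 67.212.177.251
lines in the CFScript are that shape. This parses hosts-file text, reports
every non-local mapping, and returns the cleaned text that the "Reset Hosts
File" step restores.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Brand labels whose redirection is the classic search-hijack symptom. Matching
# a label rather than a full domain also catches ccTLD variants (google.com.au).
WATCHED_LABELS = {"google", "bing", "yahoo", "microsoft", "windowsupdate"}


@dataclass(frozen=True)
class HostsEntry:
    line_no: int
    address: str
    hostname: str


@dataclass(frozen=True)
class Finding:
    entry: HostsEntry
    watched: bool     # hostname contains a watched brand label
    shared_with: int  # other hostnames mapped to the same address


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text; comments and malformed lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: not a mapping line
        for host in fields[1:]:
            entries.append(HostsEntry(line_no, fields[0], host.lower()))
    return entries


def is_local(address: str) -> bool:
    """Only loopback/unspecified targets belong in a stock hosts file."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def has_watched_label(hostname: str) -> bool:
    """True if a watched brand appears as a non-final label of the name."""
    return any(label in WATCHED_LABELS for label in hostname.split(".")[:-1])


def find_redirects(text: str) -> List[Finding]:
    """Every mapping whose target is not a local address, with context."""
    entries = parse_hosts(text)
    count = {}
    for e in entries:
        count[e.address] = count.get(e.address, 0) + 1
    return [Finding(e, has_watched_label(e.hostname), count[e.address] - 1)
            for e in entries if not is_local(e.address)]


def clean_hosts(text: str) -> str:
    """Hosts text with every non-local mapping dropped; comments are kept."""
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            try:
                if not is_local(fields[0]):
                    continue
            except ValueError:
                continue  # malformed mapping line: drop it as well
        kept.append(raw)
    return "\n".join(kept) + "\n"


# Constructed sample: the stock lines plus the three entries from the CFScript.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost
67.212.177.251 www.google.com
67.212.177.251 google.com
67.212.177.251 google.com.au
"""
```

Several hostnames sharing one non-local address (shared_with > 0) is the strongest single signal in this check; a lone private-range entry is usually a user's own LAN mapping.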


#15 yoyoyoda (Topic Starter, Members, 9 posts)

Posted 03 April 2010 - 09:01 PM

Hey LTangelic,

I'm going to start those scans tonight, but I just found something funny in my Firefox address bar. After I erased my website history, the sites still showed up in the drop down of the address bar, except it had this text in front of each website.

wyciwyg://125

Each site that was redirected had that in front of it. Anyway, thought that might help.



