Search hijack/redirect

 
Post new topic   General Reply to Topic (not reply to a specific post)    Forums Home -> HijackThis Logs RSS
Next:  What is the difference between 802.11b,g and n  
Author Message
ASE



Joined: Feb 26, 2010
Posts: 9



PostPosted: Fri Feb 26, 2010 5:46 am    Post subject: Search hijack/redirect

I have what appears to be a common search redirect issue. I've read through quite a few of the threads here and done a bunch of research and haven't been able to get this removed.

I get regular redirects when linking to search pages. Whatever it is is also editing my hosts file with "www.yahoo.com." It re-edits it each time I remove that line. I use Firefox and have tried Goorefix. Hvae run MalwareBytes, Spybot, and Avast multiple times. It removes issues, but they seem to come back. Any help appreciated, thanks much. Hijack This log follows:

----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:54 AM, on 2/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.16\AsRunHelp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: c00AC277 - c00AC277.mat (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Google Update Service (gupdate1c8bbaae045c584) (gupdate1c8bbaae045c584) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10688 bytes
Back to top
greyknight17



Joined: Feb 03, 2003
Posts: 5924

Location: Brooklyn, NY

PostPosted: Sat Feb 27, 2010 5:58 pm    Post subject:

Welcome to Lockergnome.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

Viewpoint - any entries that has this name in it should be uninstalled unless you use it

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O20 - Winlogon Notify: c00AC277 - c00AC277.mat (file missing)

Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
Back to top
AIM Address Yahoo Messenger
ASE



Joined: Feb 26, 2010
Posts: 9



PostPosted: Mon Mar 01, 2010 6:52 am    Post subject:

Thanks a lot for helping.

I removed Viewpoint as you directed. I ran another scan of Hijackthis and the entry you specified was no longer there.

I ran Combofix per the instructions and the log is below.

---

ComboFix 10-02-27.04 - Adam 03/01/2010 1:51.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1470 [GMT -5:00]
Running from: c:\documents and settings\Adam\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100228-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.

2010-02-26 05:07 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-26 05:07 . 2010-02-26 05:07 -------- d-----w- c:\program files\Panda Security
2010-02-26 03:49 . 2010-02-26 03:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-26 02:42 . 2010-02-26 02:42 503808 ----a-w- c:\documents and settings\Adam\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-15873106-n\msvcp71.dll
2010-02-26 02:42 . 2010-02-26 02:42 499712 ----a-w- c:\documents and settings\Adam\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-15873106-n\jmc.dll
2010-02-26 02:42 . 2010-02-26 02:42 348160 ----a-w- c:\documents and settings\Adam\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-15873106-n\msvcr71.dll
2010-02-26 02:42 . 2010-02-26 02:42 61440 ----a-w- c:\documents and settings\Adam\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1d702ca7-n\decora-sse.dll
2010-02-26 02:42 . 2010-02-26 02:42 12800 ----a-w- c:\documents and settings\Adam\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1d702ca7-n\decora-d3d.dll
2010-02-26 02:31 . 2010-01-23 20:31 2797468 ----a-w- c:\documents and settings\Adam\Application Data\Mozilla\Firefox\Profiles\5xinldv3.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
2010-02-25 05:38 . 2010-02-25 05:38 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-02-25 05:30 . 2010-02-25 05:30 -------- d-----w- c:\windows\ERUNT
2010-02-25 05:26 . 2010-02-26 02:13 -------- d-----w- C:\SDFix
2010-02-25 05:08 . 2010-02-25 05:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-02-25 03:21 . 2010-02-25 04:26 -------- d-----w- c:\documents and settings\Adam\Local Settings\Application Data\Temporary Projects
2010-02-23 00:15 . 2010-02-25 03:02 -------- d-----w- c:\documents and settings\Adam\Application Data\PrimoPDF
2010-02-23 00:15 . 2010-02-23 00:15 -------- d-----w- c:\program files\Nitro PDF
2010-02-23 00:15 . 2009-07-31 01:44 176235 ----a-w- c:\windows\system32\Primomonnt.dll
2010-02-09 01:12 . 2010-02-09 01:12 -------- d-----w- c:\program files\Windower
2010-02-09 01:11 . 2010-02-09 01:11 4096 ----a-w- c:\windows\d3dx.dat
2010-02-09 01:11 . 2010-02-09 01:11 -------- d-----w- c:\program files\directx
2010-02-09 00:48 . 2010-02-09 00:48 -------- d-----w- c:\program files\PlayOnline
2010-02-04 04:42 . 2010-02-04 04:42 -------- d-----w- c:\documents and settings\Adam\Local Settings\Application Data\IsolatedStorage
2010-02-03 08:02 . 2010-02-03 08:02 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2010-02-02 06:02 . 2010-02-25 05:01 844731 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1417001333-1547161642-839522115-1004-0.dat
2010-02-02 06:02 . 2010-02-25 05:01 134438 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2010-02-02 05:17 . 2010-02-02 05:17 -------- d-----w- c:\program files\Microsoft Help
2010-02-02 04:56 . 2008-07-10 07:49 50200 ----a-w- c:\windows\system32\perf-ReportServer$SQLEXPRESS-rsctr.dll
2010-02-02 04:55 . 2010-02-02 04:55 397664 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\SSIS_ScriptComponent\9.0\1033\ResourceCache.dll
2010-02-02 04:55 . 2010-02-02 04:55 397664 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\SSIS_ScriptTask\9.0\1033\ResourceCache.dll
2010-02-02 04:55 . 2008-08-11 19:31 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2010-02-02 04:54 . 2008-08-11 19:31 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2010-02-02 04:53 . 2010-02-02 04:53 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-02-02 04:53 . 2010-02-03 08:03 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2010-02-02 04:53 . 2010-02-03 08:03 121728 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2010-02-02 04:51 . 2010-02-02 04:51 -------- d-----w- c:\program files\Common Files\Merge Modules
2010-02-02 04:50 . 2010-02-02 04:50 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2010-02-02 04:50 . 2010-02-02 04:50 -------- d-----w- c:\documents and settings\Adam\Local Settings\Application Data\Microsoft Help
2010-02-02 04:49 . 2010-02-02 04:49 -------- d-----w- c:\program files\Microsoft SDKs
2010-02-02 04:49 . 2010-02-03 08:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-02 04:47 . 2010-02-02 04:47 -------- d-----w- c:\windows\system32\RsFx
2010-02-02 04:47 . 2010-02-02 04:52 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-02-02 04:47 . 2010-02-02 04:47 -------- d-----w- c:\program files\MSXML 6.0
2010-02-02 04:46 . 2010-02-02 04:48 -------- d-----w- c:\program files\Microsoft.NET
2010-02-02 04:45 . 2010-02-02 04:48 -------- d-----w- c:\program files\Microsoft SQL Server
2010-02-02 04:35 . 2010-02-02 04:36 -------- d-----w- C:\03fbe6b9964aa5c56b38efb1
2010-02-02 04:31 . 2010-02-02 04:31 -------- d-----w- c:\program files\MSBuild
2010-02-02 04:31 . 2010-02-02 04:36 -------- d-----w- c:\windows\system32\XPSViewer
2010-02-02 04:31 . 2010-02-02 04:31 -------- d-----w- c:\program files\Reference Assemblies
2010-02-02 04:31 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-02-02 04:31 . 2006-06-29 18:07 14048 ------w- c:\windows\system32\spmsg2.dll
2010-02-02 04:17 . 2010-02-02 04:17 -------- d-----w- c:\windows\system32\Inetsrv6
2010-02-02 00:40 . 2010-02-02 00:40 -------- d-----w- c:\program files\Microsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-01 06:38 . 2007-06-08 22:02 -------- d-----w- c:\program files\Viewpoint
2010-03-01 06:18 . 2007-06-08 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-02-26 06:38 . 2007-04-21 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-26 02:42 . 2007-09-05 23:02 -------- d-----w- c:\program files\Common Files\Java
2010-02-26 02:42 . 2007-09-05 23:02 -------- d-----w- c:\program files\Java
2010-02-25 01:48 . 2008-11-25 02:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-25 01:46 . 2009-03-13 06:27 5115823 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-23 14:01 . 2008-10-18 22:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-09 01:10 . 2007-04-22 07:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-02 05:17 . 2010-01-26 02:03 187936 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCSExpress\10.0\1033\ResourceCache.dll
2010-02-02 05:17 . 2010-01-26 02:02 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2010-02-02 04:44 . 2007-04-21 20:02 20992 -c--a-w- c:\documents and settings\Adam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-02 01:41 . 2007-04-21 19:31 -------- d-----w- c:\program files\ASUS
2010-02-02 01:40 . 2008-01-04 01:47 -------- d-----w- c:\program files\Steam
2010-02-02 01:40 . 2009-01-06 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2010-02-02 01:38 . 2007-05-05 19:30 -------- d-----w- c:\program files\World of Warcraft
2010-01-26 03:38 . 2010-01-26 03:38 -------- d-----w- c:\documents and settings\Adam\Application Data\Microsoft Corporation
2010-01-26 02:04 . 2010-01-26 02:04 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-01-26 02:04 . 2010-01-26 02:04 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-01-20 22:14 . 2009-09-30 04:20 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-07 21:07 . 2008-11-25 02:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2008-11-25 02:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 02:11 . 2009-10-21 00:14 1 ----a-w- c:\documents and settings\Adam\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-05 10:00 . 2006-02-28 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-07-07 23:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2006-02-28 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-17 22:14 . 2009-10-21 00:11 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2007-04-22 06:49 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2006-02-28 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 06:13 . 2009-12-09 06:13 152576 ----a-w- c:\documents and settings\Adam\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-09 06:13 . 2009-12-09 06:13 79488 ----a-w- c:\documents and settings\Adam\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-08 19:26 . 2006-02-28 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2006-02-28 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-03 39408]
"Google Update"="c:\documents and settings\Adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-30 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusStartupHelp"="c:\program files\ASUS\AASP\1.00.16\AsRunHelp.exe" [2006-11-14 363008]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 101136]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-28 122880]
"P17Helper"="SPIRun.dll" [2006-07-03 10752]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 101136]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1126400]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-27 316728]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Documents and Settings\\Adam\\My Documents\\My Received Files\\utorrent.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/26/2010 12:07 AM 28552]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/3/2008 9:33 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/3/2008 9:33 PM 20560]
R2 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSRS10.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe [7/10/2008 2:22 AM 1106968]
S2 clr_optimization_v4.0.21006_32;Microsoft .NET Framework NGEN v4.0.21006_X86;c:\windows\Microsoft.NET\Framework\v4.0.21006\mscorsvw.exe [10/7/2009 2:44 AM 129856]
S2 gupdate1c8bbaae045c584;Google Update Service (gupdate1c8bbaae045c584);c:\program files\Google\Update\GoogleUpdate.exe [7/16/2008 12:43 AM 133104]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.21006\WPF\WPFFontCache_v0400.exe [10/7/2009 2:44 AM 752984]
S4 MSSQLFDLauncher$SQLEXPRESS;SQL Full-text Filter Daemon Launcher (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\fdlauncher.exe [7/10/2008 1:15 AM 31256]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [8/11/2008 2:31 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [8/11/2008 2:31 PM 369688]
.
Contents of the 'Scheduled Tasks' folder

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-16 06:54]

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-16 06:54]

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-1547161642-839522115-1004Core.job
- c:\documents and settings\Adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-07 22:34]

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-1547161642-839522115-1004UA.job
- c:\documents and settings\Adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-07 22:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FF - ProfilePath - c:\documents and settings\Adam\Application Data\Mozilla\Firefox\Profiles\5xinldv3.default\
FF - component: c:\documents and settings\Adam\Application Data\Mozilla\Firefox\Profiles\5xinldv3.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - plugin: c:\documents and settings\Adam\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\Adam\Local Settings\Application Data\Spoon\3.11.0.7\npMozillaSpoonPlugin.dll
FF - plugin: c:\documents and settings\Adam\Local Settings\Application Data\Spoon\3.12.0.2\npMozillaSpoonPlugin.dll
FF - plugin: c:\documents and settings\Adam\Local Settings\Application Data\Spoon\3.14.0.5\npMozillaSpoonPlugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 01:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
P17Helper = Rundll32 SPIRun.dll,RunDLLEntry?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\nvappfilter.dll

- - - - - - - > 'explorer.exe'(3896)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-01 01:58:27
ComboFix-quarantined-files.txt 2010-03-01 06:58
ComboFix2.txt 2010-02-26 06:45

Pre-Run: 26,049,417,216 bytes free
Post-Run: 26,118,619,136 bytes free

- - End Of File - - AAAB1BDFC91BD13C89B47F7A5319B684
Back to top
greyknight17



Joined: Feb 03, 2003
Posts: 5924

Location: Brooklyn, NY

PostPosted: Tue Mar 02, 2010 7:08 pm    Post subject:

Delete these two folders:

c:\program files\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint


Download GMER (http://www.gmer.net/download.php). Note the file's name (randomly generated) and save it to your root folder, such as your C: drive.

* Disconnect from the Internet and close all running programs.
* Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
* Take a look at this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled.
* Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
* Allow the driver to load if asked.
* You may be prompted to scan immediately if it detects rootkit activity.
* If you are prompted to scan your system click "No", save the log and post back the results.
* If not prompted, click the "Rootkit/Malware" tab.
* On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
* Select all drives that are connected to your system to be scanned.
* Click the Scan button to begin. (Please be patient as it can take some time to complete)
* When the scan is finished, click Save to save the scan results to your Desktop.
* Save the file as Results.log and copy/paste the contents in your next reply.
* Exit the program and re-enable all active protection when done.
Back to top
AIM Address Yahoo Messenger
ASE



Joined: Feb 26, 2010
Posts: 9



PostPosted: Wed Mar 03, 2010 2:05 am    Post subject:

GMER log:

---

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-02 20:57:05
Windows 5.1.2600 Service Pack 3
Running: evyss0cn.exe; Driver: C:\DOCUME~1\Adam\LOCALS~1\Temp\uwldipod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB5E996B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB5E99574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB5E99A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB5E9914C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB5E9964E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB5E9908C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB5E990F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB5E9976E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB5E9972E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB5E998AE]

Code \??\C:\DOCUME~1\Adam\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9E84380, 0x346307, 0xE8000020]
init C:\WINDOWS\system32\drivers\p17xfilt.sys entry point in "init" section [0xB9B8E130]
? C:\DOCUME~1\Adam\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[780] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[780] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip NVTcp.sys (NVIDIA Networking Protocol Driver./NVIDIA Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000a9402a053 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000a9402a053@001c12126575 0xBA 0xF3 0x0B 0x83 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a9402a053
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a9402a053@001c12126575 0xBA 0xF3 0x0B 0x83 ...
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\000a9402a053 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\000a9402a053@001c12126575 0xBA 0xF3 0x0B 0x83 ...

---- EOF - GMER 1.0.15 ----
Back to top
ASE



Joined: Feb 26, 2010
Posts: 9



PostPosted: Wed Mar 03, 2010 2:38 am    Post subject:

Sorry for the double post. Just wanted to update that I'm still getting redirects and popups, though not quite as frequently. I've also got something auto-editing my hosts file. Each time I delete the line "www.yahoo.com," it gets added back.
Back to top
greyknight17



Joined: Feb 03, 2003
Posts: 5924

Location: Brooklyn, NY

PostPosted: Wed Mar 03, 2010 10:13 pm    Post subject:

Download OTL to your Desktop
http://oldtimer.geekstogo.com/OTL.exe

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste the below bolded text in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Back to top
AIM Address Yahoo Messenger
ASE



Joined: Feb 26, 2010
Posts: 9



PostPosted: Thu Mar 04, 2010 12:25 am    Post subject:

Log files below:

OTL.txt:

---
OTL logfile created on: 3/3/2010 7:17:52 PM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\Adam\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 67.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.23 Gb Total Space | 24.27 Gb Free Space | 35.06% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: THEGOAT
Current User Name: Adam
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/03 19:13:03 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Adam\Desktop\OTL.exe
PRC - [2009/11/24 18:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 18:51:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 18:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/10/07 05:31:18 | 000,035,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.21006\aspnet_state.exe
PRC - [2009/10/07 02:44:58 | 000,752,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.21006\WPF\WPFFontCache_v0400.exe
PRC - [2009/05/09 13:09:24 | 000,606,720 | ---- | M] (http://tortoisesvn.net) -- C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
PRC - [2009/02/02 23:05:02 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/08/11 14:31:14 | 040,999,448 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
PRC - [2008/07/10 02:49:44 | 000,098,840 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/07/10 02:22:18 | 001,106,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSRS10.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/27 00:38:16 | 000,316,728 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
PRC - [2007/04/14 14:46:56 | 000,020,480 | ---- | M] (KSE - Korndörfer Software Engineering) -- C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
PRC - [2006/09/08 12:12:50 | 000,172,032 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
PRC - [2006/09/08 12:10:42 | 000,172,090 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
PRC - [2006/07/28 08:56:48 | 000,122,880 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
PRC - [2006/07/22 20:22:42 | 001,126,400 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
PRC - [2006/07/07 18:14:38 | 000,576,320 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\itype.exe
PRC - [2006/06/01 12:32:12 | 000,094,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
PRC - [2006/03/20 17:34:50 | 000,213,936 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe


========== Modules (SafeList) ==========

MOD - [2010/03/03 19:13:03 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Adam\Desktop\OTL.exe
MOD - [2008/01/27 00:38:25 | 000,062,768 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\patrolpro.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 18:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 18:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/10/07 05:31:18 | 000,035,144 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.21006\aspnet_state.exe -- (aspnet_state)
SRV - [2009/10/07 02:44:58 | 000,752,984 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.21006\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2009/10/07 02:44:58 | 000,129,856 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.21006\mscorsvw.exe -- (clr_optimization_v4.0.21006_32)
SRV - [2009/01/05 22:22:56 | 000,658,432 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/08/11 14:31:14 | 040,999,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2008/08/11 14:31:14 | 000,369,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE -- (SQLAgent$SQLEXPRESS) SQL Server Agent (SQLEXPRESS)
SRV - [2008/08/11 14:31:12 | 000,047,128 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE -- (MSSQLServerADHelper100)
SRV - [2008/07/29 13:10:46 | 003,201,024 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon90)
SRV - [2008/07/10 02:49:44 | 000,098,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/07/10 02:49:34 | 000,258,072 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/07/10 02:22:18 | 001,106,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSRS10.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe -- (ReportServer$SQLEXPRESS) SQL Server Reporting Services (SQLEXPRESS)
SRV - [2008/07/10 01:15:32 | 000,031,256 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\fdlauncher.exe -- (MSSQLFDLauncher$SQLEXPRESS) SQL Full-text Filter Daemon Launcher (SQLEXPRESS)
SRV - [2007/10/25 15:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/10/18 11:31:54 | 000,098,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2007/04/14 14:46:56 | 000,020,480 | ---- | M] (KSE - Korndörfer Software Engineering) [Auto | Running] -- C:\Program Files\KSE\nHancer 32bit\nHancerService.exe -- (nHancer)
SRV - [2006/09/08 12:12:50 | 000,172,032 | ---- | M] () [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe -- (ForceWare Intelligent Application Manager (IAM)) ForceWare Intelligent Application Manager (IAM)
SRV - [2006/09/08 12:10:42 | 000,172,090 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe -- (nSvcIp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: firebug DeleteThis @software.joehewitt.com:1.5.2
FF - prefs.js..extensions.enabledItems: {3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}:0.8.6.1
FF - prefs.js..extensions.enabledItems: jqs DeleteThis @sun.com:1.0
FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.8

FF - HKLM\software\mozilla\Firefox\Extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\Program Files\Google\Google Gears\Firefox\ [2009/11/03 22:56:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/26 02:10:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/25 22:05:46 | 000,000,000 | ---D | M]

[2009/05/31 17:14:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\Mozilla\Extensions
[2010/03/03 01:37:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\Mozilla\Firefox\Profiles\5xinldv3.default\extensions
[2010/02/04 08:56:28 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Adam\Application Data\Mozilla\Firefox\Profiles\5xinldv3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/02/25 21:32:02 | 000,000,000 | ---D | M] (Html Validator) -- C:\Documents and Settings\Adam\Application Data\Mozilla\Firefox\Profiles\5xinldv3.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}
[2009/07/20 16:31:59 | 000,000,000 | ---D | M] (Web Developer) -- C:\Documents and Settings\Adam\Application Data\Mozilla\Firefox\Profiles\5xinldv3.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2010/02/25 21:31:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\Mozilla\Firefox\Profiles\5xinldv3.default\extensions\firebug@software.joehewitt.com
[2010/03/03 01:37:14 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2008/08/21 21:04:49 | 000,000,765 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.yahoo.com
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Gears Helper) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll (Google Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.16\AsRunHelp.exe ()
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech Inc.)
O4 - HKLM..\Run: [Launch LGDCore] C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe (Logitech Inc.)
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [P17Helper] C:\WINDOWS\System32\SPIRun.dll (Creative Technology Ltd.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [VolPanel] C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\Adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\nvappfilter.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\nvappfilter.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\nvappfilter.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\nvappfilter.dll (NVIDIA)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c...4c69108 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-a...403a978 (Reg Error: Key error.)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/scan8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab (System Requirements Lab Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} http://acs.pandasoftware.com/activescan/as5free/asinst.cab (ActiveScan Installer Class)
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} http://ak.imgag.com/imgag/cp/install/Crusher.cab (Creative Toolbox Plug-in)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-1...49BE270 (CTAdjust Class)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab (Creative Software AutoUpdate Support Package)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Adam\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Adam\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/22 01:52:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/04/21 22:36:30 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 14 Days ==========

[2010/03/03 19:13:03 | 000,551,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Adam\Desktop\OTL.exe
[2010/03/02 23:48:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Adam\Local Settings\Application Data\Temporary Projects
[2010/03/02 18:09:46 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/03/01 01:45:29 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/02/26 01:27:05 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/02/26 01:25:09 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/02/26 01:25:09 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/02/26 01:25:09 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/02/26 01:25:09 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/02/26 01:24:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/26 01:24:26 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/26 00:07:36 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2010/02/26 00:07:17 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2010/02/25 22:56:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Adam\Desktop\GooredFix Backups
[2010/02/25 22:56:18 | 000,070,858 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Adam\Desktop\GooredFix.exe
[2010/02/25 22:49:45 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/02/25 22:46:37 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Adam\Desktop\spybotsd162.exe
[2010/02/25 22:40:55 | 000,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Adam\Desktop\HijackThisInstaller.exe
[2010/02/25 22:35:02 | 000,439,808 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Adam\Desktop\TFC.exe
[2010/02/25 21:42:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/02/25 00:30:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2010/02/25 00:26:07 | 000,000,000 | ---D | C] -- C:\SDFix
[2010/02/25 00:08:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2010/02/24 00:36:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2010/02/22 20:19:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/02/22 19:48:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/02/22 19:47:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/02/22 19:15:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Adam\Application Data\PrimoPDF
[2010/02/22 19:15:21 | 000,000,000 | ---D | C] -- C:\Program Files\Nitro PDF
[2010/02/02 00:00:19 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/02/01 23:58:31 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/11/02 01:51:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Temp
[2009/05/06 09:13:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/03/04 20:29:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2008/10/01 20:12:26 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Adam\Application Data\pcouffin.sys
[2008/01/19 19:41:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/06/21 18:09:47 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll

========== Files - Modified Within 14 Days ==========

[2010/03/03 19:13:03 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Adam\Desktop\OTL.exe
[2010/03/03 19:04:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-1547161642-839522115-1004UA.job
[2010/03/03 19:01:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/03 00:04:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-1547161642-839522115-1004Core.job
[2010/03/03 00:01:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/02 21:26:47 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/02 21:21:34 | 000,690,432 | ---- | M] () -- C:\WINDOWS\System32\nvdb02.adghz
[2010/03/02 21:21:32 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/02 21:21:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/02 21:19:45 | 009,175,040 | -H-- | M] () -- C:\Documents and Settings\Adam\NTUSER.DAT
[2010/03/02 18:11:10 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Adam\Desktop\evyss0cn.exe
[2010/03/01 05:19:22 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/01 01:56:24 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/01 01:42:17 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Adam\ntuser.ini
[2010/03/01 01:29:15 | 003,874,477 | R--- | M] () -- C:\Documents and Settings\Adam\Desktop\ComboFix.exe
[2010/02/26 01:27:15 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/02/26 01:04:32 | 000,070,858 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Adam\Desktop\GooredFix.exe
[2010/02/26 00:07:11 | 000,177,240 | ---- | M] () -- C:\Documents and Settings\Adam\Desktop\activescan2_en.exe
[2010/02/25 23:20:49 | 000,000,879 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100225-232057.backup
[2010/02/25 22:46:50 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Adam\Desktop\spybotsd162.exe
[2010/02/25 22:41:05 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Adam\Desktop\HijackThis.lnk
[2010/02/25 22:40:55 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Adam\Desktop\HijackThisInstaller.exe
[2010/02/25 22:35:02 | 000,439,808 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Adam\Desktop\TFC.exe
[2010/02/25 00:24:43 | 001,529,241 | ---- | M] () -- C:\Documents and Settings\Adam\Desktop\SDFix.exe
[2010/02/24 00:37:43 | 000,006,656 | -H-- | M] () -- C:\WINDOWS\System32\svchost.suo
[2010/02/24 00:37:43 | 000,000,204 | ---- | M] () -- C:\WINDOWS\System32\svchost.sln
[2010/02/22 19:21:14 | 000,083,502 | ---- | M] () -- C:\Documents and Settings\Adam\Desktop\License Confirmation.pdf
[2010/02/22 19:20:46 | 000,078,891 | ---- | M] () -- C:\Documents and Settings\Adam\Desktop\License Receipt.pdf
[2010/02/22 19:16:11 | 000,118,704 | ---- | M] () -- C:\Documents and Settings\Adam\Desktop\License.pdf
[2010/02/22 19:15:25 | 000,000,798 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PrimoPDF - Drop Files Here to Convert!.lnk
[2010/02/22 19:15:21 | 000,000,314 | ---- | M] () -- C:\WINDOWS\primopdf.ini

========== Files Created - No Company Name ==========

[2010/03/02 18:11:10 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Adam\Desktop\evyss0cn.exe
[2010/02/26 01:27:14 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/02/26 01:27:08 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/02/26 01:25:09 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/02/26 01:25:09 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/02/26 01:25:09 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/02/26 01:25:09 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/02/26 01:25:09 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/02/26 01:22:10 | 003,874,477 | R--- | C] () -- C:\Documents and Settings\Adam\Desktop\ComboFix.exe
[2010/02/26 00:07:11 | 000,177,240 | ---- | C] () -- C:\Documents and Settings\Adam\Desktop\activescan2_en.exe
[2010/02/25 22:41:05 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Adam\Desktop\HijackThis.lnk
[2010/02/25 00:24:41 | 001,529,241 | ---- | C] () -- C:\Documents and Settings\Adam\Desktop\SDFix.exe
[2010/02/24 00:37:43 | 000,006,656 | -H-- | C] () -- C:\WINDOWS\System32\svchost.suo
[2010/02/24 00:37:43 | 000,000,204 | ---- | C] () -- C:\WINDOWS\System32\svchost.sln
[2010/02/22 19:21:14 | 000,083,502 | ---- | C] () -- C:\Documents and Settings\Adam\Desktop\License Confirmation.pdf
[2010/02/22 19:20:45 | 000,078,891 | ---- | C] () -- C:\Documents and Settings\Adam\Desktop\License Receipt.pdf
[2010/02/22 19:16:10 | 000,118,704 | ---- | C] () -- C:\Documents and Settings\Adam\Desktop\License.pdf
[2010/02/22 19:15:25 | 000,000,798 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PrimoPDF - Drop Files Here to Convert!.lnk
[2010/02/22 19:15:21 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2010/02/02 01:02:12 | 000,844,731 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1417001333-1547161642-839522115-1004-0.dat
[2010/02/02 01:02:12 | 000,134,438 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2009/09/04 00:48:24 | 000,000,292 | ---- | C] () -- C:\WINDOWS\MP32WAV.INI
[2009/07/30 20:58:42 | 000,000,314 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2009/05/04 18:36:15 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Adam\Local Settings\Application Data\fusioncache.dat
[2009/03/30 22:21:06 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2009/02/25 00:56:04 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/12/10 23:10:32 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2008/10/21 07:05:53 | 000,000,038 | ---- | C] () -- C:\WINDOWS\AviSplitter.INI
[2008/10/01 20:12:36 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\Adam\Application Data\vso_ts_preview.xml
[2008/10/01 20:12:29 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\Adam\Application Data\pcouffin.log
[2008/10/01 20:12:26 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Adam\Application Data\pcouffin.cat
[2008/10/01 20:12:26 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Adam\Application Data\pcouffin.inf
[2008/07/27 19:51:40 | 000,136,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2008/07/27 19:51:40 | 000,022,328 | ---- | C] () -- C:\Documents and Settings\Adam\Application Data\PnkBstrK.sys
[2008/06/26 21:04:47 | 000,001,356 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2008/02/01 22:09:55 | 000,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2007/06/21 18:22:48 | 000,022,478 | ---- | C] () -- C:\WINDOWS\System32\Ludap17.ini
[2007/06/21 18:22:48 | 000,000,054 | R--- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2007/06/21 18:22:31 | 000,137,728 | R--- | C] () -- C:\WINDOWS\System32\OemSpi.dll
[2007/06/21 18:22:31 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\P17CPI.dll
[2007/06/21 18:22:31 | 000,008,251 | ---- | C] () -- C:\WINDOWS\sfsyn.ini
[2007/05/22 10:55:32 | 000,099,328 | ---- | C] () -- C:\Documents and Settings\Adam\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/05/12 16:43:51 | 000,002,819 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2007/04/24 11:25:35 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/04/22 02:00:54 | 000,000,804 | R--- | C] () -- C:\WINDOWS\System32\AsusSetup.ini
[2007/04/22 02:00:54 | 000,000,400 | R--- | C] () -- C:\WINDOWS\System32\raidmgmt.ini
[2007/04/22 02:00:30 | 000,016,957 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2007/04/22 02:00:12 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2007/04/22 02:00:10 | 000,016,919 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2007/04/22 02:00:03 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/04/21 14:37:09 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/04/21 14:37:09 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/04/21 14:37:09 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/04/21 14:37:09 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/04/21 14:36:49 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/04/21 14:36:47 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2007/04/21 14:31:06 | 000,024,576 | R--- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2007/04/21 14:31:06 | 000,012,664 | R--- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2005/07/15 15:46:06 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/07/15 15:46:02 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/07/15 15:46:02 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/03/01 14:30:20 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini

========== LOP Check ==========

[2009/06/26 01:03:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\Broad Intelligence
[2009/07/07 22:28:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\ColorSchemer
[2009/02/13 22:48:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\CoreFTP
[2009/12/29 00:29:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\FileZilla
[2008/03/04 23:51:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\Image Zone Express
[2008/08/22 14:37:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\ImgBurn
[2007/11/04 21:32:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\InterVideo
[2007/04/21 20:11:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\nHancer
[2009/04/28 23:35:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\Notepad++
[2009/10/20 19:13:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\OpenOffice.org
[2010/02/24 22:02:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\PrimoPDF
[2008/03/04 23:49:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\Printer Info Cache
[2009/08/18 22:42:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\StormFront
[2009/06/08 22:34:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\Subversion
[2009/05/04 18:36:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\Turbine
[2009/07/01 23:48:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
[2009/12/10 23:49:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\uTorrent
[2009/12/11 08:34:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\Vso
[2008/03/09 16:53:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Adam\Application Data\WinPatrol
[2010/02/01 20:40:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Rosetta Stone
[2008/10/17 19:22:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/10/01 20:54:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2009/06/11 19:48:58 | 018,591,156 | ---- | M] (Igor Pavlov) -- C:\xampplite-win32-1.7.1.exe


< MD5 for: AGP440.SYS >
[2006/02/28 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/10 19:32:12 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/09/10 19:32:12 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2006/02/28 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/10 19:32:12 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/09/10 19:32:12 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2006/02/28 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2006/02/28 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2006/02/28 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2006/02/28 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATA.SYS >
[2006/09/21 02:39:16 | 000,105,344 | ---- | M] (NVIDIA Corporation) MD5=DC1F9954B5EDDD147AF7E5C420BE7B93 -- C:\WINDOWS\system32\drivers\nvata.sys
[2006/09/21 02:39:16 | 000,105,344 | R--- | M] (NVIDIA Corporation) MD5=DC1F9954B5EDDD147AF7E5C420BE7B93 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\nvata.sys

< MD5 for: SCECLI.DLL >
[2006/02/28 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2007/04/21 22:39:40 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/04/21 22:39:40 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/04/21 22:39:40 | 000,933,888 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >
----

EXTRAS.txt:

---

OTL Extras logfile created on: 3/3/2010 7:17:52 PM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\Adam\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 67.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.23 Gb Total Space | 24.27 Gb Free Space | 35.06% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: THEGOAT
Current User Name: Adam
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
https [open] -- Reg Error: Value error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Nero\Nero 7\Nero Home\NeroHome.exe" = C:\Program Files\Nero\Nero 7\Nero Home\NeroHome.exe:*:Enabled:Nero Home -- (Nero AG)
"C:\Program Files\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe" = C:\Program Files\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-2.0.3-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Documents and Settings\Adam\My Documents\My Received Files\utorrent.exe" = C:\Documents and Settings\Adam\My Documents\My Received Files\utorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe" = C:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe:*:Enabled:Nero ShowTime -- (Nero AG)
"C:\Program Files\InterVideo\DVD8\WinDVD.exe" = C:\Program Files\InterVideo\DVD8\WinDVD.exe:*:Enabled:WinDVD -- (InterVideo Inc.)
"C:\WINDOWS\system32\PnkBstrA.exe" = C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA -- ()
"C:\WINDOWS\system32\PnkBstrB.exe" = C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB -- ()
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01C5A10F-AD9B-405B-853A-6659841A1242}" = Microsoft SQL Server 2008 Policies
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{06A7EA72-0F00-4D53-A81C-A5D925711141}" = Microsoft SQL Server 2008 Full text search
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{09AD0BC1-A8F3-3453-A358-DB3B1E02F81B}" = Microsoft Visual C# 2010 Express Beta 2 - ENU
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{196E77C5-F524-4B50-BD1A-2C21EEE9B8F7}" = Microsoft SQL Server 2008 Common Files
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan
"{1F6423DE-7959-4178-80E0-023C7EAA5347}" = NVIDIA ForceWare Network Access Manager
"{2020045B-8DCF-4449-8D5C-EB5BA37440F1}" = Microsoft SQL Server 2008 Management Studio
"{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = InterVideo WinDVD 8
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23F70562-02F4-4805-ACF5-6E52BAD167C2}" = Microsoft SQL Server 2008 Reporting Services
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 18
"{275ABBA2-4817-4443-9AB8-ED43CA9AAA17}" = Microsoft SQL Server 2008 BI Development Studio
"{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}" = Logitech SetPoint
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java(TM) SE Runtime Environment 6
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java(TM) 6 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C0619B4-4A2C-4244-8077-488E420DF907}" = FINAL FANTASY XI: Chains of Promathia
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{3FBC5FCA-F989-4D5D-93F6-B185EEE1EC76}" = IIS6 Manager
"{40653574-F426-36BB-A1DC-3AD075E1EB3C}" = Microsoft Help 3.0 Beta 2
"{43602F34-1AA3-44FB-AEB2-D08C2C73743F}" = Paint.NET v3.36
"{43DCF766-6838-4F9A-8C91-D92DA586DFA8}" = Microsoft Windows Journal Viewer
"{47004155-7376-403E-89E9-4C9F44AAF0D0}" = PlayOnline Viewer & Tetra Master
"{4815BD99-96A4-49FE-A885-DCF06E9E4E78}" = Microsoft SQL Server 2008 Database Engine Shared
"{49E98741-B7A4-4A44-A536-6AFCA23106FE}" = Microsoft SQL Server 2008 Reporting Services
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A6F34E2-09E5-4616-B227-4A26A488A6F9}" = Microsoft SQL Server 2008 Common Files
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{53FA14B9-A754-4568-819E-BE4270FDEE13}" = SQL Server 2008 R2 Management Objects
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{57EC5BFE-7CB7-3057-8385-C9D72918511C}" = Microsoft .NET Framework 4 Client Profile Beta 2
"{58721EC3-8D4E-4B79-BC51-1054E2DDCD10}" = Microsoft SQL Server 2008 Database Engine Services
"{5B037ED7-0755-48D4-9554-808E5AF50F17}" = FINAL FANTASY XI: Wings of the Goddess
"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver
"{5EFFD8C8-BE42-3A47-A5A6-1B3985FD1EC0}" = Microsoft .NET Framework 4 Multi-Targeting Pack
"{64CDE8F2-3791-46F5-BAD2-72FFF5252FAB}" = Microsoft SQL Server Compact 3.5 SP1 Query Tools English
"{678F6475-D227-432A-94FF-806178A34520}" = FINAL FANTASY XI
"{6AE22174-4FFA-4572-B692-31F0C386ED38}" = Consolas Font Family
"{6C117F31-28A8-4477-BE91-64AC0A2204AD}" = Microsoft IntelliPoint 6.01
"{6E405B40-3879-3C9B-9286-8D5E71258C35}" = Microsoft .NET Framework 4 Extended Beta 2
"{6F7F59D5-12F6-4571-9935-A2921AA17F78}" = Microsoft SQL Server 2008 Setup Support Files (English)
"{6FC76C41-8C1D-4B43-85E7-0BAA2002F1BE}" = FINAL FANTASY XI: Rise of the Zilart
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76C24F39-B161-498F-BD8B-C64789812D13}_is1" = ConvertXtoDVD 3.2.1.55b
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77A1C7DD-E4F6-4057-92FC-710219215987}" = Logitech G11 Keyboard Software 1.03
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{822A8730-86A7-4CAA-BDE1-7337169BFF2B}" = Sound Blaster X-Fi Xtreme Audio
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}" = CDDRV_Installer
"{90120000-00A4-0409-0000-0000000FF1CE}" = Microsoft Office 2003 Web Components
"{9124E705-6D95-4470-A102-4AA7E2D4D3EB}" = Introduction to Windows Forms Applications - Csharp
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A31876A-DDFA-485D-89A8-53CD01180C0A}" = nHancer 32bit
"{A1062847-0846-427A-92A1-BB8251A91E91}" = HP PSC & OfficeJet 4.2
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan
"{A606C6FF-12E7-40BE-B777-D8F360FF00CD}" = FINAL FANTASY XI: Treasures of Aht Urhgan
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB}" = Microsoft Visual Studio Tools for Applications 2.0 - ENU
"{AA74ED37-681C-4AE8-8D1D-5485EBB3ED3D}" = SQL Server System CLR Types
"{AC54DC1F-EDA7-448C-BA4C-218A92F5E985}" = Microsoft SQL Server 2008 BI Development Studio
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B37C842A-B624-46B8-A727-654E72F1C91A}" = Calculator Powertoy for Windows XP
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4CBFDCE-4EAE-4453-A7D7-6C7F2F32B3EA}" = Absolute Beginner's Series CS Lesson 11
"{B5153233-9AEE-4CD4-9D2C-4FAAC870DBE2}" = Microsoft SQL Server 2008 Database Engine Services
"{B67C01B3-8502-4BE7-AEAB-BBDE910AD3EE}" = Microsoft Web Platform Installer 2.0
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B857D868-F8B0-43EE-BC2B-D9E5ED21F237}" = Microsoft SQL Server VSS Writer
"{BA0C9AAF-1327-3F06-B49C-349B4BE8F740}" = Microsoft Visual Studio 2008 Shell (integrated mode) - ENU
"{BC2FE771-EDBE-3087-A676-2B6C45A2BF7E}" = Google Gears
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{BEF3EFE7-5159-436D-9BF0-CCC633179EB4}" = EVGA Display Driver
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C688457E-03FD-4941-923B-A27F4D42A7DD}" = Microsoft SQL Server 2008 Browser
"{C89C8D86-4423-4A58-AA40-DD259ACE07C1}" = KhalSetup
"{C965F01C-76EA-4BD7-973E-46236AE312D7}" = Sql Server Customer Experience Improvement Program
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D1B7B5F9-4FB7-48BE-9425-1C6930D67DD1}" = Visual Studio 2010 Beta 2 Tools for SQL Server Compact ENU
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{D75915D3-6CFF-445F-A346-18ED6EF2F618}" = Microsoft IntelliType Pro 6.01
"{D9D937B0-E842-4130-9588-B948E876904A}" = Microsoft SQL Server 2008 Native Client
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{EA3E613B-4C7E-4DEF-A838-88C5FA3EED3E}" = CoD Multi Fixer
"{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
"{F17F7703-1E72-40C1-A0DD-E5B365661033}" = Nero 7 Essentials
"{F1DC7648-8623-442F-92B7-E118DF61872E}" = Microsoft SQL Server 2008 RsFx Driver
"{F3494AB6-6900-41C6-AF57-823626827ED8}" = Microsoft SQL Server 2008 Database Engine Shared
"{F849775B-F39D-4EDD-A266-1A3E258F0498}" = Microsoft SQL Server Compact 3.5 SP2 Beta English
"{FA9C3624-C693-4423-8A8B-2BC2B9F607AB}" = Microsoft SQL Server 2008 Management Studio
"{FC2C89A7-76E2-32F1-A2C2-428B480F570E}" = Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools Beta 2
"{FCA37CD2-7BA4-4A5A-8979-B64EA712F4CB}" = TortoiseSVN 1.6.2.16344 (32 bit)
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe SVG Viewer" = Adobe SVG Viewer 6.0
"AudioCS" = Creative Audio Console
"AvantBrowser" = Avant Browser (remove only)
"avast!" = avast! Antivirus
"Avi2Dvd" = Avi2Dvd 0.4.5 beta
"Belarc Advisor" = Belarc Advisor 7.2
"ColorSchemerStudio2_is1" = ColorSchemer Studio 2
"Creative Software AutoUpdate" = Creative Software AutoUpdate
"dBpoweramp Music Converter" = dBpoweramp Music Converter
"FileZilla Client" = FileZilla Client 3.3.0.1
"HijackThis" = HijackThis 2.0.2
"HP Photo & Imaging" = HP Image Zone 4.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"IETester" = IETester v0.3.5 (remove only)
"ImgBurn" = ImgBurn
"InstallShield_{1F6423DE-7959-4178-80E0-023C7EAA5347}" = NVIDIA ForceWare Network Access Manager
"InstallShield_{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = InterVideo WinDVD 8
"InstallShield_{3C0619B4-4A2C-4244-8077-488E420DF907}" = FINAL FANTASY XI: Chains of Promathia
"InstallShield_{47004155-7376-403E-89E9-4C9F44AAF0D0}" = PlayOnline Viewer & Tetra Master
"InstallShield_{5B037ED7-0755-48D4-9554-808E5AF50F17}" = FINAL FANTASY XI: Wings of the Goddess
"InstallShield_{678F6475-D227-432A-94FF-806178A34520}" = FINAL FANTASY XI
"InstallShield_{6FC76C41-8C1D-4B43-85E7-0BAA2002F1BE}" = FINAL FANTASY XI: Rise of the Zilart
"InstallShield_{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}" = Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
"InstallShield_{931C37FC-594D-43A9-B10F-A2F2B1F03498}" = Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
"InstallShield_{A606C6FF-12E7-40BE-B777-D8F360FF00CD}" = FINAL FANTASY XI: Treasures of Aht Urhgan
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MediaCoder" = MediaCoder 0.7.1.4450
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile Beta 2" = Microsoft .NET Framework 4 Client Profile Beta 2
"Microsoft .NET Framework 4 Extended Beta 2" = Microsoft .NET Framework 4 Extended Beta 2
"Microsoft Help 3.0 Beta 2" = Microsoft Help 3.0 Beta 2
"Microsoft SQL Server 10" = Microsoft SQL Server 2008
"Microsoft SQL Server 10 Release" = Microsoft SQL Server 2008
"Microsoft Visual C# 2010 Express Beta 2 - ENU" = Microsoft Visual C# 2010 Express Beta 2 - ENU
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"MWSnap 3" = MWSnap 3
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Notepad++" = Notepad++
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa 3" = Picasa 3
"PrimoPDF" = PrimoPDF -- by Nitro PDF Software
"RealPlayer 6.0" = RealPlayer
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"StormFront" = StormFront
"SubtitleWorkshop" = Subtitle Workshop 2.51
"SysInfo" = Creative System Information
"SystemRequirementsLab" = System Requirements Lab
"The Regex Coach_is1" = The Regex Coach 0.9.2
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Grep_is1" = Windows Grep 2.3
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinPatrol" = WinPatrol 2007
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yule Log" = Yule Log Screen Saver

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"727d1ea1876aa06e" = WowAceUpdater
"Google Chrome" = Google Chrome
"Spoon Sandbox Manager 3.11" = Spoon Sandbox Manager 3.11
"Spoon Sandbox Manager 3.12" = Spoon Sandbox Manager 3.12
"Spoon Sandbox Manager 3.14" = Spoon Sandbox Manager 3.14

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 4/5/2008 10:00:28 PM | Computer Name = THEGOAT | Source = avast! | ID = 33554522
Description = Internal error has occurred in module aswar scan function failed!,
function C0000005.

Error - 4/5/2008 11:30:57 PM | Computer Name = THEGOAT | Source = avast! | ID = 33554522
Description = Internal error has occurred in module aswar scan function failed!,
function C0000005.

Error - 11/7/2008 12:13:42 AM | Computer Name = THEGOAT | Source = avast! | ID = 33554522
Description = Internal error has occurred in module aswar scan function failed!,
function 00000002.

Error - 11/11/2008 7:20:20 PM | Computer Name = THEGOAT | Source = avast! | ID = 33554522
Description = Internal error has occurred in module aswar scan function failed!,
function 00000002.

Error - 11/11/2008 7:53:10 PM | Computer Name = THEGOAT | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestAddFile Error 1753.

Error - 11/13/2008 11:26:30 PM | Computer Name = THEGOAT | Source = avast! | ID = 33554522
Description = Internal error has occurred in module aswar scan function failed!,
Back to top
ASE



Joined: Feb 26, 2010
Posts: 9



PostPosted: Thu Mar 04, 2010 12:27 am    Post subject:

EXTRAS.txt continued:

---

Error - 11/13/2008 11:26:30 PM | Computer Name = THEGOAT | Source = avast! | ID = 33554522
Description = Internal error has occurred in module aswar scan function failed!,
function 00000002.

Error - 11/6/2009 12:11:44 AM | Computer Name = THEGOAT | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://www.youtube.com/get_video_info?&video_id=sJP0u-IL5G4&el...ofilepa
failed, 0000A413.

Error - 11/6/2009 2:44:45 AM | Computer Name = THEGOAT | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://media.mofosex.com/images/newheader/latest-vids-selected.png failed, 0000A413.


Error - 11/21/2009 2:30:46 PM | Computer Name = THEGOAT | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://www.msnbc.msn.com/id/22425448/device/xml/for/config/?.xml failed, 0000A413.


Error - 2/25/2010 8:55:14 PM | Computer Name = THEGOAT | Source = avast! | ID = 33554522
Description = Internal error has occurred in module aswar scan function failed!,
function 00000002.

[ Application Events ]
Error - 2/26/2010 2:37:20 AM | Computer Name = THEGOAT | Source = MSSQL$SQLEXPRESS | ID = 9954
Description = SQL Server failed to communicate with filter daemon launch service
(Windows error: The service cannot be started, either because it is disabled or
because it has no enabled devices associated with it. ). Full-Text filter daemon
process failed to start. Full-text search functionality will not be available.

Error - 2/26/2010 2:37:20 AM | Computer Name = THEGOAT | Source = Report Server Windows Service (SQLEXPRESS) | ID = 107
Description = Report Server Windows Service (SQLEXPRESS) cannot connect to the report
server database.

Error - 3/1/2010 2:08:09 AM | Computer Name = THEGOAT | Source = Report Server Windows Service (SQLEXPRESS) | ID = 107
Description = Report Server Windows Service (SQLEXPRESS) cannot connect to the report
server database.

Error - 3/1/2010 2:08:09 AM | Computer Name = THEGOAT | Source = MSSQL$SQLEXPRESS | ID = 9954
Description = SQL Server failed to communicate with filter daemon launch service
(Windows error: The service cannot be started, either because it is disabled or
because it has no enabled devices associated with it. ). Full-Text filter daemon
process failed to start. Full-text search functionality will not be available.

Error - 3/1/2010 2:08:10 AM | Computer Name = THEGOAT | Source = Report Server Windows Service (SQLEXPRESS) | ID = 107
Description = Report Server Windows Service (SQLEXPRESS) cannot connect to the report
server database.

Error - 3/1/2010 2:38:13 AM | Computer Name = THEGOAT | Source = MSSQL$SQLEXPRESS | ID = 9954
Description = SQL Server failed to communicate with filter daemon launch service
(Windows error: The service cannot be started, either because it is disabled or
because it has no enabled devices associated with it. ). Full-Text filter daemon
process failed to start. Full-text search functionality will not be available.

Error - 3/1/2010 2:43:35 AM | Computer Name = THEGOAT | Source = MSSQL$SQLEXPRESS | ID = 9954
Description = SQL Server failed to communicate with filter daemon launch service
(Windows error: The service cannot be started, either because it is disabled or
because it has no enabled devices associated with it. ). Full-Text filter daemon
process failed to start. Full-text search functionality will not be available.

Error - 3/1/2010 2:43:36 AM | Computer Name = THEGOAT | Source = Report Server Windows Service (SQLEXPRESS) | ID = 107
Description = Report Server Windows Service (SQLEXPRESS) cannot connect to the report
server database.

Error - 3/2/2010 10:21:35 PM | Computer Name = THEGOAT | Source = MSSQL$SQLEXPRESS | ID = 9954
Description = SQL Server failed to communicate with filter daemon launch service
(Windows error: The service cannot be started, either because it is disabled or
because it has no enabled devices associated with it. ). Full-Text filter daemon
process failed to start. Full-text search functionality will not be available.

Error - 3/2/2010 10:21:35 PM | Computer Name = THEGOAT | Source = Report Server Windows Service (SQLEXPRESS) | ID = 107
Description = Report Server Windows Service (SQLEXPRESS) cannot connect to the report
server database.

[ System Events ]
Error - 3/3/2010 6:55:28 PM | Computer Name = THEGOAT | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}

to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission
can be modified using the Component Services administrative tool.

Error - 3/3/2010 6:55:28 PM | Computer Name = THEGOAT | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}

to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission
can be modified using the Component Services administrative tool.

Error - 3/3/2010 7:14:58 PM | Computer Name = THEGOAT | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}

to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission
can be modified using the Component Services administrative tool.

Error - 3/3/2010 7:14:58 PM | Computer Name = THEGOAT | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}

to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission
can be modified using the Component Services administrative tool.

Error - 3/3/2010 7:34:28 PM | Computer Name = THEGOAT | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}

to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission
can be modified using the Component Services administrative tool.

Error - 3/3/2010 7:34:28 PM | Computer Name = THEGOAT | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}

to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission
can be modified using the Component Services administrative tool.

Error - 3/3/2010 7:53:58 PM | Computer Name = THEGOAT | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}

to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission
can be modified using the Component Services administrative tool.

Error - 3/3/2010 7:53:58 PM | Computer Name = THEGOAT | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}

to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission
can be modified using the Component Services administrative tool.

Error - 3/3/2010 8:13:28 PM | Computer Name = THEGOAT | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}

to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission
can be modified using the Component Services administrative tool.

Error - 3/3/2010 8:13:28 PM | Computer Name = THEGOAT | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}

to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission
can be modified using the Component Services administrative tool.


< End of report >
Back to top
ASE



Joined: Feb 26, 2010
Posts: 9



PostPosted: Thu Mar 04, 2010 12:43 am    Post subject:

I've just done a bunch of searches and clicked on the links in both Firefox and IE and it appears I may no longer be getting the redirects.

I'm wary that the problem might still be there, though. Appreciate the help so far.
Back to top
greyknight17



Joined: Feb 03, 2003
Posts: 5924

Location: Brooklyn, NY

PostPosted: Thu Mar 04, 2010 7:53 pm    Post subject:

Nothing was fixed...it's most likely still on your computer but dormant for the time being.

I usually don't like the TeaTimer feature in Spybot, but I see that you have it enabled. When your host file is changed (Yahoo entry added back), does Spybot prompt your about this change?

Please do a scan with Kaspersky Online Scanner at http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

* Click on the "Accept" button and install any components it needs.
* The program will install and then begin downloading the latest definition files.
* After the files have been downloaded on the left side of the page in the "Scan" section select "My Computer".
* This will start the program and scan your system.
* The scan will take a while, so be patient and let it run. (At times it may appear to stall)
* Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
* Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
* Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
* Once the scan is complete, click on "View scan report" To obtain the report:
* Click on: "Save Report As".
* Next, in the "Save as" prompt, "Save in" area, select: "Desktop"
* In the "File name" area, use KScan, or something similar. In "Save as type", click the drop arrow and select "Text file [*.txt]". Then click "Save".

Please post the Kaspersky Online Scanner Report in your reply.
Back to top
AIM Address Yahoo Messenger
ASE



Joined: Feb 26, 2010
Posts: 9



PostPosted: Fri Mar 05, 2010 5:32 am    Post subject:

Spybot TeaTimer doesn't notify me of the hosts file change. However, I have WinPatrol installed and it DOES notify me every time that line is added back to the file. It gives me the option to "deny" the change, but it never actually works. The line is added anyway.

Anyhow, I ran the Kaspersky scan and am a bit worried about what I see. It appears to have found Backdoor.Win32.Poison.axru, which doesn't look good.

Log below:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, March 5, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, March 05, 2010 00:32:25
Records in database: 3693247
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 136248
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 01:27:03


File name / Threat / Threats count
C:\Documents and Settings\Adam\Local Settings\Application Data\Xenocode\Sandbox\Spoon Plugin\3.11.0.7\2009.08.01T00.21\Native\STUBEXE\@PROGRAMFILES@\OpenOffice.org 2.4\program\stclient_wrapper.exe Infected: Backdoor.Win32.Poison.axru 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\nvata.sys.vir Infected: Rootkit.Win32.Tdss.ai 1

Selected area has been scanned.
Back to top
greyknight17



Joined: Feb 03, 2003
Posts: 5924

Location: Brooklyn, NY

PostPosted: Sat Mar 06, 2010 2:44 am    Post subject:

Don't know what I was thinking yesterday...TeaTimer only monitors registry changes. Sorry about that Rolling Eyes

That "backdoor trojan" that was detected is most likely a false positive. It belongs to Open Office and you have it sandboxed so it will cause no harm either way.

Download the file TDSSKiller http://support.kaspersky.com/downloads/utils/tdsskiller.zip
Extract it into a folder on the infected (or potentially infected) PC.
Double click on the extracted TDSSKiller.exe file.
Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over. If anything is detected, you should see it being removed on that window that's open.

Go to Start->Run, copy/paste in ComboFix /Uninstall and hit OK to remove it.

Let me know if the hosts file is still being hijacked after doing the above.
Back to top
AIM Address Yahoo Messenger
ASE



Joined: Feb 26, 2010
Posts: 9



PostPosted: Mon Mar 08, 2010 6:16 am    Post subject:

I downloaded the file and ran the scan and it indicated nothing was found.

I then uninstalled ComboFix.

I then removed the www.yahoo.com entry from my hosts file (via Spybot's hosts file editing function), waited for a bit, and it was not added back. I opened the actual hosts file, and only the standard localhost line is there. So it appears the hosts file is no longer being hijacked, though I'm not sure why.

Also no longer appear to be getting redirects.

I'm not sure at what point my issue may have been fixed. I tried some fixing of my own before posting here, but was still having redirect problems and have only followed your instructions since.

Let me know if you still suspect I have a problem. Thanks again.
Back to top
greyknight17



Joined: Feb 03, 2003
Posts: 5924

Location: Brooklyn, NY

PostPosted: Wed Mar 10, 2010 1:39 am    Post subject:

You may give it another day or so to confirm that all is well now. Other than that...Good job.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

If there are no more problems, please post back one more time indicating so and you should be set to go.
Back to top
AIM Address Yahoo Messenger
Display posts from previous:   
Post new topic   General Reply to Topic (not reply to a specific post)    Forums Home -> HijackThis Logs All times are: Eastern Time (US & Canada)
Page 1 of 1

 
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Warning: fopen(): open_basedir restriction in effect. File(/home/adsense_reject.txt) is not within the allowed path(s): (/home/helploc:/usr/lib/php:/usr/local/lib/php:/tmp) in /home/helploc/public_html/Giga/GigaFunctions.php on line 1144

Warning: fopen(/home/adsense_reject.txt): failed to open stream: Operation not permitted in /home/helploc/public_html/Giga/GigaFunctions.php on line 1144

Warning: fwrite() expects parameter 1 to be resource, boolean given in /home/helploc/public_html/Giga/GigaFunctions.php on line 1145

Warning: fclose() expects parameter 1 to be resource, boolean given in /home/helploc/public_html/Giga/GigaFunctions.php on line 1146