
Google redirect infection, among other things [Solved]


#1 street9009 (Member, 20 posts)
I am working on a PC for someone and it has, among other things, the Google redirect problem. I have read other posts and the logs requested for those with the Google problem are attached. (Followed the instructions here: http://www.geekstogo...s-t274316.html)

The other problems that the PC is having are Windows Updates won't install (the page won't display and error code 0x80072EFF is given), and it seems Microsoft.com is also blocked. A fresh install of Google Chrome won't do anything (can't connect to any websites).

I have done scans with Spybot, Malwarebytes, SUPERAntispyware, A-Squared, Avast, AVG, and I even put the hard drive in a drive cage and scanned it with Symantec Endpoint. The early scans cleaned up, but the later are showing everything is clean (when it clearly isn't).

The hosts file on the PC isn't compromised and the DNS entries appear to be valid.

I also ran HJT and that log is also attached.

Would very much appreciate help in getting this one straight.

Attached Files


Edited by street9009, 16 April 2010 - 11:02 PM.

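The symptoms in the first post (search redirects, microsoft.com unreachable, Windows Update failing with 0x80072EFF) are exactly what an analyst reads an OTL log for. As an added example, not part of the original thread and not code from OTL or the forum's helpers, the Python script below pulls the handful of line types that matter most for a redirect complaint out of an OTL-style log: O1 hosts entries other than localhost, O17 DNS servers, the IE ProxyEnable value, O37 .exe/.com shell associations (the Windows XP defaults are exefile and comfile), and hidden+system files with extensionless random-looking names in Application Data. The sample input is constructed, modelled on lines from the log posted later in this thread, with one made-up hosts entry (update.microsoft.com) added so the hosts check has something to catch; the expected-DNS allowlist is an analyst-supplied assumption, not something the log itself can decide.

```python
"""Triage helper for OTL-style logs (added example, not OTL's own code).

Pulls out the line types most relevant to a browser-redirect complaint:
hosts-file entries, DNS servers, IE proxy flag, .exe/.com shell associations
and hidden+system files with random extensionless names.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on lines from the posted log. The
# update.microsoft.com hosts entry is invented so the hosts check fires.
SAMPLE_OTL = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 update.microsoft.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = secfile] -- Reg Error: Key error. File not found
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found
[2010/04/15 18:55:14 | 000,013,702 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\4ML87
[2010/04/14 14:14:20 | 000,016,884 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\50vGiJ1FW7x2
[2010/04/16 22:44:08 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Thompson Insurance\ntuser.ini
"""

# One regex per OTL line type we care about.
ATTR_LINE = re.compile(
    r"^\[(?P<date>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| [MC]\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
HOSTS_LINE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)")
DNS_LINE = re.compile(r"(?:DhcpNameServer|NameServer) = (?P<servers>[\d. ]+)$")
ASSOC_LINE = re.compile(r"^O37 - (?P<hive>HKLM|HKCU)\\\.\.\.(?P<ext>exe|com) \[@ = (?P<value>\w+)\]")
PROXY_LINE = re.compile(r'"ProxyEnable" = (?P<val>\d)')

# The only hosts entries a clean XP box needs.
LOCALHOST_OK = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def triage(log_text, expected_dns=()):
    """Return {category: [finding, ...]} for one OTL log.

    expected_dns is an analyst-supplied allowlist (e.g. the ISP's resolvers);
    when given, any other server is reported under 'dns_unexpected'.
    """
    findings = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if m := HOSTS_LINE.match(line):
            if (m["ip"], m["host"]) not in LOCALHOST_OK:
                findings["hosts"].append(f"{m['ip']} {m['host']}")
            continue
        if m := DNS_LINE.search(line):
            for server in m["servers"].split():
                if expected_dns and server not in expected_dns:
                    findings["dns_unexpected"].append(server)
                else:
                    findings["dns"].append(server)
            continue
        if m := ASSOC_LINE.match(line):
            expected = f"{m['ext']}file"  # XP default: exefile / comfile
            if m["value"] != expected:
                findings["assoc"].append(
                    f"{m['hive']} .{m['ext']} -> {m['value']} (expected {expected})"
                )
            continue
        if m := PROXY_LINE.search(line):
            if m["val"] != "0":
                findings["proxy"].append(line)
            continue
        if m := ATTR_LINE.match(line):
            attrs, path = m["attrs"], m["path"]
            name = path.rsplit("\\", 1)[-1]
            # Hidden + System, a file (no D), and no extension: the naming
            # pattern of the 4ML87 / 50vGiJ1FW7x2 droppings in the log.
            if "H" in attrs and "S" in attrs and "D" not in attrs and "." not in name:
                findings["hidden_system_noext"].append(path)
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_OTL).items():
        print(category)
        for item in items:
            print("   ", item)
```

The script deliberately does not decide which DNS servers are "valid"; that is the analyst's call, which is why the allowlist is a parameter. The .exe association check is the one worth reading first on this kind of machine: a value other than exefile under HKLM means every launched .exe is routed through whatever the replacement handler points at, which is consistent with fresh installs of Chrome and security tools failing to work.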


#2 ali.B (Trusted Helper, Malware Removal, 3,086 posts)
Hello street9009, Welcome to Geeks To Go , I'm ali.B & I will be assisting you :)

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:
  • Be advised that I am still in training, so there may be a delay between replies. Each reply must be approved by a resident expert before it is posted to you.
  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
  • If you are unsure of how to reply, or need help with anything regarding the website, please look Here
I also recommend that you print these instructions as you may be required to boot in safe mode.

I'll post my instructions soon.

#3 ali.B (Trusted Helper, Malware Removal, 3,086 posts)
Will post the logs to make it easier for me to analyze them.

OTL logfile created on: 4/17/2010 12:49:12 AM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\Thompson Insurance\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

479.00 Mb Total Physical Memory | 135.00 Mb Available Physical Memory | 28.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 27.17 Gb Free Space | 72.91% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OFFICE-PC
Current User Name: Thompson Insurance
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/16 23:07:45 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Thompson Insurance\Desktop\OTL.exe
PRC - [2010/04/16 20:59:05 | 001,872,320 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe
PRC - [2010/04/14 12:47:08 | 002,790,472 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/08/27 11:27:44 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe
PRC - [2003/08/12 13:50:40 | 001,376,360 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\ACS\acsd.exe
PRC - [2003/05/15 17:45:54 | 000,114,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\type32.exe
PRC - [2003/05/15 17:41:16 | 000,163,840 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\point32.exe


========== Modules (SafeList) ==========

MOD - [2010/04/16 23:07:45 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Thompson Insurance\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/04/16 20:59:05 | 001,872,320 | ---- | M] (Emsi Software GmbH) [Auto | Running] -- C:\Program Files\a-squared Free\a2service.exe -- (a2free)
SRV - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/04/09 00:47:58 | 000,020,480 | ---- | M] (Intuit) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2006/11/09 16:30:14 | 000,065,536 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2005/10/06 19:12:30 | 000,855,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS)
SRV - [2003/08/27 11:27:44 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)
SRV - [2003/08/12 13:50:40 | 001,376,360 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\acsd.exe -- (AOL ACS)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 5C 7C 62 58 04 DD CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/04/16 10:23:36 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [type32] C:\Program Files\Microsoft IntelliType Pro\type32.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ccleaner] C:\Program Files\CCleaner\ccleaner.exe (Piriform Ltd)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {297AEB8E-D78B-427A-BBC2-E6496017D290} https://allapp.ahlco...ol/AHLDSync.cab (AHLDSync.ctlDataSync)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.syma...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1138037095375 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E5238271-D692-408F-A625-275DF49EE4E3} https://allapp.ahlco...LInfoUpdate.CAB (AHLInfoUpdate.Login)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/02/13 17:28:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = secfile] -- Reg Error: Key error. File not found
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/02/13 17:27:52 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: Ip6FwHlp - File not found

CREATERESTOREPOINT
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 14 Days ==========

[2010/04/16 23:07:41 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Thompson Insurance\Desktop\OTL.exe
[2010/04/16 22:45:17 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Thompson Insurance\Recent
[2010/04/16 22:41:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\Desktop\backups
[2010/04/16 20:52:18 | 000,000,000 | ---D | C] -- C:\Program Files\a-squared Free
[2010/04/16 20:52:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\My Documents\a-squared Free
[2010/04/16 20:42:53 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/16 20:42:47 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/16 20:42:24 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/04/16 20:41:02 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/16 20:40:19 | 074,121,968 | ---- | C] (Emsi Software GmbH ) -- C:\Documents and Settings\Thompson Insurance\Desktop\a2FreeSetup.exe
[2010/04/16 20:37:51 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Thompson Insurance\Desktop\HijackThis.exe
[2010/04/16 19:55:02 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/04/16 19:55:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/04/16 19:54:40 | 005,650,240 | ---- | C] (SurfRight B.V.) -- C:\Documents and Settings\Thompson Insurance\Desktop\HitmanPro35.exe
[2010/04/16 15:39:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\My Documents\Downloads
[2010/04/16 15:36:40 | 000,162,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/16 15:36:40 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/16 15:36:39 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/16 15:36:38 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/16 15:36:35 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/16 15:36:35 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/16 15:36:35 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/16 15:36:04 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/16 15:36:04 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/16 15:35:51 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/04/16 15:35:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/04/16 11:02:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/16 10:40:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2010/04/16 10:35:30 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/04/16 10:35:30 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/04/16 10:34:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/16 10:34:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/04/16 10:16:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot2
[2010/04/16 10:13:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\SoftwareDistribution
[2010/04/16 09:02:44 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/04/16 08:54:51 | 000,161,296 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/04/16 08:43:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2010/04/16 08:41:38 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/16 08:21:04 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/16 08:19:18 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/16 08:19:18 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/16 08:16:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/15 21:52:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/15 21:52:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/15 21:51:13 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/04/15 21:50:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\Application Data\Sun
[2010/04/15 21:34:22 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/04/15 21:03:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/04/15 21:03:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/15 19:01:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/04/15 19:01:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\Application Data\SUPERAntiSpyware.com
[2010/04/15 19:01:09 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/15 19:00:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\Application Data\Malwarebytes
[2010/04/15 19:00:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/15 18:54:36 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler
[2010/04/15 18:44:37 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/15 18:44:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/04/15 18:37:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\Western Digital
[2010/04/15 09:21:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\avG
[2010/04/14 09:02:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\avG
[2010/04/14 09:02:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avG
[2010/04/13 13:37:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/13 13:37:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/12 14:28:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/02/03 14:27:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/02/03 14:22:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2008/09/05 10:52:07 | 000,570,128 | ---- | C] (Microsoft Corporation) -- C:\Program Files\Common Files\DAO350.DLL
[2008/09/05 10:52:07 | 000,561,179 | ---- | C] (Microsoft Corporation) -- C:\Program Files\Common Files\dao360.dll
[2007/03/15 11:02:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Google
[2007/01/31 10:06:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Intuit
[2005/02/28 17:04:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Symantec
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/17 00:54:00 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{F8304665-2F87-4296-9734-BB2FA0D640B1}.job
[2010/04/17 00:37:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/16 23:07:45 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Thompson Insurance\Desktop\OTL.exe
[2010/04/16 23:03:40 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\Desktop\gmer.zip
[2010/04/16 22:45:37 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/16 22:45:16 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/16 22:45:11 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/16 22:45:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/16 22:44:18 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\Thompson Insurance\NTUSER.DAT
[2010/04/16 22:44:08 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Thompson Insurance\ntuser.ini
[2010/04/16 22:43:55 | 005,367,552 | -H-- | M] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\IconCache.db
[2010/04/16 22:14:54 | 000,000,448 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{FBB64FB1-BDAF-43F9-BF36-142543C81592}.job
[2010/04/16 20:52:46 | 000,000,648 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\a-squared Free.lnk
[2010/04/16 20:40:28 | 074,121,968 | ---- | M] (Emsi Software GmbH ) -- C:\Documents and Settings\Thompson Insurance\Desktop\a2FreeSetup.exe
[2010/04/16 20:37:52 | 000,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Thompson Insurance\Desktop\HijackThis.exe
[2010/04/16 20:36:45 | 003,916,775 | R--- | M] () -- C:\Documents and Settings\Thompson Insurance\Desktop\ComboFix.exe
[2010/04/16 20:03:31 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/16 19:58:02 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/16 19:55:02 | 000,001,663 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/04/16 19:54:40 | 005,650,240 | ---- | M] (SurfRight B.V.) -- C:\Documents and Settings\Thompson Insurance\Desktop\HitmanPro35.exe
[2010/04/16 15:37:42 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/04/16 15:36:41 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/04/16 15:36:36 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/16 15:34:57 | 048,417,032 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\Desktop\setup_av_free.exe
[2010/04/16 11:03:16 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/16 10:23:46 | 000,001,856 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2010/04/16 08:54:50 | 000,161,296 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/04/16 08:33:12 | 000,000,239 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/16 08:06:36 | 000,000,314 | RHS- | M] () -- C:\boot.ini
[2010/04/15 22:10:38 | 000,011,264 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/15 22:04:45 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/15 21:48:48 | 000,036,576 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/15 21:17:30 | 000,175,464 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/15 18:55:14 | 000,013,702 | -HS- | M] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\4ML87
[2010/04/15 18:55:14 | 000,013,702 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\4ML87
[2010/04/15 18:40:41 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\Desktop\CCleaner.lnk
[2010/04/15 09:39:23 | 000,000,687 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/14 14:14:20 | 000,016,884 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\50vGiJ1FW7x2
[2010/04/14 14:04:42 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & SHUMATE CONTRACT-#32.doc
[2010/04/14 12:47:23 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/14 12:47:03 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/14 12:35:47 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/14 12:35:25 | 000,162,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/14 12:31:39 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/14 12:31:12 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/14 12:31:09 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/14 12:31:01 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/14 12:30:45 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/13 09:54:10 | 000,016,724 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\E. Dean Nuckles.lwp
[2010/04/13 09:53:36 | 000,015,548 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\CARY'S COMMISSION.lwp
[2010/04/12 11:51:46 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\TWILIGHT DEVELOPMENT-MAR, 2010.doc
[2010/04/06 11:22:26 | 000,033,280 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\MONTHLY RENT PAYMENTS 2010.doc
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/16 23:03:52 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\Desktop\gmer.exe
[2010/04/16 23:03:38 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\Desktop\gmer.zip
[2010/04/16 20:52:45 | 000,000,648 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\a-squared Free.lnk
[2010/04/16 20:42:54 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/16 20:42:53 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/16 20:36:36 | 003,916,775 | R--- | C] () -- C:\Documents and Settings\Thompson Insurance\Desktop\ComboFix.exe
[2010/04/16 19:55:19 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/16 19:55:02 | 000,001,663 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/04/16 15:37:42 | 000,001,813 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/04/16 15:36:41 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/04/16 15:34:47 | 048,417,032 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\Desktop\setup_av_free.exe
[2010/04/16 11:54:41 | 000,000,420 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{F8304665-2F87-4296-9734-BB2FA0D640B1}.job
[2010/04/16 11:03:16 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/16 11:02:34 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/16 10:23:46 | 000,001,856 | ---- | C] () -- C:\WINDOWS\System32\tmp.reg
[2010/04/16 08:21:12 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/04/16 08:21:07 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/16 08:19:18 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/16 08:19:18 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/16 08:19:18 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/15 22:04:45 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/15 21:30:31 | 000,000,448 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{FBB64FB1-BDAF-43F9-BF36-142543C81592}.job
[2010/04/14 14:04:42 | 000,028,672 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & SHUMATE CONTRACT-#32.doc
[2010/04/14 11:12:53 | 000,016,884 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\50vGiJ1FW7x2
[2010/04/14 11:12:53 | 000,016,884 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\50vGiJ1FW7x2
[2010/04/14 09:02:10 | 000,013,702 | -HS- | C] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\4ML87
[2010/04/13 13:38:06 | 000,013,702 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4ML87
[2010/04/13 13:38:06 | 000,013,522 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\4ML87
[2010/04/12 11:51:46 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\My Documents\TWILIGHT DEVELOPMENT-MAR, 2010.doc
[2007/02/13 11:02:37 | 000,000,141 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\fusioncache.dat
[2005/09/14 12:30:53 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/08/26 12:23:57 | 000,000,105 | ---- | C] () -- C:\WINDOWS\upst.ini
[2005/04/25 13:42:26 | 000,000,075 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\LuResult.txt
[2005/01/11 18:02:33 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\ntuser.dat
[2005/01/11 18:02:33 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\ntuser.dat.LOG
[2004/07/28 15:05:35 | 000,000,241 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2004/06/07 15:15:30 | 000,000,049 | ---- | C] () -- C:\WINDOWS\upth.ini
[2004/06/07 15:15:30 | 000,000,024 | ---- | C] () -- C:\WINDOWS\atid.ini
[2004/02/16 15:38:39 | 000,176,594 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\~
[2004/02/16 14:05:46 | 000,000,713 | ---- | C] () -- C:\WINDOWS\IHEALTH.INI
[2004/02/16 14:05:45 | 000,000,346 | ---- | C] () -- C:\WINDOWS\valuterm.ini
[2004/02/16 14:02:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2004/02/16 13:44:56 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\Fdfacx.dll
[2004/02/16 13:44:56 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\regobj.dll
[2004/02/16 13:44:55 | 000,317,440 | ---- | C] () -- C:\WINDOWS\System32\FdfTk.dll
[2004/02/14 14:59:42 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/02/14 14:14:30 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/02/13 17:46:26 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Thompson Insurance\ntuser.dat.LOG
[2004/02/13 17:46:26 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Thompson Insurance\ntuser.ini
[2004/02/13 17:46:25 | 003,670,016 | -H-- | C] () -- C:\Documents and Settings\Thompson Insurance\NTUSER.DAT

========== LOP Check ==========

[2010/04/16 15:35:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/04/14 09:02:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avG
[2007/01/30 14:46:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2010/04/16 19:55:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/04/15 21:04:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/05/22 19:10:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Thompson Insurance\Application Data\GetRightToGo
[2004/07/19 16:26:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Thompson Insurance\Application Data\Leadertech
[2010/04/15 21:04:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Thompson Insurance\Application Data\Viewpoint
[2010/04/17 00:54:00 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{F8304665-2F87-4296-9734-BB2FA0D640B1}.job
[2010/04/16 22:14:54 | 000,000,448 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{FBB64FB1-BDAF-43F9-BF36-142543C81592}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/08/22 09:03:25 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/08/22 09:03:25 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2003/03/31 08:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/08/22 09:03:25 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/08/22 09:03:25 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2002/08/29 02:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[2009/08/06 20:23:54 | 000,575,704 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\wuapi.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/02/13 12:02:28 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/02/13 12:02:28 | 000,602,112 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/02/13 12:02:28 | 000,397,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/14 12:30:45 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aavmker4.sys
[2010/04/14 12:31:01 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys
[2010/04/14 12:31:09 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswmon.sys
[2010/04/14 12:31:12 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswmon2.sys
[2010/04/14 12:31:39 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswRdr.sys
[2010/04/14 12:35:25 | 000,162,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswSP.sys
[2010/04/14 12:35:47 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswTdi.sys
[2010/04/16 19:58:02 | 000,015,944 | ---- | M] () -- C:\WINDOWS\system32\drivers\hitmanpro35.sys
[2010/02/24 09:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2010/04/16 06:44:29 | 000,003,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\PCIIde.sys
[2010/02/11 08:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys
[2010/04/16 08:54:50 | 000,161,296 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\tmcomm.sys
< End of report >

OTL Extras logfile created on: 4/17/2010 12:49:12 AM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\Thompson Insurance\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

479.00 Mb Total Physical Memory | 135.00 Mb Available Physical Memory | 28.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 27.17 Gb Free Space | 72.91% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OFFICE-PC
Current User Name: Thompson Insurance
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- Reg Error: Key error. File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- (America Online, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- (America Online, Inc.)
"C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager -- (iAnywhere Solutions, Inc.)
"C:\Fipsco Life Portraits\AHL\AHLWebServer.exe" = C:\Fipsco Life Portraits\AHL\AHLWebServer.exe:*:Enabled:AHLWebServer -- (Fiserv)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0AB6D4F3-B460-408B-9ED5-8AAAA8CB5A68}" = Golden Rule Individual Health 12.1
"{0EB9D057-5811-45A1-A2A1-E141AE62FAAB}" = AllApp - LPES
"{11B569C2-4BF6-4ED0-9D17-A4273943CB24}" = Adobe Photoshop Album 2.0 Starter Edition
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{797EE0CA-8165-405C-B5CE-F11EC20F1BB0}" = Microsoft VC9 runtime libraries
"{7E545666-F422-45FD-B3DF-C0B99A1A579F}" = QuickBooks Pro 2007
"{81463B08-A929-4125-A5F4-1B053AC35A09}" = Microsoft IntelliType Pro 5.0
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{91208A47-5D08-4C79-986F-1931940F51BB}" = QuickBooks Product Listing Service
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4D7B764-4140-11D4-88EB-0050DA3579C0}" = Nero - Burning Rom
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF6E7481-4487-46D3-810A-F73EEA232CE0}" = Microsoft IntelliPoint 5.0
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"All Products" = All Products
"AllApp" = AllApp
"America Online us" = America Online (Choose which version to remove)
"AolCoach" = AOL Coach Version 1.0(Build:20030807.3)
"a-squared Free_is1" = a-squared Free 4.5
"avast5" = avast! Free Antivirus
"CCleaner" = CCleaner
"CXT1034" = SUPRAMAX V.92 PCI PRO
"Defraggler" = Defraggler
"FaxTalk Communicator 4.5" = FaxTalk Communicator 4.5
"Google Chrome" = Google Chrome
"HijackThis" = HijackThis 2.0.2
"HitmanPro35" = Hitman Pro 3.5
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nForce Drivers" = NVIDIA nForce Drivers
"Prospector Version 6.0" = Prospector Version 6.0
"Prospector Version 6.1" = Prospector Version 6.1
"Prospector Version 6.2.0" = Prospector Version 6.2.0
"Prospector Version 6.3.0" = Prospector Version 6.3.0
"Prospector Version 6.4.0" = Prospector Version 6.4.0
"Prospector Version 6.4.7" = Prospector Version 6.4.7
"Prospector Version 7.0.0" = Prospector Version 7.0.0
"Prospector Version 7.1.0" = Prospector Version 7.1.0
"Prospector Version 7.2.0" = Prospector Version 7.2.0
"Prospector Version 7.3.0" = Prospector Version 7.3.0
"QuickTime" = QuickTime
"RealPlayer 6.0" = RealPlayer Basic
"SmartSuite V98.0" = Lotus SmartSuite Release 9
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"StreetPlugin" = Learn2 Player (Uninstall Only)
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"WinZip" = WinZip
"WorldIns" = WorldIns

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/5/2009 3:02:12 PM | Computer Name = OFFICE-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.18852, fault address 0x0029af2b.

Error - 3/2/2010 10:29:36 AM | Computer Name = OFFICE-PC | Source = Microsoft Office 10 | ID = 1000
Description = Faulting application winword.exe, version 10.0.6856.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 4/15/2010 6:41:23 PM | Computer Name = OFFICE-PC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 4/15/2010 8:40:49 PM | Computer Name = OFFICE-PC | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module Flash10e.ocx, version 10.0.45.2, fault address 0x0009cfdb.

Error - 4/16/2010 3:22:51 AM | Computer Name = OFFICE-PC | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module Flash10e.ocx, version 10.0.45.2, fault address 0x000e6dea.

Error - 4/16/2010 10:47:17 AM | Computer Name = OFFICE-PC | Source = MsiInstaller | ID = 1008
Description = The installation of C:\Documents and Settings\Thompson Insurance\Desktop\Symantec
Antivirus 11.05 with Registry Fix\SEP\Symantec AntiVirus.msi is not permitted due
to an error in software restriction policy processing. The object cannot be trusted.

Error - 4/16/2010 3:20:48 PM | Computer Name = OFFICE-PC | Source = MsiInstaller | ID = 10005
Description = Product: Symantec Endpoint Protection -- Symantec Endpoint Protection
has detected that there are pending system changes that require a reboot. Please
reboot the system and rerun the installation.

Error - 4/16/2010 3:21:10 PM | Computer Name = OFFICE-PC | Source = MsiInstaller | ID = 10005
Description = Product: Symantec Endpoint Protection -- Symantec Endpoint Protection
has detected that there are pending system changes that require a reboot. Please
reboot the system and rerun the installation.

Error - 4/16/2010 3:35:16 PM | Computer Name = OFFICE-PC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 4/16/2010 3:35:17 PM | Computer Name = OFFICE-PC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 4/16/2010 8:51:47 PM | Computer Name = OFFICE-PC | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 4/16/2010 8:52:04 PM | Computer Name = OFFICE-PC | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 4/16/2010 8:52:09 PM | Computer Name = OFFICE-PC | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2

Error - 4/16/2010 8:59:34 PM | Computer Name = OFFICE-PC | Source = Service Control Manager | ID = 7031
Description = The a-squared Free Service service terminated unexpectedly. It has
done this 1 time(s). The following corrective action will be taken in 0 milliseconds:
Restart the service.

Error - 4/16/2010 10:45:21 PM | Computer Name = OFFICE-PC | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 4/16/2010 10:45:26 PM | Computer Name = OFFICE-PC | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2

Error - 4/16/2010 10:45:31 PM | Computer Name = OFFICE-PC | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/16/2010 10:45:31 PM | Computer Name = OFFICE-PC | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 4/17/2010 12:49:29 AM | Computer Name = OFFICE-PC | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 4/17/2010 12:49:30 AM | Computer Name = OFFICE-PC | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2


< End of report >

#4 ali.B (Trusted Helper, Malware Removal, 3,086 posts)
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-17 00:48:19
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\THOMPS~1\LOCALS~1\Temp\pwliapod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB2D3AC08]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB2D3AAC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xB2D3B078]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB2D3AFA2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB2D3A69A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB2D3AB9E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB2D3A5DA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB2D3A63E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB2D3ACBE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xB2D3B146]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB2D3AC7E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB2D3ADFE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xB2D4750A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xB2D4732E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xB2D47468]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ObInsertObject 8056503A 5 Bytes JMP B2D4497E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 805652B3 7 Bytes JMP B2D47332 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FE4C 7 Bytes JMP B2D4750E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059F8CA 5 Bytes JMP B2D434AA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805A3B73 7 Bytes JMP B2D4746C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.rsrc C:\WINDOWS\system32\drivers\pciide.sys entry point in ".rsrc" section [0xF7A4F814]
init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF75D0A0C]
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF6745340, 0xFC99F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9D6300, 0x234EA0, 0xF8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[988] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[988] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[988] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[988] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[988] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 017A000A
.text C:\WINDOWS\System32\svchost.exe[988] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0179000A
.text C:\Program Files\a-squared Free\a2service.exe[1280] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 00454E05 C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
.text C:\WINDOWS\Explorer.EXE[1488] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1488] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\Explorer.EXE[1488] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3420] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3420] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3420] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3420] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3420] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3420] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3420] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3420] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3420] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3420] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3420] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3420] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3512] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3512] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3512] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3512] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3512] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3512] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3512] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3512] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3512] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3512] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3512] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3512] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3512] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3512] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3512] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3512] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3512] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 856A2AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
#5
ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
Hi,

  • Open OTL
  • Under the Custom Scan box paste this in

    /md5start
    pciide.sys
    /md5stop

  • Click the Run Scan button.


When done, post the log it produces.

#6
street9009

    Member

  • Topic Starter
  • Member
  • 20 posts
Sure thing. Here's the resulting log:

OTL logfile created on: 4/17/2010 9:48:34 AM - Run 2
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\Thompson Insurance\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

479.00 Mb Total Physical Memory | 89.00 Mb Available Physical Memory | 19.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 27.12 Gb Free Space | 72.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OFFICE-PC
Current User Name: Thompson Insurance
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/16 23:07:45 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Thompson Insurance\Desktop\OTL.exe
PRC - [2010/04/16 20:59:05 | 001,872,320 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe
PRC - [2010/04/14 12:47:08 | 002,790,472 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/08/27 11:27:44 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe
PRC - [2003/08/12 13:50:40 | 001,376,360 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\ACS\acsd.exe
PRC - [2003/05/15 17:45:54 | 000,114,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\type32.exe
PRC - [2003/05/15 17:41:16 | 000,163,840 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\point32.exe


========== Modules (SafeList) ==========

MOD - [2010/04/16 23:07:45 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Thompson Insurance\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/04/16 20:59:05 | 001,872,320 | ---- | M] (Emsi Software GmbH) [Auto | Running] -- C:\Program Files\a-squared Free\a2service.exe -- (a2free)
SRV - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/04/09 00:47:58 | 000,020,480 | ---- | M] (Intuit) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2006/11/09 16:30:14 | 000,065,536 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2005/10/06 19:12:30 | 000,855,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS)
SRV - [2003/08/27 11:27:44 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)
SRV - [2003/08/12 13:50:40 | 001,376,360 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\acsd.exe -- (AOL ACS)


========== Driver Services (SafeList) ==========

DRV - [2010/04/14 12:35:47 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/04/14 12:35:25 | 000,162,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/04/14 12:31:39 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/04/14 12:31:12 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/04/14 12:31:01 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/04/14 12:30:45 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2004/10/22 10:41:46 | 000,413,824 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA® nForce™
DRV - [2004/10/22 10:38:28 | 000,053,376 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA® nForce™
DRV - [2004/02/14 15:19:07 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2003/08/04 03:56:02 | 000,884,614 | ---- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\winachcf.sys -- (Winachcf)
DRV - [2003/06/13 13:31:00 | 001,323,995 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/03/19 16:51:00 | 000,018,688 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2003/01/10 18:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/11/27 21:52:00 | 000,080,896 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENET.sys -- (NVENET)
DRV - [2001/08/17 14:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 09:28:02 | 000,907,456 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HCF_MSFT.sys -- (HCF_MSFT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 5C 7C 62 58 04 DD CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/04/16 10:23:36 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [type32] C:\Program Files\Microsoft IntelliType Pro\type32.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ccleaner] C:\Program Files\CCleaner\ccleaner.exe (Piriform Ltd)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {297AEB8E-D78B-427A-BBC2-E6496017D290} https://allapp.ahlco...ol/AHLDSync.cab (AHLDSync.ctlDataSync)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.syma...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1138037095375 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E5238271-D692-408F-A625-275DF49EE4E3} https://allapp.ahlco...LInfoUpdate.CAB (AHLInfoUpdate.Login)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/02/13 17:28:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = secfile] -- Reg Error: Key error. File not found
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/04/17 09:45:19 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Thompson Insurance\Recent
[2010/04/16 23:07:41 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Thompson Insurance\Desktop\OTL.exe
[2010/04/16 22:41:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\Desktop\backups
[2010/04/16 20:52:18 | 000,000,000 | ---D | C] -- C:\Program Files\a-squared Free
[2010/04/16 20:52:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\My Documents\a-squared Free
[2010/04/16 20:42:53 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/16 20:42:47 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/16 20:42:24 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/04/16 20:41:02 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/16 20:40:19 | 074,121,968 | ---- | C] (Emsi Software GmbH ) -- C:\Documents and Settings\Thompson Insurance\Desktop\a2FreeSetup.exe
[2010/04/16 20:37:51 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Thompson Insurance\Desktop\HijackThis.exe
[2010/04/16 19:55:02 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/04/16 19:55:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/04/16 19:54:40 | 005,650,240 | ---- | C] (SurfRight B.V.) -- C:\Documents and Settings\Thompson Insurance\Desktop\HitmanPro35.exe
[2010/04/16 15:39:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\My Documents\Downloads
[2010/04/16 15:36:40 | 000,162,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/16 15:36:40 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/16 15:36:39 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/16 15:36:38 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/16 15:36:35 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/16 15:36:35 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/16 15:36:35 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/16 15:36:04 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/16 15:36:04 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/16 15:35:51 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/04/16 15:35:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/04/16 11:02:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/16 10:40:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2010/04/16 10:35:30 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/04/16 10:35:30 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/04/16 10:34:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/16 10:34:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/04/16 10:16:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot2
[2010/04/16 10:13:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\SoftwareDistribution
[2010/04/16 09:02:44 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/04/16 08:54:51 | 000,161,296 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/04/16 08:43:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2010/04/16 08:41:38 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/16 08:21:04 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/16 08:19:18 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/16 08:19:18 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/16 08:16:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/15 21:52:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/15 21:52:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/15 21:51:45 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/04/15 21:51:45 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/15 21:51:44 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/15 21:51:44 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/15 21:51:44 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/15 21:51:13 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/04/15 21:50:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\Application Data\Sun
[2010/04/15 21:34:22 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/04/15 21:03:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/04/15 21:03:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/15 19:01:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/04/15 19:01:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\Application Data\SUPERAntiSpyware.com
[2010/04/15 19:01:09 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/15 19:00:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\Application Data\Malwarebytes
[2010/04/15 19:00:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/15 18:54:36 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler
[2010/04/15 18:44:37 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/15 18:44:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/04/15 18:37:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\Western Digital
[2010/04/15 09:21:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\avG
[2010/04/14 09:02:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\avG
[2010/04/14 09:02:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avG
[2010/04/13 13:37:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/13 13:37:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/12 14:28:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/02/03 14:27:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/02/03 14:22:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2008/09/05 10:52:07 | 000,570,128 | ---- | C] (Microsoft Corporation) -- C:\Program Files\Common Files\DAO350.DLL
[2008/09/05 10:52:07 | 000,561,179 | ---- | C] (Microsoft Corporation) -- C:\Program Files\Common Files\dao360.dll
[2007/03/15 11:02:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Google
[2007/01/31 10:06:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Intuit
[2005/02/28 17:04:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Symantec
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/17 09:49:00 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{F8304665-2F87-4296-9734-BB2FA0D640B1}.job
[2010/04/17 09:46:50 | 000,000,448 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{FBB64FB1-BDAF-43F9-BF36-142543C81592}.job
[2010/04/17 09:45:39 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/17 09:45:12 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/17 09:45:07 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/17 09:45:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/17 01:05:58 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\Thompson Insurance\NTUSER.DAT
[2010/04/17 01:05:48 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Thompson Insurance\ntuser.ini
[2010/04/17 00:37:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/16 23:07:45 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Thompson Insurance\Desktop\OTL.exe
[2010/04/16 23:03:40 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\Desktop\gmer.zip
[2010/04/16 22:43:55 | 005,367,552 | -H-- | M] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\IconCache.db
[2010/04/16 20:52:46 | 000,000,648 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\a-squared Free.lnk
[2010/04/16 20:40:28 | 074,121,968 | ---- | M] (Emsi Software GmbH ) -- C:\Documents and Settings\Thompson Insurance\Desktop\a2FreeSetup.exe
[2010/04/16 20:37:52 | 000,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Thompson Insurance\Desktop\HijackThis.exe
[2010/04/16 20:36:45 | 003,916,775 | R--- | M] () -- C:\Documents and Settings\Thompson Insurance\Desktop\ComboFix.exe
[2010/04/16 20:03:31 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/16 19:58:02 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/16 19:55:02 | 000,001,663 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/04/16 19:54:40 | 005,650,240 | ---- | M] (SurfRight B.V.) -- C:\Documents and Settings\Thompson Insurance\Desktop\HitmanPro35.exe
[2010/04/16 15:37:42 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/04/16 15:36:41 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/04/16 15:36:36 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/16 15:34:57 | 048,417,032 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\Desktop\setup_av_free.exe
[2010/04/16 11:03:16 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/16 10:23:46 | 000,001,856 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2010/04/16 08:54:50 | 000,161,296 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/04/16 08:33:12 | 000,000,239 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/16 08:06:36 | 000,000,314 | RHS- | M] () -- C:\boot.ini
[2010/04/15 23:01:37 | 000,003,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pciide.sys
[2010/04/15 22:10:38 | 000,011,264 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/15 22:04:45 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/15 21:51:20 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/04/15 21:51:20 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/15 21:51:20 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/15 21:51:20 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/15 21:51:20 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/15 21:48:48 | 000,036,576 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/15 21:17:30 | 000,175,464 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/15 18:55:14 | 000,013,702 | -HS- | M] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\4ML87
[2010/04/15 18:55:14 | 000,013,702 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\4ML87
[2010/04/15 18:40:41 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\Desktop\CCleaner.lnk
[2010/04/15 09:39:23 | 000,000,687 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/14 14:14:20 | 000,016,884 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\50vGiJ1FW7x2
[2010/04/14 14:04:42 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & SHUMATE CONTRACT-#32.doc
[2010/04/14 12:47:23 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/14 12:47:03 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/14 12:35:47 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/14 12:35:25 | 000,162,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/14 12:31:39 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/14 12:31:12 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/14 12:31:09 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/14 12:31:01 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/14 12:30:45 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/13 09:54:10 | 000,016,724 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\E. Dean Nuckles.lwp
[2010/04/13 09:53:36 | 000,015,548 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\CARY'S COMMISSION.lwp
[2010/04/12 11:51:46 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\TWILIGHT DEVELOPMENT-MAR, 2010.doc
[2010/04/06 11:22:26 | 000,033,280 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\MONTHLY RENT PAYMENTS 2010.doc
[2010/03/30 11:44:54 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & THOMPSON INC-FEB, 2010 VISA.doc
[2010/03/30 11:39:18 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & THOMPSON INC-JAN, 2010 VISA.doc
[2010/03/29 14:21:37 | 000,043,008 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\Desktop\Doc1.doc
[2010/03/23 14:35:54 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & THOMPSON, INC-FEB, 2010.doc
[2010/03/23 13:36:43 | 000,158,720 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & THOMPSON INC-FEB, 2010.doc
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/16 23:03:52 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\Desktop\gmer.exe
[2010/04/16 23:03:38 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\Desktop\gmer.zip
[2010/04/16 20:52:45 | 000,000,648 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\a-squared Free.lnk
[2010/04/16 20:42:54 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/16 20:42:53 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/16 20:36:36 | 003,916,775 | R--- | C] () -- C:\Documents and Settings\Thompson Insurance\Desktop\ComboFix.exe
[2010/04/16 19:55:19 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/16 19:55:02 | 000,001,663 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/04/16 15:37:42 | 000,001,813 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/04/16 15:36:41 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/04/16 15:34:47 | 048,417,032 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\Desktop\setup_av_free.exe
[2010/04/16 11:54:41 | 000,000,420 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{F8304665-2F87-4296-9734-BB2FA0D640B1}.job
[2010/04/16 11:03:16 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/16 11:02:34 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/16 10:23:46 | 000,001,856 | ---- | C] () -- C:\WINDOWS\System32\tmp.reg
[2010/04/16 08:21:12 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/04/16 08:21:07 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/16 08:19:18 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/16 08:19:18 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/16 08:19:18 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/15 22:04:45 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/15 21:30:31 | 000,000,448 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{FBB64FB1-BDAF-43F9-BF36-142543C81592}.job
[2010/04/14 14:04:42 | 000,028,672 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & SHUMATE CONTRACT-#32.doc
[2010/04/14 11:12:53 | 000,016,884 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\50vGiJ1FW7x2
[2010/04/14 11:12:53 | 000,016,884 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\50vGiJ1FW7x2
[2010/04/14 09:02:10 | 000,013,702 | -HS- | C] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\4ML87
[2010/04/13 13:38:06 | 000,013,702 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4ML87
[2010/04/13 13:38:06 | 000,013,522 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\4ML87
[2010/04/12 11:51:46 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\My Documents\TWILIGHT DEVELOPMENT-MAR, 2010.doc
[2010/03/30 11:44:54 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & THOMPSON INC-FEB, 2010 VISA.doc
[2010/03/30 11:39:18 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & THOMPSON INC-JAN, 2010 VISA.doc
[2010/03/19 12:36:00 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & THOMPSON, INC-FEB, 2010.doc
[2010/03/18 14:51:17 | 000,158,720 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & THOMPSON INC-FEB, 2010.doc
[2007/02/13 11:02:37 | 000,000,141 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\fusioncache.dat
[2005/09/14 12:30:53 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/08/26 12:23:57 | 000,000,105 | ---- | C] () -- C:\WINDOWS\upst.ini
[2005/04/25 13:42:26 | 000,000,075 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\LuResult.txt
[2005/01/11 18:02:33 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\ntuser.dat
[2005/01/11 18:02:33 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\ntuser.dat.LOG
[2004/07/28 15:05:35 | 000,000,241 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2004/06/07 15:15:30 | 000,000,049 | ---- | C] () -- C:\WINDOWS\upth.ini
[2004/06/07 15:15:30 | 000,000,024 | ---- | C] () -- C:\WINDOWS\atid.ini
[2004/02/16 15:38:39 | 000,176,594 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\~
[2004/02/16 14:05:46 | 000,000,713 | ---- | C] () -- C:\WINDOWS\IHEALTH.INI
[2004/02/16 14:05:45 | 000,000,346 | ---- | C] () -- C:\WINDOWS\valuterm.ini
[2004/02/16 14:02:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2004/02/16 13:44:56 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\Fdfacx.dll
[2004/02/16 13:44:56 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\regobj.dll
[2004/02/16 13:44:55 | 000,317,440 | ---- | C] () -- C:\WINDOWS\System32\FdfTk.dll
[2004/02/14 14:59:42 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/02/14 14:14:30 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/02/13 17:46:26 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Thompson Insurance\ntuser.dat.LOG
[2004/02/13 17:46:26 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Thompson Insurance\ntuser.ini
[2004/02/13 17:46:25 | 003,670,016 | -H-- | C] () -- C:\Documents and Settings\Thompson Insurance\NTUSER.DAT

========== Custom Scans ==========



< MD5 for: PCIIDE.SYS >
[2010/04/15 23:01:37 | 000,003,328 | ---- | M] (Microsoft Corporation) MD5=CCF5F451BB1A5A2A522A76E670000FF0 -- C:\WINDOWS\system32\dllcache\pciide.sys
[2001/08/17 14:51:52 | 000,003,328 | ---- | M] (Microsoft Corporation) MD5=CCF5F451BB1A5A2A522A76E670000FF0 -- C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\i386\pciide.sys
[2010/04/16 06:44:29 | 000,003,328 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\PCIIde.sys
< End of report >

#7
ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
Hi

First, please download the attached file fix.txt and save it on your desktop.

Now

Restart your computer, and then press F8 repeatedly. The "Windows Advanced Options Menu" will appear; choose "Safe Mode" and hit Enter.

Once you're in Safe Mode:
  • Run OTL
  • Click Run Fix, then click OK to load a file.
  • Select fix.txt
  • Now click Run Fix
  • Let the program run unhindered, and reboot to Normal Mode when it is done.
  • Then post a new OTL log

When back in Normal Mode:

Download the GMER Rootkit Scanner.

  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button and wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Please copy and paste the report into your post.

Attached Files

  • Attached File  fix.txt   125 bytes


#8
street9009

    Member

  • Topic Starter
  • Member
  • 20 posts
OK, I've followed your directions and here are the new scans, OTL first, then GMER:

OTL logfile created on: 4/17/2010 3:28:09 PM - Run 3
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\Thompson Insurance\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

479.00 Mb Total Physical Memory | 140.00 Mb Available Physical Memory | 29.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 27.17 Gb Free Space | 72.91% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OFFICE-PC
Current User Name: Thompson Insurance
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/16 23:07:45 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Thompson Insurance\Desktop\OTL.exe
PRC - [2010/04/16 20:59:05 | 001,872,320 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe
PRC - [2010/04/14 12:47:08 | 002,790,472 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/08/27 11:27:44 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe
PRC - [2003/08/12 13:50:40 | 001,376,360 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\ACS\acsd.exe
PRC - [2003/05/15 17:45:54 | 000,114,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\type32.exe
PRC - [2003/05/15 17:41:16 | 000,163,840 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\point32.exe


========== Modules (SafeList) ==========

MOD - [2010/04/16 23:07:45 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Thompson Insurance\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/04/16 20:59:05 | 001,872,320 | ---- | M] (Emsi Software GmbH) [Auto | Running] -- C:\Program Files\a-squared Free\a2service.exe -- (a2free)
SRV - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/04/14 12:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/04/09 00:47:58 | 000,020,480 | ---- | M] (Intuit) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2006/11/09 16:30:14 | 000,065,536 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2005/10/06 19:12:30 | 000,855,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS)
SRV - [2003/08/27 11:27:44 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)
SRV - [2003/08/12 13:50:40 | 001,376,360 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\acsd.exe -- (AOL ACS)


========== Driver Services (SafeList) ==========

DRV - [2010/04/14 12:35:47 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/04/14 12:35:25 | 000,162,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/04/14 12:31:39 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/04/14 12:31:12 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/04/14 12:31:01 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/04/14 12:30:45 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2004/10/22 10:41:46 | 000,413,824 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA® nForce™
DRV - [2004/10/22 10:38:28 | 000,053,376 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA® nForce™
DRV - [2004/02/14 15:19:07 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2003/08/04 03:56:02 | 000,884,614 | ---- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\winachcf.sys -- (Winachcf)
DRV - [2003/06/13 13:31:00 | 001,323,995 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/03/19 16:51:00 | 000,018,688 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2003/01/10 18:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/11/27 21:52:00 | 000,080,896 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENET.sys -- (NVENET)
DRV - [2001/08/17 14:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 09:28:02 | 000,907,456 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HCF_MSFT.sys -- (HCF_MSFT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 5C 7C 62 58 04 DD CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/04/16 10:23:36 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [type32] C:\Program Files\Microsoft IntelliType Pro\type32.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ccleaner] C:\Program Files\CCleaner\ccleaner.exe (Piriform Ltd)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {297AEB8E-D78B-427A-BBC2-E6496017D290} https://allapp.ahlco...ol/AHLDSync.cab (AHLDSync.ctlDataSync)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.syma...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1138037095375 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E5238271-D692-408F-A625-275DF49EE4E3} https://allapp.ahlco...LInfoUpdate.CAB (AHLInfoUpdate.Login)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/02/13 17:28:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = secfile] -- Reg Error: Key error. File not found
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/04/17 15:23:19 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Thompson Insurance\Recent
[2010/04/17 15:21:36 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/04/16 23:07:41 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Thompson Insurance\Desktop\OTL.exe
[2010/04/16 22:41:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\Desktop\backups
[2010/04/16 20:52:18 | 000,000,000 | ---D | C] -- C:\Program Files\a-squared Free
[2010/04/16 20:52:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\My Documents\a-squared Free
[2010/04/16 20:42:53 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/16 20:42:47 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/16 20:42:24 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/04/16 20:41:02 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/16 20:40:19 | 074,121,968 | ---- | C] (Emsi Software GmbH ) -- C:\Documents and Settings\Thompson Insurance\Desktop\a2FreeSetup.exe
[2010/04/16 20:37:51 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Thompson Insurance\Desktop\HijackThis.exe
[2010/04/16 19:55:02 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/04/16 19:55:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/04/16 19:54:40 | 005,650,240 | ---- | C] (SurfRight B.V.) -- C:\Documents and Settings\Thompson Insurance\Desktop\HitmanPro35.exe
[2010/04/16 15:39:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\My Documents\Downloads
[2010/04/16 15:36:40 | 000,162,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/16 15:36:40 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/16 15:36:39 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/16 15:36:38 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/16 15:36:35 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/16 15:36:35 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/16 15:36:35 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/16 15:36:04 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/16 15:36:04 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/16 15:35:51 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/04/16 15:35:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/04/16 11:02:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/16 10:40:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2010/04/16 10:35:30 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/04/16 10:35:30 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/04/16 10:34:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/16 10:34:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/04/16 10:16:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot2
[2010/04/16 10:13:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\SoftwareDistribution
[2010/04/16 09:02:44 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/04/16 08:54:51 | 000,161,296 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/04/16 08:43:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2010/04/16 08:41:38 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/16 08:21:04 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/16 08:19:18 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/16 08:19:18 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/16 08:16:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/15 21:52:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/15 21:52:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/15 21:51:45 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/04/15 21:51:45 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/15 21:51:44 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/15 21:51:44 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/15 21:51:44 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/15 21:51:13 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/04/15 21:50:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\Application Data\Sun
[2010/04/15 21:34:22 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/04/15 21:03:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/04/15 21:03:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/15 19:01:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/04/15 19:01:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\Application Data\SUPERAntiSpyware.com
[2010/04/15 19:01:09 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/15 19:00:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\Application Data\Malwarebytes
[2010/04/15 19:00:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/15 18:54:36 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler
[2010/04/15 18:44:37 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/15 18:44:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/04/15 18:37:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\Western Digital
[2010/04/15 09:21:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\avG
[2010/04/14 09:02:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\avG
[2010/04/14 09:02:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avG
[2010/04/13 13:37:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/13 13:37:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/12 14:28:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/02/03 14:27:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/02/03 14:22:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2008/09/05 10:52:07 | 000,570,128 | ---- | C] (Microsoft Corporation) -- C:\Program Files\Common Files\DAO350.DLL
[2008/09/05 10:52:07 | 000,561,179 | ---- | C] (Microsoft Corporation) -- C:\Program Files\Common Files\dao360.dll
[2007/03/15 11:02:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Google
[2007/01/31 10:06:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Intuit
[2005/02/28 17:04:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Symantec
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/17 15:29:00 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{F8304665-2F87-4296-9734-BB2FA0D640B1}.job
[2010/04/17 15:23:44 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/17 15:23:29 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/17 15:23:27 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/17 15:23:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/17 15:22:14 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\Thompson Insurance\NTUSER.DAT
[2010/04/17 15:22:14 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Thompson Insurance\ntuser.ini
[2010/04/17 15:22:11 | 004,240,656 | -H-- | M] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\IconCache.db
[2010/04/17 09:46:50 | 000,000,448 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{FBB64FB1-BDAF-43F9-BF36-142543C81592}.job
[2010/04/17 00:37:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/16 23:07:45 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Thompson Insurance\Desktop\OTL.exe
[2010/04/16 23:03:40 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\Desktop\gmer.zip
[2010/04/16 20:52:46 | 000,000,648 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\a-squared Free.lnk
[2010/04/16 20:40:28 | 074,121,968 | ---- | M] (Emsi Software GmbH ) -- C:\Documents and Settings\Thompson Insurance\Desktop\a2FreeSetup.exe
[2010/04/16 20:37:52 | 000,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Thompson Insurance\Desktop\HijackThis.exe
[2010/04/16 20:36:45 | 003,916,775 | R--- | M] () -- C:\Documents and Settings\Thompson Insurance\Desktop\ComboFix.exe
[2010/04/16 20:03:31 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/16 19:58:02 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/16 19:55:02 | 000,001,663 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/04/16 19:54:40 | 005,650,240 | ---- | M] (SurfRight B.V.) -- C:\Documents and Settings\Thompson Insurance\Desktop\HitmanPro35.exe
[2010/04/16 15:37:42 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/04/16 15:36:41 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/04/16 15:36:36 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/16 15:34:57 | 048,417,032 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\Desktop\setup_av_free.exe
[2010/04/16 11:03:16 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/16 10:23:46 | 000,001,856 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2010/04/16 08:54:50 | 000,161,296 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/04/16 08:33:12 | 000,000,239 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/16 08:06:36 | 000,000,314 | RHS- | M] () -- C:\boot.ini
[2010/04/15 23:01:37 | 000,003,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pciide.sys
[2010/04/15 22:10:38 | 000,011,264 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/15 22:04:45 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/15 21:51:20 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/04/15 21:51:20 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/15 21:51:20 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/15 21:51:20 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/15 21:51:20 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/15 21:48:48 | 000,036,576 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/15 21:17:30 | 000,175,464 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/15 18:55:14 | 000,013,702 | -HS- | M] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\4ML87
[2010/04/15 18:55:14 | 000,013,702 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\4ML87
[2010/04/15 18:40:41 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\Desktop\CCleaner.lnk
[2010/04/15 09:39:23 | 000,000,687 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/14 14:14:20 | 000,016,884 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\50vGiJ1FW7x2
[2010/04/14 14:04:42 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & SHUMATE CONTRACT-#32.doc
[2010/04/14 12:47:23 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/14 12:47:03 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/14 12:35:47 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/14 12:35:25 | 000,162,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/14 12:31:39 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/14 12:31:12 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/14 12:31:09 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/14 12:31:01 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/14 12:30:45 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/13 09:54:10 | 000,016,724 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\E. Dean Nuckles.lwp
[2010/04/13 09:53:36 | 000,015,548 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\CARY'S COMMISSION.lwp
[2010/04/12 11:51:46 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\TWILIGHT DEVELOPMENT-MAR, 2010.doc
[2010/04/06 11:22:26 | 000,033,280 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\MONTHLY RENT PAYMENTS 2010.doc
[2010/03/30 11:44:54 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & THOMPSON INC-FEB, 2010 VISA.doc
[2010/03/30 11:39:18 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & THOMPSON INC-JAN, 2010 VISA.doc
[2010/03/29 14:21:37 | 000,043,008 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\Desktop\Doc1.doc
[2010/03/23 14:35:54 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & THOMPSON, INC-FEB, 2010.doc
[2010/03/23 13:36:43 | 000,158,720 | ---- | M] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & THOMPSON INC-FEB, 2010.doc
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/16 23:03:52 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\Desktop\gmer.exe
[2010/04/16 23:03:38 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\Desktop\gmer.zip
[2010/04/16 20:52:45 | 000,000,648 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\a-squared Free.lnk
[2010/04/16 20:42:54 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/16 20:42:53 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/16 20:36:36 | 003,916,775 | R--- | C] () -- C:\Documents and Settings\Thompson Insurance\Desktop\ComboFix.exe
[2010/04/16 19:55:19 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/16 19:55:02 | 000,001,663 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/04/16 15:37:42 | 000,001,813 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/04/16 15:36:41 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/04/16 15:34:47 | 048,417,032 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\Desktop\setup_av_free.exe
[2010/04/16 11:54:41 | 000,000,420 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{F8304665-2F87-4296-9734-BB2FA0D640B1}.job
[2010/04/16 11:03:16 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/16 11:02:34 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/16 10:23:46 | 000,001,856 | ---- | C] () -- C:\WINDOWS\System32\tmp.reg
[2010/04/16 08:21:12 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/04/16 08:21:07 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/16 08:19:18 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/16 08:19:18 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/16 08:19:18 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/15 22:04:45 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/15 21:30:31 | 000,000,448 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{FBB64FB1-BDAF-43F9-BF36-142543C81592}.job
[2010/04/14 14:04:42 | 000,028,672 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & SHUMATE CONTRACT-#32.doc
[2010/04/14 11:12:53 | 000,016,884 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\50vGiJ1FW7x2
[2010/04/14 11:12:53 | 000,016,884 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\50vGiJ1FW7x2
[2010/04/14 09:02:10 | 000,013,702 | -HS- | C] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\4ML87
[2010/04/13 13:38:06 | 000,013,702 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4ML87
[2010/04/13 13:38:06 | 000,013,522 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\4ML87
[2010/04/12 11:51:46 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\My Documents\TWILIGHT DEVELOPMENT-MAR, 2010.doc
[2010/03/30 11:44:54 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & THOMPSON INC-FEB, 2010 VISA.doc
[2010/03/30 11:39:18 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & THOMPSON INC-JAN, 2010 VISA.doc
[2010/03/19 12:36:00 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\My Documents\THOMPSON & THOMPSON, INC-FEB, 2010.doc
[2007/02/13 11:02:37 | 000,000,141 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\fusioncache.dat
[2005/09/14 12:30:53 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/08/26 12:23:57 | 000,000,105 | ---- | C] () -- C:\WINDOWS\upst.ini
[2005/04/25 13:42:26 | 000,000,075 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\LuResult.txt
[2005/01/11 18:02:33 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\ntuser.dat
[2005/01/11 18:02:33 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\ntuser.dat.LOG
[2004/07/28 15:05:35 | 000,000,241 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2004/06/07 15:15:30 | 000,000,049 | ---- | C] () -- C:\WINDOWS\upth.ini
[2004/06/07 15:15:30 | 000,000,024 | ---- | C] () -- C:\WINDOWS\atid.ini
[2004/02/16 15:38:39 | 000,176,594 | ---- | C] () -- C:\Documents and Settings\Thompson Insurance\~
[2004/02/16 14:05:46 | 000,000,713 | ---- | C] () -- C:\WINDOWS\IHEALTH.INI
[2004/02/16 14:05:45 | 000,000,346 | ---- | C] () -- C:\WINDOWS\valuterm.ini
[2004/02/16 14:02:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2004/02/16 13:44:56 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\Fdfacx.dll
[2004/02/16 13:44:56 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\regobj.dll
[2004/02/16 13:44:55 | 000,317,440 | ---- | C] () -- C:\WINDOWS\System32\FdfTk.dll
[2004/02/14 14:59:42 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/02/14 14:14:30 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/02/13 17:46:26 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Thompson Insurance\ntuser.dat.LOG
[2004/02/13 17:46:26 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Thompson Insurance\ntuser.ini
[2004/02/13 17:46:25 | 003,670,016 | -H-- | C] () -- C:\Documents and Settings\Thompson Insurance\NTUSER.DAT

========== Custom Scans ==========



< MD5 for: PCIIDE.SYS >
[2010/04/15 23:01:37 | 000,003,328 | ---- | M] (Microsoft Corporation) MD5=CCF5F451BB1A5A2A522A76E670000FF0 -- C:\WINDOWS\system32\dllcache\pciide.sys
[2010/04/17 15:21:37 | 000,003,328 | ---- | M] (Microsoft Corporation) MD5=CCF5F451BB1A5A2A522A76E670000FF0 -- C:\WINDOWS\system32\drivers\PCIIde.sys
[2001/08/17 14:51:52 | 000,003,328 | ---- | M] (Microsoft Corporation) MD5=CCF5F451BB1A5A2A522A76E670000FF0 -- C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\i386\pciide.sys
< End of report >



--------------------------------------


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-17 17:11:00
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\THOMPS~1\LOCALS~1\Temp\pwliapod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB2D3AC08]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB2D3AAC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xB2D3B078]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB2D3AFA2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB2D3A69A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB2D3AB9E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB2D3A5DA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB2D3A63E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB2D3ACBE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xB2D3B146]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB2D3AC7E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB2D3ADFE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xB2D4750A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xB2D4732E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xB2D47468]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 856A2AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
  • 0

#9
ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
hi

are you still getting redirected ?

You ran ComboFix yourself; post its log. It shall be located in c:\combofix.txt
  • 0

#10
street9009

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Google seems to be fine now. Also, Microsoft.com is unblocked, so we're making headway. I had posted initially that Windows updates weren't working, and before all this corruption (below) they weren't, but now they appear to be working as well.

However, I tried to re-run ComboFix (just for good measure) and it nearly annihilated the computer. The computer rebooted right in the middle of the scan and isapnp.sys was corrupted. I restored from the XP disc and then had to restore tcpip.sys because the PC wouldn't get an internet connection. I believe I have it back to normal, but apparently ComboFix will be of no help to us now.

Also, I still get the occasional popup.

Edited by street9009, 18 April 2010 - 07:49 AM.

  • 0

#11
ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
hi

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
  • 0

#12
street9009

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hey ali.B,

I believe the popups were a fluke. MB came back clean (that's one of the standard scans I always run) again and the PC is in much better shape. I believe your fix.txt got the remaining infection off. I have given the PC back to its owner.

Thanks a bunch for your help. Never would have gotten it fixed without you.

street
  • 0

#13
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0