Jump to content

Free help from tech experts
Welcome to Geeks to Go forums. Create an account now to gain access to all our features. Once registered and logged in, you will be able to create topics, post replies to existing topics, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. Best of all, registration and all assistance is 100% free! This message, and all ads will be removed once you have signed in.
Sign In Create Account

Google Redirect virus and Trojan horse Cryptic.FJ [Solved]


  • This topic is locked This topic is locked

#1
krpa-d-em

krpa-d-em

    Member

  • Member
  • PipPip
  • 39 posts
Thank you for taking time to help me. The work done here is greatly appreciated in an effort to counter the criminals who flood the Web with Malware, etc.

I have explicitly followed the steps to the "Malware and Spyware Cleaning Guide" and the proper logs will follow my narrative. Here is an overview of what my Lenovo 3000 J Series PC that runs Windows XP Home edition has been doing.

For about a month, after startup the computer would "crunch hard" for about 10-15 minutes and then run normally, as if something was searching through all the files. During this time the "services.exe" process would max out CPU usage.

About a week ago, I upgraded my free AVG software to their pay service and immediately I began having Google redirect problems on my toolbar search on my Firefox and IE web browsers. After a google toolbar search, there would be a pause, the proper page would appear, but then it would be redirected to some other type of search page. Sometimes Firefox would say "can not access ADSREDIRECT.GOOGLE.COM" page.
Also, if I switched my toolbar to Yahoo search, the search completed with no problems.

I then downloaded the "NO-Scripts" add-on, which stopped the redirects, but was painfully slow.

After researching the Wdmaud.sys virus. I attempted to remove this file and I was unsuccessful.

After following your "malware, spyware guide" the symptoms of the google redirect have stopped, but AVG continues to say I have a "Trojan Horse Cryptic F.J" that AVG is unable to quarantine or remove. I have posted that log at the end.

And also, during my attempt at removing the bug, I deleted the wrong Wdmaud.sys file and lost all sound. In an attempt to regain my sound device, I re-installed Windows Service Pack 3. My sound did not come back.

Thank you for any help you may give me.

MBAM LOG

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/18/2010 12:34:34 PM
mbam-log-2010-04-18 (12-34-34).txt

Scan type: Quick scan
Objects scanned: 124386
Time elapsed: 7 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER LOG

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-25 23:57:02
Windows 5.1.2600 Service Pack 3
Running: qiouocck3qsu.exe; Driver: C:\DOCUME~1\Ginger\LOCALS~1\Temp\ffldapoc.sys


---- System - GMER 1.0.15 ----

SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwCreateKey [0xF7B0FAC2]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF7B25EEE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF7B260E0]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteKey [0xF7B0FCB6]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteValueKey [0xF7B0FD5C]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwOpenKey [0xF7B0F9B2]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF7E4E670]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF7B46D72]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwSetValueKey [0xF7B0FEF8]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF57C80B0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF7E4E7C0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF7E4E860]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 27C0 80501FF8 4 Bytes CALL A29517E1

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[992] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 012D2862
.text C:\WINDOWS\Explorer.EXE[992] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012D26EE
.text C:\WINDOWS\Explorer.EXE[992] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012D27E0
.text C:\WINDOWS\Explorer.EXE[992] WS2_32.dll!recv 71AB676F 5 Bytes JMP 012D2726
.text C:\WINDOWS\Explorer.EXE[992] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 012D275E
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe[1308] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F62862
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe[1308] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F626EE
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe[1308] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F627E0
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe[1308] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F62726
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe[1308] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F6275E
.text C:\Program Files\AVG\AVG9\avgemc.exe[1472] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 032B2862
.text C:\Program Files\AVG\AVG9\avgemc.exe[1472] WS2_32.dll!send 71AB4C27 5 Bytes JMP 032B26EE
.text C:\Program Files\AVG\AVG9\avgemc.exe[1472] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 032B27E0
.text C:\Program Files\AVG\AVG9\avgemc.exe[1472] WS2_32.dll!recv 71AB676F 5 Bytes JMP 032B2726
.text C:\Program Files\AVG\AVG9\avgemc.exe[1472] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 032B275E
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[1756] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01432862
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[1756] WS2_32.dll!send 71AB4C27 5 Bytes JMP 014326EE
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[1756] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 014327E0
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[1756] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01432726
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[1756] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0143275E
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1808] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 006A2862
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1808] WS2_32.dll!send 71AB4C27 5 Bytes JMP 006A26EE
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1808] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 006A27E0
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1808] WS2_32.dll!recv 71AB676F 5 Bytes JMP 006A2726
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1808] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 006A275E
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1848] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01092862
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1848] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010926EE
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1848] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010927E0
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1848] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01092726
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1848] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0109275E
.text C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe[2004] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02AB2862
.text C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe[2004] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02AB26EE
.text C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe[2004] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02AB27E0
.text C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe[2004] WS2_32.dll!recv 71AB676F 5 Bytes JMP 02AB2726
.text C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe[2004] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 02AB275E
.text C:\WINDOWS\system32\tcpsvcs.exe[2272] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00A22862
.text C:\WINDOWS\system32\tcpsvcs.exe[2272] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00A226EE
.text C:\WINDOWS\system32\tcpsvcs.exe[2272] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00A227E0
.text C:\WINDOWS\system32\tcpsvcs.exe[2272] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00A22726
.text C:\WINDOWS\system32\tcpsvcs.exe[2272] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00A2275E
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2432] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01092862
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2432] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010926EE
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2432] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010927E0
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2432] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01092726
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2432] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0109275E
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2440] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DF2862
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2440] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DF26EE
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2440] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DF27E0
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2440] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DF2726
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2440] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DF275E
.text C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe[2504] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E22862
.text C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe[2504] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E226EE
.text C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe[2504] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E227E0
.text C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe[2504] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E22726
.text C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe[2504] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E2275E
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3100] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F22862
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3100] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F226EE
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3100] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F227E0
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3100] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F22726
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3100] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F2275E
.text C:\Program Files\Mozilla Firefox\firefox.exe[3292] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe[3436] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01C92862
.text C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe[3436] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01C926EE
.text C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe[3436] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01C927E0
.text C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe[3436] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01C92726
.text C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe[3436] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01C9275E
.text C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe[3456] SHELL32.dll!SHUpdateImageA + 3E22 7CABF4A7 1 Byte [E4]
.text C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe[3456] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 015B2862
.text C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe[3456] WS2_32.dll!send 71AB4C27 5 Bytes JMP 015B26EE
.text C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe[3456] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 015B27E0
.text C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe[3456] WS2_32.dll!recv 71AB676F 5 Bytes JMP 015B2726
.text C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe[3456] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 015B275E
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3492] SHELL32.dll!SHUpdateImageA + 3E22 7CABF4A7 1 Byte [E4]
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3492] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 03622862
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3492] WS2_32.dll!send 71AB4C27 5 Bytes JMP 036226EE
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3492] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 036227E0
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3492] WS2_32.dll!recv 71AB676F 5 Bytes JMP 03622726
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3492] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0362275E
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3500] SHELL32.dll!SHUpdateImageA + 3E22 7CABF4A7 1 Byte [E4]
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3500] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 012B2862
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3500] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012B26EE
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3500] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012B27E0
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3500] WS2_32.dll!recv 71AB676F 5 Bytes JMP 012B2726
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3500] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 012B275E
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[3512] SHELL32.dll!SHUpdateImageA + 3E22 7CABF4A7 1 Byte [E4]
.text C:\WINDOWS\System32\svchost.exe[3660] SHELL32.dll!SHUpdateImageA + 3E22 7CABF4A7 1 Byte [E4]
.text C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe[3712] SHELL32.dll!SHUpdateImageA + 3E22 7CABF4A7 1 Byte [E4]
.text C:\Program Files\Java\jre6\bin\jqs.exe[3808] SHELL32.dll!SHUpdateImageA + 3E22 7CABF4A7 1 Byte [E4]
.text C:\Program Files\AVG\AVG9\avgam.exe[3968] SHELL32.dll!SHUpdateImageA + 3E22 7CABF4A7 1 Byte [E4]
.text ...
.text C:\Program Files\AVG\AVG9\avgnsx.exe[4004] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01742862
.text C:\Program Files\AVG\AVG9\avgnsx.exe[4004] WS2_32.dll!send 71AB4C27 5 Bytes JMP 017426EE
.text C:\Program Files\AVG\AVG9\avgnsx.exe[4004] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 017427E0
.text C:\Program Files\AVG\AVG9\avgnsx.exe[4004] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01742726
.text C:\Program Files\AVG\AVG9\avgnsx.exe[4004] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0174275E
.text C:\WINDOWS\system32\PSIService.exe[4060] SHELL32.dll!SHUpdateImageA + 3E22 7CABF4A7 1 Byte [E4]
.text C:\WINDOWS\system32\PSIService.exe[4060] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C52862
.text C:\WINDOWS\system32\PSIService.exe[4060] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C526EE
.text C:\WINDOWS\system32\PSIService.exe[4060] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C527E0
.text C:\WINDOWS\system32\PSIService.exe[4060] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C52726
.text C:\WINDOWS\system32\PSIService.exe[4060] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C5275E
.text C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe[4092] SHELL32.dll!SHUpdateImageA + 3E22 7CABF4A7 1 Byte [E4]
.text C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe[4092] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 016A2862
.text C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe[4092] WS2_32.dll!send 71AB4C27 5 Bytes JMP 016A26EE
.text C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe[4092] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 016A27E0
.text C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe[4092] WS2_32.dll!recv 71AB676F 5 Bytes JMP 016A2726
.text C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe[4092] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 016A275E
.text C:\WINDOWS\System32\alg.exe[4240] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C92862
.text C:\WINDOWS\System32\alg.exe[4240] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C926EE
.text C:\WINDOWS\System32\alg.exe[4240] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C927E0
.text C:\WINDOWS\System32\alg.exe[4240] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C92726
.text C:\WINDOWS\System32\alg.exe[4240] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C9275E
.text C:\WINDOWS\System32\alg.exe[4240] SHELL32.dll!SHUpdateImageA + 3E22 7CABF4A7 1 Byte [E4]
.text C:\Documents and Settings\Ginger\Desktop\COMPUTER MAINTANENCE\qiouocck3qsu.exe[5656] SHELL32.dll!SHUpdateImageA + 3E22 7CABF4A7 1 Byte [E4]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\PCTCore \Device\PCTCoreDevice 82F65878

AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

OTL LOG No. 1

OTL logfile created on: 4/26/2010 12:22:18 AM - Run 2
OTL by OldTimer - Version 3.2.3.0 Folder = C:\Documents and Settings\Ginger\Desktop\COMPUTER MAINTANENCE
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

703.00 Mb Total Physical Memory | 412.00 Mb Available Physical Memory | 59.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.99 Gb Total Space | 31.86 Gb Free Space | 45.52% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LBBBOOKS
Current User Name: Ginger
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/25 23:57:25 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ginger\Desktop\COMPUTER MAINTANENCE\OTL.exe
PRC - [2010/04/19 08:53:56 | 002,064,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/04/19 08:53:43 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/04/03 23:40:21 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/04/03 23:40:20 | 000,710,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/04/03 23:40:20 | 000,508,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/04/03 23:40:15 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/04/03 23:40:12 | 000,836,888 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgam.exe
PRC - [2010/04/03 23:40:11 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/04/03 23:40:10 | 000,596,488 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2010/04/03 23:40:09 | 005,888,008 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
PRC - [2010/02/02 04:32:46 | 000,984,352 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2010/01/31 11:01:28 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2010/01/22 09:56:24 | 000,112,592 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/10/30 20:52:34 | 000,016,200 | ---- | M] () -- C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
PRC - [2007/10/18 20:10:42 | 000,479,232 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
PRC - [2006/11/03 00:40:12 | 000,174,656 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe
PRC - [2006/04/10 20:25:54 | 000,950,272 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
PRC - [2006/02/28 20:00:34 | 001,992,240 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe
PRC - [2006/01/11 19:08:36 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe
PRC - [2005/12/21 22:34:58 | 000,077,824 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
PRC - [2005/12/21 22:27:00 | 000,032,768 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
PRC - [2005/12/21 22:20:56 | 001,384,448 | ---- | M] () -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
PRC - [2005/12/07 05:00:00 | 000,106,496 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE
PRC - [2005/09/13 02:22:44 | 000,135,168 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\PELMICED.EXE
PRC - [2005/04/20 22:28:58 | 000,161,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/04/20 22:28:52 | 000,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2005/04/20 22:28:48 | 000,048,752 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2005/04/13 18:34:28 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe
PRC - [2005/03/08 07:33:28 | 000,053,248 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\VTTimer.exe
PRC - [2004/09/29 13:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2004/08/04 09:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tcpsvcs.exe
PRC - [2003/11/06 19:51:32 | 000,020,480 | ---- | M] () -- C:\WINDOWS\system32\FSRremoS.EXE


========== Modules (SafeList) ==========

MOD - [2010/04/25 23:57:25 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ginger\Desktop\COMPUTER MAINTANENCE\OTL.exe
MOD - [2006/01/16 18:40:38 | 000,073,728 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\PELHOOKS.DLL
MOD - [2005/12/30 17:36:38 | 000,126,976 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\PELSCRLL.DLL
MOD - [2004/02/20 14:37:24 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\PELCOMM.DLL


========== Win32 Services (SafeList) ==========

SRV - [2010/04/03 23:40:15 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/04/03 23:40:11 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/04/03 23:40:09 | 005,888,008 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2010/03/15 12:50:36 | 001,142,224 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2010/03/11 12:09:22 | 000,366,840 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2010/02/02 10:13:54 | 000,070,928 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\TFEngine\TFService.exe -- (ThreatFire)
SRV - [2010/01/31 11:01:28 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2010/01/22 09:56:24 | 000,112,592 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2008/11/18 15:45:28 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2008/04/13 20:12:02 | 000,105,472 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\p2pgasvc.dll -- (p2pgasvc)
SRV - [2008/04/13 20:11:55 | 000,035,328 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\iprip.dll -- (Iprip)
SRV - [2006/11/03 00:40:12 | 000,174,656 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing)
SRV - [2006/08/24 19:02:12 | 000,032,256 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psasrv.exe -- (PsaSrv)
SRV - [2006/03/01 15:50:06 | 000,626,810 | ---- | M] (Diskeeper Corporation) [On_Demand | Stopped] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2005/12/21 22:34:58 | 000,077,824 | ---- | M] () [Auto | Running] -- C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe -- (TVT Scheduler)
SRV - [2005/12/21 22:20:56 | 001,384,448 | ---- | M] () [Auto | Running] -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe -- (TVT Backup Service)
SRV - [2005/04/20 22:28:58 | 000,161,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2005/04/20 22:28:56 | 000,083,568 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2005/04/20 22:28:52 | 000,185,968 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2004/09/29 13:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2004/08/04 09:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\tcpsvcs.exe -- (SimpTcp)


========== Driver Services (SafeList) ==========

DRV - [2010/04/25 00:00:04 | 000,005,427 | ---- | M] (IBM Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\EGATHDRV.SYS -- (EGATHDRV)
DRV - [2010/04/19 08:53:45 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/04/03 23:40:43 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/04/03 23:40:14 | 000,025,096 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\AVGIDSxx.sys -- (AVGIDSErHrxpx)
DRV - [2010/04/03 23:40:13 | 000,052,872 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\System32\Drivers\avgrkx86.sys -- (AvgRkx86)
DRV - [2010/04/03 23:40:12 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/04/03 23:40:11 | 000,122,376 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys -- (AVGIDSDriverxpx)
DRV - [2010/04/03 23:40:10 | 000,030,216 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys -- (AVGIDSFilterxpx)
DRV - [2010/04/03 23:40:10 | 000,026,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys -- (AVGIDSShimxpx)
DRV - [2010/03/10 11:36:36 | 000,217,032 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2010/02/11 08:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2010/02/05 09:25:38 | 000,070,408 | ---- | M] (PC Tools) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pctplsg.sys -- (pctplsg)
DRV - [2010/02/05 09:17:56 | 000,233,136 | ---- | M] (PC Tools) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pctgntdi.sys -- (pctgntdi)
DRV - [2010/02/02 10:13:54 | 000,059,664 | --S- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - [2009/11/23 08:43:30 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/11/23 08:43:30 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/11/23 08:43:28 | 000,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2008/08/21 23:49:58 | 000,008,320 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgpfl.sys -- (motccgpfl)
DRV - [2008/08/21 23:49:22 | 000,018,688 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgp.sys -- (motccgp)
DRV - [2008/04/13 14:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 14:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2007/06/18 20:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2007/04/16 22:46:00 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2006/08/24 19:02:12 | 000,016,256 | ---- | M] (Lenovo) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2006/02/17 21:15:34 | 003,846,848 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/12/21 21:14:58 | 000,012,544 | ---- | M] (IBM) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ibmfilter.sys -- (ibmfilter)
DRV - [2005/12/21 20:45:56 | 000,003,968 | ---- | M] (IBM Corp.) [Kernel | Auto | Running] -- C:\Program Files\SMI2\smi2.sys -- (smi2)
DRV - [2005/12/21 20:39:46 | 000,006,912 | ---- | M] (IBM Corp.) [File_System | Boot | Stopped] -- C:\WINDOWS\system32\drivers\ANCSQ.ORG -- (ANCSQ)
DRV - [2005/04/02 19:36:04 | 000,123,200 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2004/08/04 02:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/02/25 06:22:00 | 000,212,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2004/02/25 06:20:22 | 000,682,624 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/02/25 06:18:46 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2003/07/02 08:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2003/02/11 17:25:14 | 000,009,216 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PELUSBLF.SYS -- (pelusblf)
DRV - [2003/01/10 17:55:32 | 000,016,384 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PELMOUSE.SYS -- (pelmouse)
DRV - [2001/08/17 18:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 18:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 18:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 18:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 18:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 17:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 17:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 17:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 17:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 17:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 17:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 17:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 17:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 17:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 17:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 16:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)
DRV - [2000/06/01 16:29:54 | 000,007,012 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PMEMNT.SYS -- (PMEM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.defaulturl: "http://www.google.co...-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.0.20090922023629
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..keyword.URL: "http://us.yhs.search...2-tb-web_us&p="


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/04/19 08:57:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/25 11:54:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/25 11:54:50 | 000,000,000 | ---D | M]

[2008/12/31 00:01:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ginger\Application Data\Mozilla\Extensions
[2010/04/26 00:17:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ginger\Application Data\Mozilla\Firefox\Profiles\63qxlycj.default\extensions
[2009/09/03 06:36:37 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Ginger\Application Data\Mozilla\Firefox\Profiles\63qxlycj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/24 05:05:09 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Ginger\Application Data\Mozilla\Firefox\Profiles\63qxlycj.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/11/28 01:13:36 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Ginger\Application Data\Mozilla\Firefox\Profiles\63qxlycj.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/04/24 05:39:37 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Ginger\Application Data\Mozilla\Firefox\Profiles\63qxlycj.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2008/06/01 17:56:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ginger\Application Data\Mozilla\Firefox\Profiles\63qxlycj.default\extensions\OberonGameHost@OberonGames.com
[2010/04/26 00:17:53 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/04/13 23:58:39 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/04/24 00:09:14 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/08/30 23:35:05 | 000,036,864 | ---- | M] (Homestead Technologies, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nphssb.dll

O1 HOSTS File: ([2010/04/24 01:38:49 | 000,000,609 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts:
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe ()
O4 - HKLM..\Run: [cssauthe] C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation)
O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [LPManager] C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE (Lenovo Group Limited)
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [PCDrProfiler] File not found
O4 - HKLM..\Run: [QuickFinder Scheduler] C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE (Corel Corporation)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk = C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\Ginger\Start Menu\Programs\Startup\Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1252727148250 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} http://lads.myspace....ceUploader2.cab (MySpace Uploader Control)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/...all-142-win.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 66.76.227.40 208.180.42.68
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\Ginger\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Ginger\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/02/05 23:07:57 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{b7493754-d460-11dc-a2e5-00142aceb095}\Shell - "" = AutoRun
O33 - MountPoints2\{b7493754-d460-11dc-a2e5-00142aceb095}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b7493754-d460-11dc-a2e5-00142aceb095}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/09 17:12:00 | 000,000,000 | ---D | M]
NetSvcs: Iprip - C:\WINDOWS\system32\iprip.dll (Microsoft Corporation)
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 90 Days ==========

[2010/04/25 22:36:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/25 22:34:23 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/04/25 18:59:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ginger\Desktop\GooredFix Backups
[2010/04/25 18:57:20 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Ginger\Recent
[2010/04/25 15:43:47 | 000,059,664 | --S- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfSysMon.sys
[2010/04/25 15:43:47 | 000,051,984 | --S- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfFsMon.sys
[2010/04/25 15:43:47 | 000,033,552 | --S- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfNetMon.sys
[2010/04/25 15:43:13 | 001,652,688 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll
[2010/04/25 15:43:13 | 000,165,840 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDRes.dll
[2010/04/25 15:43:13 | 000,149,456 | ---- | C] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll
[2010/04/25 15:41:10 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/04/25 15:40:52 | 000,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/04/25 15:40:43 | 000,217,032 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2010/04/25 15:40:43 | 000,088,040 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2010/04/25 15:40:38 | 000,070,408 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/04/25 15:40:30 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/04/25 13:10:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2010/04/24 05:21:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ginger\Desktop\tdsskiller
[2010/04/24 01:44:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/04/24 01:44:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ginger\Application Data\SUPERAntiSpyware.com
[2010/04/24 01:44:08 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/24 01:43:09 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/04/24 00:08:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/04/24 00:06:10 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/04/20 23:25:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ginger\Application Data\Facebook
[2010/04/18 16:31:56 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010/04/17 23:07:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ginger\Application Data\Malwarebytes
[2010/04/17 23:06:57 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/17 23:06:55 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/17 23:06:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/17 23:06:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/04 04:51:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ginger\Application Data\AVG9
[2010/04/03 23:40:44 | 000,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/04/03 23:40:43 | 000,029,512 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/04/03 23:40:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2010/04/03 23:40:14 | 000,025,096 | ---- | C] (AVG Technologies CZ, s.r.o. ) -- C:\WINDOWS\System32\drivers\AVGIDSxx.sys
[2010/04/03 23:40:13 | 000,052,872 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgrkx86.sys
[2010/04/03 23:40:12 | 000,242,896 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/04/03 23:40:12 | 000,216,200 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/04/03 23:40:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/04/03 23:27:08 | 121,175,904 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Ginger\Desktop\avg_ipw_stf_all_90_800a2779.exe
[2010/04/01 23:40:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ginger\Desktop\FN080
[2010/03/31 20:06:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/03/19 09:31:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ginger\Local Settings\Application Data\Threat Expert
[2010/03/18 22:25:02 | 036,592,720 | ---- | C] (PC Tools ) -- C:\Documents and Settings\Ginger\Desktop\sdasetup.exe
[2010/03/18 03:05:46 | 000,000,000 | ---D | C] -- C:\Program Files\SpaceMonger
[2010/03/18 03:05:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ginger\Application Data\SpaceMonger
[2010/03/18 02:52:38 | 000,000,000 | ---D | C] -- C:\tools
[2010/03/18 01:59:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2010/03/17 06:36:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\PeerNetworking
[2010/03/09 22:56:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ginger\Desktop\Ginger's Pics
[2010/03/08 03:45:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2010/03/02 00:05:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ginger\Desktop\All Dropship Info and Images
[2010/02/19 04:02:31 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/02/18 08:47:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ginger\Application Data\AVS4YOU
[2010/02/18 08:47:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVS4YOU
[2010/02/18 08:43:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\AVSMedia
[2010/02/18 08:43:51 | 000,000,000 | ---D | C] -- C:\Program Files\AVS4YOU
[2010/02/17 22:59:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ginger\My Documents\Christian's Stuff
[2010/02/14 23:30:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2010/02/14 23:30:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ginger\Application Data\Roxio
[2010/02/12 23:07:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ginger\Local Settings\Application Data\Move Networks
[2010/02/12 23:07:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ginger\Application Data\Move Networks
[2010/02/07 11:10:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\$regcmp$
[2010/02/03 10:36:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ginger\Desktop\webpics
[2010/02/02 23:56:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ginger\My Documents\Phoenix

========== Files - Modified Within 90 Days ==========

[2010/04/25 23:30:04 | 000,001,136 | ---- | M] () -- C:\Documents and Settings\Ginger\My Documents\AVGreport1.csv
[2010/04/25 22:34:27 | 000,000,622 | ---- | M] () -- C:\Documents and Settings\Ginger\Desktop\NTREGOPT.lnk
[2010/04/25 22:28:09 | 000,002,543 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
[2010/04/25 22:27:33 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/25 22:27:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/25 22:27:28 | 737,726,464 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/25 22:26:50 | 006,291,456 | ---- | M] () -- C:\Documents and Settings\Ginger\ntuser.dat
[2010/04/25 22:26:36 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Ginger\ntuser.ini
[2010/04/25 19:50:39 | 004,804,928 | -H-- | M] () -- C:\Documents and Settings\Ginger\Local Settings\Application Data\IconCache.db
[2010/04/25 19:39:29 | 059,268,202 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/04/25 18:58:37 | 000,000,386 | ---- | M] () -- C:\Documents and Settings\Ginger\My Documents\cc_20100425_185816.reg
[2010/04/25 18:58:12 | 000,000,082 | ---- | M] () -- C:\Documents and Settings\Ginger\My Documents\cc_20100425_185811.reg
[2010/04/25 18:57:55 | 000,004,854 | ---- | M] () -- C:\Documents and Settings\Ginger\My Documents\cc_20100425_185750.reg
[2010/04/25 18:50:06 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/25 18:49:23 | 000,001,674 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/04/25 15:40:41 | 000,001,648 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/04/25 15:03:13 | 000,001,132 | ---- | M] () -- C:\Documents and Settings\Ginger\My Documents\AVGreport.csv
[2010/04/25 13:17:06 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/04/25 13:10:53 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/25 11:32:36 | 000,000,839 | ---- | M] () -- C:\WINDOWS\orun32.ini
[2010/04/25 08:36:07 | 000,040,440 | ---- | M] () -- C:\Documents and Settings\Ginger\Desktop\lbb myspace logo.jpg
[2010/04/25 02:23:01 | 000,285,795 | ---- | M] () -- C:\Documents and Settings\Ginger\Desktop\toriblack.png
[2010/04/25 02:18:20 | 000,010,856 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010/04/24 05:18:41 | 000,154,469 | ---- | M] () -- C:\Documents and Settings\Ginger\Desktop\tdsskiller.zip
[2010/04/24 01:38:49 | 000,000,609 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/24 00:41:20 | 000,002,196 | ---- | M] () -- C:\Documents and Settings\Ginger\My Documents\cc_20100424_004115.reg
[2010/04/21 00:44:34 | 000,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
[2010/04/19 22:45:59 | 000,452,096 | ---- | M] () -- C:\Documents and Settings\Ginger\Desktop\Little Black Box LLC 2010a.april11QBW (Portable).QBM
[2010/04/19 08:53:45 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/04/19 08:39:40 | 000,001,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
[2010/04/18 23:12:04 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010/04/18 23:08:54 | 000,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2010/04/15 10:03:20 | 101,000,794 | ---- | M] () -- C:\Documents and Settings\Ginger\Desktop\vgas 22.MOV
[2010/04/08 00:34:33 | 003,259,000 | ---- | M] () -- C:\Documents and Settings\Ginger\Desktop\garHback.pspimage
[2010/04/07 22:56:49 | 000,065,588 | ---- | M] () -- C:\Documents and Settings\Ginger\Desktop\2009 monthly cash modified.xls
[2010/04/04 19:50:03 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_motmodem_01005.Wdf
[2010/04/04 19:49:20 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
[2010/04/04 19:49:20 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_motccgp_01005.Wdf
[2010/04/04 19:49:17 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[2010/04/03 23:40:45 | 000,001,518 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 9.0.lnk
[2010/04/03 23:40:44 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/04/03 23:40:43 | 000,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/04/03 23:40:43 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/04/03 23:40:14 | 000,025,096 | ---- | M] (AVG Technologies CZ, s.r.o. ) -- C:\WINDOWS\System32\drivers\AVGIDSxx.sys
[2010/04/03 23:40:13 | 000,052,872 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgrkx86.sys
[2010/04/03 23:40:12 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/04/03 23:29:09 | 121,175,904 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Ginger\Desktop\avg_ipw_stf_all_90_800a2779.exe
[2010/04/03 22:25:53 | 000,000,542 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/03 22:25:53 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/03 22:25:53 | 000,000,184 | -HS- | M] () -- C:\BOOT.INI
[2010/04/03 22:03:47 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Ginger\Local Settings\Application Data\prvlcl.dat
[2010/04/02 13:07:01 | 000,031,744 | ---- | M] () -- C:\Documents and Settings\Ginger\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/01 23:39:53 | 000,199,639 | ---- | M] () -- C:\Documents and Settings\Ginger\Desktop\FN080.zip
[2010/04/01 23:25:16 | 000,449,024 | ---- | M] () -- C:\Documents and Settings\Ginger\My Documents\Little Black Box LLC 2010a April 1(Portable).QBM
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/28 23:17:15 | 000,010,612 | ---- | M] () -- C:\Documents and Settings\Ginger\My Documents\Las Vegas Itinery.wpd
[2010/03/28 20:37:17 | 000,214,675 | ---- | M] () -- C:\Documents and Settings\Ginger\Desktop\vegas orleans hotel confirm.jpg
[2010/03/28 20:34:09 | 000,206,089 | ---- | M] () -- C:\Documents and Settings\Ginger\Desktop\vegas the orleans hotel confirmation.jpg
[2010/03/26 22:19:08 | 006,881,280 | ---- | M] () -- C:\Documents and Settings\Ginger\Desktop\Little Black Box LLC 2010 (Backup Mar 26,2010 10 18 PM).QBB
[2010/03/26 22:14:24 | 000,000,090 | ---- | M] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2010/03/24 21:13:28 | 000,057,224 | ---- | M] () -- C:\Documents and Settings\Ginger\Desktop\Mozilla Bookmarks-2010-03-24
[2010/03/20 04:17:48 | 000,520,732 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/20 04:17:48 | 000,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/20 04:17:48 | 000,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/18 22:25:35 | 036,592,720 | ---- | M] (PC Tools ) -- C:\Documents and Settings\Ginger\Desktop\sdasetup.exe
[2010/03/18 02:50:54 | 000,717,114 | ---- | M] () -- C:\Documents and Settings\Ginger\Desktop\setupdf2.exe
[2010/03/18 02:10:55 | 000,001,876 | ---- | M] () -- C:\Documents and Settings\Ginger\My Documents\cc_20100318_021051.reg
[2010/03/17 22:57:26 | 012,617,778 | ---- | M] () -- C:\Documents and Settings\Ginger\Desktop\attachments_2010_03_17.zip
[2010/03/14 18:32:04 | 000,066,072 | ---- | M] () -- C:\Documents and Settings\Ginger\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/14 16:37:17 | 000,022,858 | ---- | M] () -- C:\Documents and Settings\Ginger\My Documents\cc_20100314_163636.reg
[2010/03/14 16:29:49 | 000,247,904 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/13 01:32:51 | 000,239,803 | ---- | M] () -- C:\Documents and Settings\Ginger\My Documents\EM 2010 descript prices.wpd
[2010/03/10 11:36:36 | 000,217,032 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2010/03/08 22:10:19 | 003,670,577 | ---- | M] () -- C:\Documents and Settings\Ginger\My Documents\attachments_2010_03_08.zip
[2010/02/26 23:52:25 | 000,000,876 | ---- | M] () -- C:\Documents and Settings\Ginger\My Documents\cc_20100226_225213.reg
[2010/02/19 14:18:50 | 000,012,882 | ---- | M] () -- C:\Documents and Settings\Ginger\My Documents\Christian M. resume wpd.wpd
[2010/02/18 07:27:17 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\
[2010/02/17 23:25:36 | 000,000,137 | -H-- | M] () -- C:\Documents and Settings\Ginger\Desktop\.~lock.2010 Lingerie Descriptions EM.ods#
[2010/02/07 13:45:26 | 000,005,985 | ---- | M] () -- C:\Documents and Settings\Ginger\Desktop\report20100207-124621.iif
[2010/02/07 13:30:28 | 000,017,197 | ---- | M] () -- C:\Documents and Settings\Ginger\Desktop\report20100207-123122.iif
[2010/02/05 09:25:38 | 000,070,408 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/02/05 09:17:56 | 000,233,136 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/02/02 10:13:54 | 000,059,664 | --S- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\TfSysMon.sys
[2010/02/02 10:13:54 | 000,051,984 | --S- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\TfFsMon.sys
[2010/02/02 10:13:54 | 000,033,552 | --S- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\TfNetMon.sys
[2010/01/31 23:40:20 | 000,076,293 | ---- | M] () -- C:\Documents and Settings\Ginger\Desktop\2009 FINAL INVENTORY.ods
[2010/01/31 18:48:58 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/01/31 18:48:58 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/01/31 17:43:54 | 000,003,828 | ---- | M] () -- C:\Documents and Settings\Ginger\My Documents\cc_20100131_164340Jan31.reg
[2010/01/29 08:24:38 | 000,000,256 | ---- | M] () -- C:\WINDOWS\System32\pool.bin

========== Files Created - No Company Name ==========

[2010/04/25 23:30:04 | 000,001,136 | ---- | C] () -- C:\Documents and Settings\Ginger\My Documents\AVGreport1.csv
[2010/04/25 22:34:27 | 000,000,622 | ---- | C] () -- C:\Documents and Settings\Ginger\Desktop\NTREGOPT.lnk
[2010/04/25 18:58:17 | 000,000,386 | ---- | C] () -- C:\Documents and Settings\Ginger\My Documents\cc_20100425_185816.reg
[2010/04/25 18:58:12 | 000,000,082 | ---- | C] () -- C:\Documents and Settings\Ginger\My Documents\cc_20100425_185811.reg
[2010/04/25 18:57:52 | 000,004,854 | ---- | C] () -- C:\Documents and Settings\Ginger\My Documents\cc_20100425_185750.reg
[2010/04/25 18:49:23 | 000,001,674 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/04/25 15:43:13 | 001,152,444 | ---- | C] () -- C:\WINDOWS\UDB.zip
[2010/04/25 15:43:13 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2010/04/25 15:43:13 | 000,000,882 | ---- | C] () -- C:\WINDOWS\RegSDImport.xml
[2010/04/25 15:43:13 | 000,000,879 | ---- | C] () -- C:\WINDOWS\RegISSImport.xml
[2010/04/25 15:43:13 | 000,000,131 | ---- | C] () -- C:\WINDOWS\IDB.zip
[2010/04/25 15:40:52 | 000,007,387 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat
[2010/04/25 15:40:43 | 000,007,412 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat
[2010/04/25 15:40:43 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat
[2010/04/25 15:40:41 | 000,001,648 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/04/25 15:40:38 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplsg.cat
[2010/04/25 15:03:13 | 000,001,132 | ---- | C] () -- C:\Documents and Settings\Ginger\My Documents\AVGreport.csv
[2010/04/25 08:36:05 | 000,040,440 | ---- | C] () -- C:\Documents and Settings\Ginger\Desktop\lbb myspace logo.jpg
[2010/04/25 02:23:01 | 000,285,795 | ---- | C] () -- C:\Documents and Settings\Ginger\Desktop\toriblack.png
[2010/04/24 05:31:41 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Ginger\wdm.txt
[2010/04/24 05:18:39 | 000,154,469 | ---- | C] () -- C:\Documents and Settings\Ginger\Desktop\tdsskiller.zip
[2010/04/24 04:14:51 | 737,726,464 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/24 00:41:16 | 000,002,196 | ---- | C] () -- C:\Documents and Settings\Ginger\My Documents\cc_20100424_004115.reg
[2010/04/24 00:09:45 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/19 22:45:58 | 000,452,096 | ---- | C] () -- C:\Documents and Settings\Ginger\Desktop\Little Black Box LLC 2010a.april11QBW (Portable).QBM
[2010/04/18 23:12:04 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010/04/18 23:12:04 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2010/04/18 23:04:21 | 000,012,074 | ---- | C] () -- C:\Documents and Settings\Ginger\Desktop\MVI_0071.THM
[2010/04/15 10:03:20 | 101,000,794 | ---- | C] () -- C:\Documents and Settings\Ginger\Desktop\vgas 22.MOV
[2010/04/11 10:28:25 | 000,001,740 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
[2010/04/08 00:34:31 | 003,259,000 | ---- | C] () -- C:\Documents and Settings\Ginger\Desktop\garHback.pspimage
[2010/04/07 22:39:58 | 000,065,588 | ---- | C] () -- C:\Documents and Settings\Ginger\Desktop\2009 monthly cash modified.xls
[2010/04/04 19:50:03 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_motmodem_01005.Wdf
[2010/04/04 19:49:20 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
[2010/04/04 19:49:20 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_motccgp_01005.Wdf
[2010/04/04 19:49:17 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[2010/04/03 23:46:43 | 000,000,097 | ---- | C] () -- C:\Documents and Settings\Ginger\AVG.txt
[2010/04/03 23:40:45 | 000,001,518 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 9.0.lnk
[2010/04/03 23:40:43 | 000,113,461 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/04/03 23:40:33 | 059,268,202 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/04/03 22:25:47 | 000,002,543 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
[2010/04/03 22:25:47 | 000,002,120 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
[2010/04/03 22:25:47 | 000,001,826 | ---- | C] () -- C:\Documents and Settings\Ginger\Start Menu\Programs\Startup\Nikon Monitor.lnk
[2010/04/01 23:39:52 | 000,199,639 | ---- | C] () -- C:\Documents and Settings\Ginger\Desktop\FN080.zip
[2010/04/01 23:25:14 | 000,449,024 | ---- | C] () -- C:\Documents and Settings\Ginger\My Documents\Little Black Box LLC 2010a April 1(Portable).QBM
[2010/03/28 22:33:14 | 000,010,612 | ---- | C] () -- C:\Documents and Settings\Ginger\My Documents\Las Vegas Itinery.wpd
[2010/03/28 20:37:17 | 000,214,675 | ---- | C] () -- C:\Documents and Settings\Ginger\Desktop\vegas orleans hotel confirm.jpg
[2010/03/28 20:34:09 | 000,206,089 | ---- | C] () -- C:\Documents and Settings\Ginger\Desktop\vegas the orleans hotel confirmation.jpg
[2010/03/26 22:18:56 | 006,881,280 | ---- | C] () -- C:\Documents and Settings\Ginger\Desktop\Little Black Box LLC 2010 (Backup Mar 26,2010 10 18 PM).QBB
[2010/03/24 21:13:28 | 000,057,224 | ---- | C] () -- C:\Documents and Settings\Ginger\Desktop\Mozilla Bookmarks-2010-03-24
[2010/03/18 02:50:54 | 000,717,114 | ---- | C] () -- C:\Documents and Settings\Ginger\Desktop\setupdf2.exe
[2010/03/18 02:10:53 | 000,001,876 | ---- | C] () -- C:\Documents and Settings\Ginger\My Documents\cc_20100318_021051.reg
[2010/03/17 22:56:45 | 012,617,778 | ---- | C] () -- C:\Documents and Settings\Ginger\Desktop\attachments_2010_03_17.zip
[2010/03/14 16:36:39 | 000,022,858 | ---- | C] () -- C:\Documents and Settings\Ginger\My Documents\cc_20100314_163636.reg
[2010/03/13 00:16:20 | 000,239,803 | ---- | C] () -- C:\Documents and Settings\Ginger\My Documents\EM 2010 descript prices.wpd
[2010/03/08 22:21:12 | 003,670,577 | ---- | C] () -- C:\Documents and Settings\Ginger\My Documents\attachments_2010_03_08.zip
[2010/02/26 23:52:20 | 000,000,876 | ---- | C] () -- C:\Documents and Settings\Ginger\My Documents\cc_20100226_225213.reg
[2010/02/23 09:25:09 | 000,002,707 | ---- | C] () -- C:\Documents and Settings\Ginger\avgrep.txt
[2010/02/19 06:45:57 | 000,012,882 | ---- | C] () -- C:\Documents and Settings\Ginger\My Documents\Christian M. resume wpd.wpd
[2010/02/18 07:27:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\
[2010/02/17 23:25:36 | 000,000,137 | -H-- | C] () -- C:\Documents and Settings\Ginger\Desktop\.~lock.2010 Lingerie Descriptions EM.ods#
[2010/02/07 13:45:26 | 000,005,985 | ---- | C] () -- C:\Documents and Settings\Ginger\Desktop\report20100207-124621.iif
[2010/02/07 13:30:28 | 000,017,197 | ---- | C] () -- C:\Documents and Settings\Ginger\Desktop\report20100207-123122.iif
[2010/01/31 22:39:22 | 000,076,293 | ---- | C] () -- C:\Documents and Settings\Ginger\Desktop\2009 FINAL INVENTORY.ods
[2010/01/31 17:43:50 | 000,003,828 | ---- | C] () -- C:\Documents and Settings\Ginger\My Documents\cc_20100131_164340Jan31.reg
[2009/08/02 04:15:28 | 000,000,090 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2008/07/05 07:33:01 | 000,000,030 | ---- | C] () -- C:\WINDOWS\Iedit_.INI
[2008/06/26 01:01:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ViewNX.INI
[2008/05/02 21:52:25 | 000,000,203 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/03/09 01:48:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Textart.INI
[2008/03/02 00:48:07 | 000,000,227 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2008/02/10 01:45:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ump.INI
[2008/02/05 23:23:36 | 000,010,856 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2008/02/05 23:23:36 | 000,000,248 | RHS- | C] () -- C:\WINDOWS\System32\069DADDB21.sys
[2006/08/24 19:05:27 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/08/24 19:00:51 | 000,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
[2006/08/24 18:51:11 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2006/08/24 18:50:38 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2006/08/24 18:50:05 | 000,005,528 | ---- | C] () -- C:\WINDOWS\System32\Setup2k.ini
[2006/08/24 18:50:05 | 000,000,296 | ---- | C] () -- C:\WINDOWS\System32\presetup.ini
[2006/08/24 18:50:04 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\FSRremoC.DLL
[2006/02/02 20:37:10 | 000,004,676 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/09/23 08:52:14 | 000,207,872 | ---- | C] () -- C:\WINDOWS\System32\OneWay.dll
[2004/08/09 17:34:32 | 000,000,839 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2002/03/16 20:00:00 | 000,007,420 | ---- | C] () -- C:\WINDOWS\UA000091.DLL
[2001/07/06 16:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1980/01/01 04:00:00 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll

========== LOP Check ==========

[2010/04/03 23:40:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2006/08/24 18:56:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Borland
[2009/08/02 04:15:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2008/06/26 00:54:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EnterNHelp
[2008/11/07 01:11:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2010/04/24 00:08:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2006/08/24 18:54:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lenovo
[2008/04/30 22:06:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2008/06/26 00:52:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nikon
[2010/03/18 01:59:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2008/05/01 22:53:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Simple Star Shared
[2009/08/02 04:40:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 10
[2008/04/14 11:49:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaskMgr
[2010/04/26 00:17:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/02/05 23:08:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ThinkVantage
[2008/08/22 01:08:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2008/06/26 00:54:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ultima_T15
[2010/04/04 04:51:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ginger\Application Data\AVG9
[2008/04/07 01:03:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ginger\Application Data\EBookSys
[2010/04/20 23:25:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ginger\Application Data\Facebook
[2006/08/24 18:59:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ginger\Application Data\IBM
[2009/01/21 04:36:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ginger\Application Data\Image Zone Express
[2008/04/20 22:08:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ginger\Application Data\Lenovo
[2008/12/03 00:23:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ginger\Application Data\MSNInstaller
[2010/01/09 04:28:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ginger\Application Data\Nikon
[2009/06/09 00:22:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ginger\Application Data\OpenOffice.org
[2010/01/09 10:25:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ginger\Application Data\Research In Motion
[2008/05/01 22:46:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ginger\Application Data\Simple Star
[2010/03/18 03:05:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ginger\Application Data\SpaceMonger
[2008/02/05 23:08:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ginger\Application Data\ThinkVantage
[2009/09/13 13:35:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ginger\Application Data\Uniblue
[2009/01/08 21:57:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ginger\Application Data\Unity
[2009/09/08 21:45:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ginger\Application Data\Z-Firm LLC

========== Purity Check ==========



========== Custom Scans ==========


< >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 09:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2004/08/04 09:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 03:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 09:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
[2004/08/04 09:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 02:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 09:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 09:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 09:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/08/09 17:17:00 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/08/09 17:17:00 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/08/09 17:17:00 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/03 23:40:14 | 000,025,096 | ---- | M] (AVG Technologies CZ, s.r.o. ) -- C:\WINDOWS\system32\drivers\AVGIDSxx.sys
[2010/04/03 23:40:12 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgldx86.sys
[2010/04/03 23:40:43 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgmfx86.sys
[2010/04/03 23:40:13 | 000,052,872 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgrkx86.sys
[2010/04/19 08:53:45 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgtdix.sys
[2010/04/25 18:50:06 | 000,015,944 | ---- | M] () -- C:\WINDOWS\system32\drivers\hitmanpro35.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/02/24 09:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2010/03/10 11:36:36 | 000,217,032 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\PCTCore.sys
[2010/02/05 09:17:56 | 000,233,136 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\pctgntdi.sys
[2010/02/05 09:25:38 | 000,070,408 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\pctplsg.sys
[2010/02/11 08:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys
[2010/02/02 10:13:54 | 000,051,984 | --S- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\TfFsMon.sys
[2010/02/02 10:13:54 | 000,033,552 | --S- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\TfNetMon.sys
[2010/02/02 10:13:54 | 000,059,664 | --S- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\TfSysMon.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 201 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 142 bytes -> C:\WINDOWS\System32\:pctlsp.log
@Alternate Data Stream - 142 bytes -> C:\WINDOWS\System32\:pctlsp.log
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

OTL LOG No. 2

OTL Extras logfile created on: 4/25/2010 11:58:25 PM - Run 1
OTL by OldTimer - Version 3.2.3.0 Folder = C:\Documents and Settings\Ginger\Desktop\COMPUTER MAINTANENCE
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

703.00 Mb Total Physical Memory | 378.00 Mb Available Physical Memory | 54.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.99 Gb Total Space | 31.86 Gb Free Space | 45.53% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LBBBOOKS
Current User Name: Ginger
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [SpaceMonger] -- "C:\Program Files\SpaceMonger\SpaceMonger.exe" ; show-free-space false ; show-system-space false ; set-root "%l" (Sixty-Five Software, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"8723:TCP" = 8723:TCP:*:Enabled:Services
"80:TCP" = 80:TCP:*:Enabled:Services
"1709:TCP" = 1709:TCP:*:Enabled:Services
"1552:TCP" = 1552:TCP:*:Enabled:Services
"5256:TCP" = 5256:TCP:*:Enabled:Services
"3587:TCP" = 3587:TCP:*:Enabled:Windows Peer-to-Peer Grouping
"3540:UDP" = 3540:UDP:*:Enabled:Peer Name Resolution Protocol (PNRP)
"6241:TCP" = 6241:TCP:*:Enabled:Services
"2849:TCP" = 2849:TCP:*:Enabled:Services
"7146:TCP" = 7146:TCP:*:Enabled:Services
"2069:TCP" = 2069:TCP:*:Enabled:Services
"6615:TCP" = 6615:TCP:*:Enabled:Services
"6616:TCP" = 6616:TCP:*:Enabled:Services
"7427:TCP" = 7427:TCP:*:Enabled:Services
"7428:TCP" = 7428:TCP:*:Enabled:Services
"3961:TCP" = 3961:TCP:*:Enabled:Services
"6422:TCP" = 6422:TCP:*:Enabled:Services
"7083:TCP" = 7083:TCP:*:Enabled:Services
"7084:TCP" = 7084:TCP:*:Enabled:Services
"4054:TCP" = 4054:TCP:*:Enabled:Services
"6608:TCP" = 6608:TCP:*:Enabled:Services
"4198:TCP" = 4198:TCP:*:Enabled:Services
"4912:TCP" = 4912:TCP:*:Enabled:Services
"8324:TCP" = 8324:TCP:*:Enabled:Services
"8271:TCP" = 8271:TCP:*:Enabled:Services
"8272:TCP" = 8272:TCP:*:Enabled:Services
"6169:TCP" = 6169:TCP:*:Enabled:Services
"6170:TCP" = 6170:TCP:*:Enabled:Services
"8801:TCP" = 8801:TCP:*:Enabled:Services
"8802:TCP" = 8802:TCP:*:Enabled:Services
"1604:TCP" = 1604:TCP:*:Enabled:Services
"6083:TCP" = 6083:TCP:*:Enabled:Services
"6084:TCP" = 6084:TCP:*:Enabled:Services
"7240:TCP" = 7240:TCP:*:Enabled:Services
"7241:TCP" = 7241:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Disabled:Services
"2479:TCP" = 2479:TCP:*:Disabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"8723:TCP" = 8723:TCP:*:Disabled:Services
"1709:TCP" = 1709:TCP:*:Disabled:Services
"1552:TCP" = 1552:TCP:*:Enabled:Services
"5256:TCP" = 5256:TCP:*:Disabled:Services
"3587:TCP" = 3587:TCP:*:Enabled:Windows Peer-to-Peer Grouping
"3540:UDP" = 3540:UDP:*:Enabled:Peer Name Resolution Protocol (PNRP)
"6241:TCP" = 6241:TCP:*:Disabled:Services
"2849:TCP" = 2849:TCP:*:Disabled:Services
"7146:TCP" = 7146:TCP:*:Disabled:Services
"2069:TCP" = 2069:TCP:*:Enabled:Services
"6615:TCP" = 6615:TCP:*:Disabled:Services
"6616:TCP" = 6616:TCP:*:Disabled:Services
"7427:TCP" = 7427:TCP:*:Disabled:Services
"7428:TCP" = 7428:TCP:*:Disabled:Services
"3961:TCP" = 3961:TCP:*:Disabled:Services
"6422:TCP" = 6422:TCP:*:Disabled:Services
"7083:TCP" = 7083:TCP:*:Disabled:Services
"7084:TCP" = 7084:TCP:*:Disabled:Services
"4054:TCP" = 4054:TCP:*:Disabled:Services
"6608:TCP" = 6608:TCP:*:Disabled:Services
"4198:TCP" = 4198:TCP:*:Disabled:Services
"4912:TCP" = 4912:TCP:*:Disabled:Services
"8324:TCP" = 8324:TCP:*:Disabled:Services
"8272:TCP" = 8272:TCP:*:Disabled:Services
"8271:TCP" = 8271:TCP:*:Disabled:Services
"6169:TCP" = 6169:TCP:*:Enabled:Services
"6170:TCP" = 6170:TCP:*:Enabled:Services
"8801:TCP" = 8801:TCP:*:Enabled:Services
"8802:TCP" = 8802:TCP:*:Enabled:Services
"1604:TCP" = 1604:TCP:*:Enabled:Services
"6083:TCP" = 6083:TCP:*:Enabled:Services
"6084:TCP" = 6084:TCP:*:Enabled:Services
"7240:TCP" = 7240:TCP:*:Enabled:Services
"7241:TCP" = 7241:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\ThinkVantage\SystemUpdate\jre\bin\javaw.exe" = C:\Program Files\ThinkVantage\SystemUpdate\jre\bin\javaw.exe:*:Enabled:ThinkVantage System Update -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\ThinkVantage\SystemUpdate\jre\bin\javaw.exe" = C:\Program Files\ThinkVantage\SystemUpdate\jre\bin\javaw.exe:*:Enabled:ThinkVantage System Update -- File not found
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- File not found
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- File not found
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- File not found
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\MySpace\IM\MySpaceIM.exe" = C:\Program Files\MySpace\IM\MySpaceIM.exe:*:Enabled:MySpace Instant Messenger -- ()
"C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe:*:Enabled:QuickBooks 2009 Data Manager -- (Intuit, Inc.)
"C:\Program Files\AVG\AVG9\avgam.exe" = C:\Program Files\AVG\AVG9\avgam.exe:*:Enabled:avgam.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgdiagex.exe" = C:\Program Files\AVG\AVG9\avgdiagex.exe:*:Enabled:avgdiagex.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Disabled:hpfccopy.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Disabled:hpoews01.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Disabled:hpofxm08.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Disabled:hposfx08.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Disabled:hposid01.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Disabled:hpqcopy.exe -- File not found
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Disabled:hpqdia.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Disabled:hpqkygrp.exe -- File not found
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Disabled:hpqphunl.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Disabled:hpqscnvw.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Disabled:hpqste08.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Disabled:hpqtra08.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Disabled:hpzwiz01.exe -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{83FBD495-DDF6-4C8D-92D6-10261DD6F6A3}" = WordPerfect Office X3
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
"{1007F41F-7D69-468E-8017-3849A5A973C2}" = ThinkVantage Technologies Welcome Message
"{1A07F627-0F8F-43EE-B667-38908DF85911}" = Rescue and Recovery
"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
"{237CD223-1B9D-47E8-A76C-E478B83CCEA2}" = File Uploader
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 20
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{6280149E-EFF3-4F1B-BD43-5B7EDD6F620A}" = Lenovo Care Supplement
"{64E72FB1-2343-4977-B4A8-262CD53D0BD3}" = Corel Paint Shop Pro Photo X2
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83FBD495-DDF6-4C8D-92D6-10261DD6F6A3}" = WordPerfect Office X3
"{87441A59-5E64-4096-A170-14EFE67200C3}" = Picture Control Utility
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A5F34E2-37CF-4AD4-808C-2D413786E31A}" = Microsoft Visual C Runtime
"{8E726115-FCBE-43B1-9FB7-06E8E25F9ABE}" = Diskeeper Lite
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}" = QuickTime
"{986F64DC-FF15-449D-998F-EE3BCEC6666A}" = Help Center
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A2F0810-3622-4E86-9072-973FBE1679C5}" = QuickBooks Pro 2009
"{9A2F0810-369F-4E86-9072-973FBE1679C5}" = QuickBooks
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3D44AD8-D3C9-45E4-B861-3B653C6EF620}" = Rhapsody MP3 Download Manager
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.2
"{B28759B8-5FC6-4F56-9C6C-6EDAD36455A9}" = Roxio Media Manager
"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
"{B941B1C3-40AF-4E1E-AA5F-ED99EDEA1033}" = SecurDisc Viewer
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C54ED2B6-1AF2-416F-BBA8-5E2B8CDCB5C4}" = XP Themes
"{C6FA39A7-26B1-480A-BC74-6D17531AC222}" = Access Help
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE5E3F15-320A-4865-97D3-F07227C5BB2F}" = BlackBerry Desktop Software 4.5
"{CF52099A-3BEA-4C41-AEA8-1E190F04D737}" = Lenovo Care
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}" = U3Launcher
"{D8F6834B-D5E7-4451-8681-B051ABD8561D}" = ccCommon
"{DB71210F-8314-4AE3-B7A7-EBAF85BD30E9}" = Wallpapers
"{DF654BB0-0833-497B-82D5-4D9A5613AC2C}" = Small Business Center
"{E5EE9939-259F-4DE2-8023-5C49E16A4F43}" = Norton Internet Security
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{E7E836B8-4BDD-454F-82E6-5FEA17C83AD4}" = Message Center
"{E85FA9A1-C241-4698-893B-DD99509B8DB0}" = Norton WMI Update
"{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2
"{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
"{F007CBCE-D714-4C0B-8CE9-9B0D78116468}" = ViewNX
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FE64AE29-0883-4C70-8388-DC026019C900}" = HP Image Zone Express
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"AVG9Uninstall" = AVG 9.0
"BlackBerry_{CE5E3F15-320A-4865-97D3-F07227C5BB2F}" = BlackBerry Desktop Software 4.5
"Browser Defender_is1" = Browser Defender 2.0.6.15
"CCleaner" = CCleaner (remove only)
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_201414F1" = HSF2014 56K Data Fax Modem
"ERUNT_is1" = ERUNT 1.1j
"HitmanPro35" = Hitman Pro 3.5
"Homestead SiteBuilder" = Homestead SiteBuilder
"ie8" = Windows Internet Explorer 8
"InstallShield_{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MouseSuite98" = Mouse Suite
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MySpaceIM" = MySpaceIM
"Picasa 3" = Picasa 3
"ProcessScanner_is1" = Uniblue ProcessScanner
"SpaceMonger" = SpaceMonger 2.1.1
"Spyware Doctor" = Spyware Doctor 7.0
"VIA/S3G UniChrome Family Win2K/XP Display" = VIA/S3G Display Driver
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast-Ethernet Adapter
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/24/2010 9:07:35 AM | Computer Name = LBBBOOKS | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks Pro 2009": InitSystem
CheckDBServerEnvironment fail

Error - 4/24/2010 9:15:39 AM | Computer Name = LBBBOOKS | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 4/24/2010 9:15:39 AM | Computer Name = LBBBOOKS | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 4/24/2010 9:15:39 AM | Computer Name = LBBBOOKS | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 4/24/2010 9:15:39 AM | Computer Name = LBBBOOKS | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 4/24/2010 9:16:11 AM | Computer Name = LBBBOOKS | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks Pro 2009": Connection
Error:Invalid user ID or passwo

Error - 4/24/2010 9:16:11 AM | Computer Name = LBBBOOKS | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks Pro 2009": Connection
String:CON=QBConnectionPool-Probe-QB_data_engine_19; ;DBF=C:\Documents and Settings\All
Users\Documents\Intuit\QuickBooks\Company Files\Little Black Box LLC 2010a.QBW;ENG=QB_data_engine_19;DBN=b362e6e150b44832852e0e1d14df05

Error - 4/24/2010 9:16:11 AM | Computer Name = LBBBOOKS | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks Pro 2009": DBConnPool::HandleConnectionError
errorCode:-6069, dbCode:-103 from file:'.\.\src\ConnPool.cpp' at line 1003 from
function:'DBMgr::DBConnPool::ini

Error - 4/24/2010 9:16:22 AM | Computer Name = LBBBOOKS | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks Pro 2009": InitSystem
OpenDBSession[4] failed. Error code code 0, msg Succeed

Error - 4/25/2010 11:36:35 PM | Computer Name = LBBBOOKS | Source = Application Error | ID = 1000
Description = Faulting application morehope.exe, version 1.0.15.15281, faulting
module morehope.exe, version 1.0.15.15281, fault address 0x0000c4b1.

[ System Events ]
Error - 4/25/2010 10:23:48 PM | Computer Name = LBBBOOKS | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 4/25/2010 10:23:48 PM | Computer Name = LBBBOOKS | Source = Service Control Manager | ID = 7034
Description = The Pml Driver HPZ12 service terminated unexpectedly. It has done
this 1 time(s).

Error - 4/25/2010 10:23:48 PM | Computer Name = LBBBOOKS | Source = Service Control Manager | ID = 7034
Description = The ProtexisLicensing service terminated unexpectedly. It has done
this 1 time(s).

Error - 4/25/2010 10:23:48 PM | Computer Name = LBBBOOKS | Source = Service Control Manager | ID = 7034
Description = The QBCFMonitorService service terminated unexpectedly. It has done
this 1 time(s).

Error - 4/25/2010 10:23:50 PM | Computer Name = LBBBOOKS | Source = Service Control Manager | ID = 7034
Description = The TVT Scheduler service terminated unexpectedly. It has done this
1 time(s).

Error - 4/25/2010 10:23:50 PM | Computer Name = LBBBOOKS | Source = Service Control Manager | ID = 7034
Description = The Simple TCP/IP Services service terminated unexpectedly. It has
done this 1 time(s).

Error - 4/25/2010 10:23:50 PM | Computer Name = LBBBOOKS | Source = Service Control Manager | ID = 7034
Description = The TVT Backup Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 4/25/2010 10:23:51 PM | Computer Name = LBBBOOKS | Source = Service Control Manager | ID = 7034
Description = The AVG E-mail Scanner service terminated unexpectedly. It has done
this 1 time(s).

Error - 4/25/2010 10:29:22 PM | Computer Name = LBBBOOKS | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2

Error - 4/25/2010 10:29:22 PM | Computer Name = LBBBOOKS | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher
9 service to connect.


< End of report >

AVG REPORT CONCERNING TROJAN

"Scan ""Scan whole computer"" was finished."
"Infections";"2";"1";"1"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Monday, April 26, 2010, 12:50:46 AM"
"Scan finished:";"Monday, April 26, 2010, 12:51:03 AM (17 second(s))"
"Total object scanned:";"249"
"User who launched the scan:";"Ginger"

"Infections"
"File";"Infection";"Result"
"C:\WINDOWS\system32\services.exe (800):\memory_010c0000";"Trojan horse Cryptic.FJ";"Object is inaccessible."
"C:\WINDOWS\system32\services.exe (800)";"Trojan horse Cryptic.FJ";""
  • 0

Similar Topics: Google Redirect virus and Trojan horse Cryptic.FJ [Solved]     x


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O33 - MountPoints2\{b7493754-d460-11dc-a2e5-00142aceb095}\Shell - "" = AutoRun
    O33 - MountPoints2\{b7493754-d460-11dc-a2e5-00142aceb095}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{b7493754-d460-11dc-a2e5-00142aceb095}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
    @Alternate Data Stream - 142 bytes -> C:\WINDOWS\System32\:pctlsp.log
    @Alternate Data Stream - 142 bytes -> C:\WINDOWS\System32\:pctlsp.log
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done



Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access the the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
  • 0

#3
krpa-d-em

krpa-d-em

    Member

  • Member
  • PipPip
  • 39 posts
I ran the OTL custom scan as directed with no problems.

I ran the HelpAsst-mebroot_fix_exe initially and it did not find any infections, but it did remove a "help" type file.

When I attempted to run the bolded mbr -f command. It did nothing. The program would open and then immediately close.

Perhaps I am not making the command in bold. I used notepad, but the bold never appeared in the text when I transferred it. Please give me specific instructions on how to make the text bold when entering it into the Start>Run.

What do I do next?

Thank you for taking the time to help me. Man, this is so frustrating, I'm very grateful you are there to help.
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
  • 0

#5
krpa-d-em

krpa-d-em

    Member

  • Member
  • PipPip
  • 39 posts
Sorry this took so long, here is the Combofix log. Thank you very much.

ComboFix 10-04-27.02 - Ginger 04/28/2010 9:13.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.317 [GMT -4:00]
Running from: c:\documents and settings\Ginger\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\KGyGaAvL.sys
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-28 )))))))))))))))))))))))))))))))
.

2010-04-27 05:21 . 2010-04-27 05:21 -------- d-----w- c:\documents and settings\HelpAssistant.LBBBOOKS\WINDOWS
2010-04-27 05:21 . 2010-04-27 05:21 -------- d-----w- c:\documents and settings\HelpAssistant.LBBBOOKS\UserData
2010-04-27 05:21 . 2010-04-27 05:21 -------- d-----w- c:\documents and settings\HelpAssistant.LBBBOOKS\PrivacIE
2010-04-27 05:14 . 2010-04-27 05:14 -------- d-----w- c:\documents and settings\HelpAssistant.LBBBOOKS\IETldCache
2010-04-27 05:14 . 2010-04-27 05:14 -------- d-----w- c:\documents and settings\HelpAssistant.LBBBOOKS\IECompatCache
2010-04-27 05:09 . 2010-04-27 05:09 -------- d-----w- c:\documents and settings\HelpAssistant.LBBBOOKS\Client Security
2010-04-27 05:09 . 2010-04-27 05:09 -------- d-----w- c:\documents and settings\HelpAssistant.LBBBOOKS\Citrix
2010-04-27 05:09 . 2008-11-25 04:24 22 ----a-w- c:\documents and settings\HelpAssistant.LBBBOOKS\campaign monitor.zip
2010-04-27 00:09 . 2010-04-27 00:09 -------- d-----w- C:\HelpAsst_backup
2010-04-26 23:42 . 2010-04-26 23:42 -------- d-----w- C:\_OTL
2010-04-26 12:23 . 2010-04-26 12:23 -------- d-----w- c:\documents and settings\Ginger\Local Settings\Application Data\FixItCenter
2010-04-26 11:59 . 2010-04-26 11:59 -------- d-----w- c:\windows\MATS
2010-04-26 11:59 . 2010-04-26 11:59 -------- d-----w- c:\program files\Microsoft Fix it Center
2010-04-26 02:34 . 2010-04-26 02:34 -------- d-----w- c:\program files\ERUNT
2010-04-25 19:43 . 2010-02-02 14:13 59664 --s-a-w- c:\windows\system32\drivers\TfSysMon.sys
2010-04-25 19:43 . 2010-02-02 14:13 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2010-04-25 19:43 . 2010-02-02 14:13 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2010-04-25 19:43 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-25 19:43 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-25 19:43 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-25 19:43 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-25 19:43 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip
2010-04-25 19:43 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2010-04-25 19:40 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-25 19:40 . 2010-03-10 15:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-25 19:40 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-25 19:40 . 2010-02-05 13:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-25 19:40 . 2010-04-25 23:27 -------- d-----w- c:\program files\Spyware Doctor
2010-04-25 16:40 . 2008-04-14 09:41 81920 ------w- c:\windows\system32\ieencode.dll
2010-04-24 05:44 . 2010-04-24 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-24 05:44 . 2010-04-24 05:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-24 05:44 . 2010-04-24 05:44 -------- d-----w- c:\documents and settings\Ginger\Application Data\SUPERAntiSpyware.com
2010-04-24 05:43 . 2010-04-24 05:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-24 04:09 . 2010-04-27 03:18 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-24 04:09 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-24 04:08 . 2010-04-24 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-24 04:06 . 2010-04-24 04:06 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-23 01:27 . 2010-04-23 01:27 -------- d-----w- c:\documents and settings\Administrator.LBBBOOKS\Application Data\Malwarebytes
2010-04-21 03:25 . 2010-04-21 03:25 -------- d-----w- c:\documents and settings\Ginger\Application Data\Facebook
2010-04-18 20:31 . 2010-04-18 20:31 -------- d-----w- C:\$AVG
2010-04-18 03:07 . 2010-04-18 03:07 -------- d-----w- c:\documents and settings\Ginger\Application Data\Malwarebytes
2010-04-18 03:06 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-18 03:06 . 2010-04-18 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-18 03:06 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-18 03:06 . 2010-04-18 16:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 08:51 . 2010-04-04 08:51 -------- d-----w- c:\documents and settings\Ginger\Application Data\AVG9
2010-04-04 03:40 . 2010-04-04 03:40 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-04 03:40 . 2010-04-04 03:40 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-04 03:40 . 2010-04-28 13:06 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-04 03:40 . 2010-04-04 03:40 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-04-04 03:40 . 2010-04-04 03:40 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-04 03:40 . 2010-04-19 12:53 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-04 03:40 . 2010-04-04 03:40 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-04 03:40 . 2010-04-04 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 13:23 . 2008-04-14 02:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-25 19:43 . 2008-09-28 19:06 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-25 04:00 . 2006-08-24 23:03 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-04-24 08:13 . 2008-10-24 01:22 -------- d-----w- c:\program files\AVG
2010-04-24 04:09 . 2008-05-11 17:27 -------- d-----w- c:\program files\Java
2010-04-21 04:44 . 2008-06-26 04:54 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2010-04-20 05:16 . 2008-02-06 03:14 -------- d-----w- c:\documents and settings\Ginger\Application Data\U3
2010-04-19 03:08 . 2008-06-26 04:51 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2010-04-11 14:28 . 2008-04-14 04:02 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-04 23:50 . 2010-04-04 23:50 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2010-04-04 23:49 . 2010-04-04 23:49 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2010-04-04 23:49 . 2010-04-04 23:49 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2010-04-04 23:49 . 2010-04-04 23:49 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-04-04 02:03 . 2009-05-17 14:23 0 -c--a-w- c:\documents and settings\Ginger\Local Settings\Application Data\prvlcl.dat
2010-04-01 00:06 . 2008-05-11 17:27 -------- d-----w- c:\program files\Common Files\Java
2010-03-18 07:05 . 2010-03-18 07:05 -------- d-----w- c:\program files\SpaceMonger
2010-03-18 07:05 . 2010-03-18 07:05 -------- d-----w- c:\documents and settings\Ginger\Application Data\SpaceMonger
2010-03-18 05:59 . 2010-03-18 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PCDr
2010-03-18 04:08 . 2010-03-18 04:08 -------- d-----w- c:\documents and settings\Administrator.LBBBOOKS\Application Data\SpaceMonger
2010-03-17 10:36 . 2010-03-17 10:36 -------- d-----w- c:\documents and settings\LocalService\Application Data\PeerNetworking
2010-03-14 22:32 . 2008-02-06 03:09 66072 ------w- c:\documents and settings\Ginger\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-14 20:29 . 2008-05-01 05:06 -------- d-----w- c:\program files\Yahoo!
2010-03-14 20:27 . 2008-05-01 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-03-14 20:26 . 2008-05-02 04:18 -------- d-----w- c:\documents and settings\Ginger\Application Data\Yahoo!
2010-03-14 20:23 . 2008-03-04 13:15 -------- d-----w- c:\program files\HP
2010-03-10 06:15 . 1980-01-01 08:00 420352 ------w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 1980-01-01 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 1980-01-01 08:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-17 13:10 . 1980-01-01 08:00 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 06:59 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 1980-01-01 08:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 1980-01-01 08:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-01-29 12:24 . 2010-01-09 14:25 256 ----a-w- c:\windows\system32\pool.bin
2009-07-10 07:00 . 2008-02-06 03:23 248 --sh--r- c:\windows\system32\069DADDB21.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 49152]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"QuickFinder Scheduler"="c:\program files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [2007-01-03 83568]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-21 48752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"LPManager"="c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe" [2005-12-07 106496]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-03-01 196710]
"cssauthe"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" [2006-03-01 1992240]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2007-10-31 16200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-04-28 5937984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\Ginger\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe [2008-2-6 1078]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-2-2 984352]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 18:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-04 03:40 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"LightScribeService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"7474:TCP"= 7474:TCP:Services
"7475:TCP"= 7475:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"4288:TCP"= 4288:TCP:Services
"7076:TCP"= 7076:TCP:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [4/3/2010 11:40 PM 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/3/2010 11:40 PM 52872]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/25/2010 3:40 PM 217032]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [4/25/2010 3:43 PM 59664]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/3/2010 11:40 PM 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/3/2010 11:40 PM 242896]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [4/25/2010 3:40 PM 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [4/3/2010 11:40 PM 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/3/2010 11:40 PM 308064]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/25/2010 3:43 PM 112592]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [12/21/2005 8:45 PM 3968]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [4/24/2010 12:09 AM 15944]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]
S3 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/3/2010 11:40 PM 5888008]
S3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [4/3/2010 11:40 PM 122376]
S3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [4/3/2010 11:40 PM 30216]
S3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [4/3/2010 11:40 PM 26120]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [4/10/2010 5:05 PM 266544]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [4/25/2010 3:40 PM 70408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/25/2010 3:40 PM 366840]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HITMANPRO35

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\documents and settings\Ginger\Application Data\Mozilla\Firefox\Profiles\63qxlycj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\documents and settings\Ginger\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Ginger\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-PCDrProfiler - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-28 09:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82EDA708]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7d53f28
\Driver\ACPI -> ACPI.sys @ 0xf7bc6cb8
\Driver\atapi -> atapi.sys @ 0xf7b7e852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> 0x8292e8f0
PacketIndicateHandler -> NDIS.sys @ 0xf7a5ba21
SendHandler -> NDIS.sys @ 0xf7a3987b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3394718649-747758906-3735171228-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3394718649-747758906-3735171228-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-3394718649-747758906-3735171228-1006)
@Allowed: (Read) (S-1-5-21-3394718649-747758906-3735171228-1006)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(832)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(5164)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\pelscrll.dll
c:\windows\system32\PELCOMM.dll
c:\windows\system32\PELHOOKS.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\AVG\AVG9\avgam.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\VTTimer.exe
c:\windows\system32\ICO.EXE
c:\documents and settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
c:\program files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\Pelmiced.exe
c:\program files\IBM ThinkVantage\Common\Logger\logmon.exe
.
**************************************************************************
.
Completion time: 2010-04-28 09:38:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-28 13:38

Pre-Run: 29,504,131,072 bytes free
Post-Run: 29,345,591,296 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Home Edition" /fastdetect

- - End Of File - - 1F5E619337D44C337FB3FEF8945F5C89
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
this log may be too big so attach it if it is


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\documents and settings\HelpAssistant.LBBBOOKS
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
MBR::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0

#7
krpa-d-em

krpa-d-em

    Member

  • Member
  • PipPip
  • 39 posts
Here is the log, Thank you. One question, please. What is the reference the Combfix log makes to Norton at beginning? To my knowledge, Norton has never been programmed on this computer. I want to learn and be educated and help others some day.

Attached Files


  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
its just left overs from norton, must have been installed at one point


Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    
    :Services
    
    :Reg
    
    :Files
    c:\documents and settings\HelpAssistant.LBBBOOKS
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean




Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
can you tell me what else you have done to this machine yourself ?

open OTL click the none button, paste this in the custom scan box

/md5start
wdmaud.sys
/md5stop

click run scan post that log
  • 0

#10
krpa-d-em

krpa-d-em

    Member

  • Member
  • PipPip
  • 39 posts
I will complete all of the information you requested from the your two previous posts when I get home from work this evening. (About 10 pm eastern standard time.) The infection is on my home computer and I work a lot. I was unable to complete the Kaspersky scan last night b/c the computer froze. I will complete that tonite and send that and all of the other information.

I appreciate your help and patience very much.

Prior to contacting you, I researched many forums like this one and ran many programs, but I did not run Combo-Fix. I did not run any of the rogue programs that are listed in the forum, I am very, very careful about that.

Last year, I successfully removed the IE explorer rootkit by following instructions given by PC Tools. I attempted to remove the current google redirect virus and got in over my head. I have three years experience with Windows XP and I work hard to maintain three PC's for a business. I take pride in how they run well. I am going to sign up for the Geeks to Go education classes to further my knowledge.

Also, I noticed last night that there is now a user profile that was not previously on my computer. The user profile is entitled *HelpAssistant* is only found when looking at a system overiew and it is not found anywhere else. What is most curious is that it says the user profile takes up more than 1.5 Gigs of space. The other two barely take up 300 kb.

Here are a list of programs that I ran off the top of my head. I will get the exact list and exact spelling to you when I get home tonite. Since contacting you, I have tried to follow your instructions completely.

1. Malwarebytes, GMER, Super Anti-spyware, Tdssys Killer, Hitman Pro, ATF Cleaner
  • 0

#11
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
ok that's fine, just follow my above steps when you can
  • 0

#12
krpa-d-em

krpa-d-em

    Member

  • Member
  • PipPip
  • 39 posts
Ok, I am having problems with the Kaspersky scan. The scan is taking approx. 6 hours and each time after I run it, I am unable to retrieve the log needed. Here are the other logs you asked for. I am at home all day today and able to work on this. Thank you.

OTL LOG

All processes killed
========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7493754-d460-11dc-a2e5-00142aceb095}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b7493754-d460-11dc-a2e5-00142aceb095}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7493754-d460-11dc-a2e5-00142aceb095}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b7493754-d460-11dc-a2e5-00142aceb095}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7493754-d460-11dc-a2e5-00142aceb095}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b7493754-d460-11dc-a2e5-00142aceb095}\ not found.
File E:\LaunchU3.exe not found.
Unable to delete ADS C:\WINDOWS\System32\:pctlsp.log .
Unable to delete ADS C:\WINDOWS\System32\:pctlsp.log .
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

User: Administrator.LBBBOOKS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Ginger
->Temp folder emptied: 2293 bytes
->Temporary Internet Files folder emptied: 234130 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 4742255 bytes
->Flash cache emptied: 434 bytes

User: HelpAssistant
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: HelpAssistant.LBBBOOKS
->Temp folder emptied: 2293 bytes
->Temporary Internet Files folder emptied: 152210 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->FireFox cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1220432 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 6.00 mb


[EMPTYFLASH]

User: Administrator

User: Administrator.LBBBOOKS

User: All Users

User: Default User

User: Ginger
->Flash cache emptied: 0 bytes

User: HelpAssistant
->Flash cache emptied: 0 bytes

User: HelpAssistant.LBBBOOKS
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.3.0 log created on 04262010_235042

MBAM LOG

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4056

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/1/2010 12:54:54 AM
mbam-log-2010-05-01 (00-54-54).txt

Scan type: Quick scan
Objects scanned: 136470
Time elapsed: 7 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HERE IS THE OTL LOG CONCERNING MY SOUND PROBLEM


OTL logfile created on: 5/2/2010 1:18:49 PM - Run 3
OTL by OldTimer - Version 3.2.3.0 Folder = C:\Documents and Settings\Ginger\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

703.00 Mb Total Physical Memory | 115.00 Mb Available Physical Memory | 16.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 65.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.99 Gb Total Space | 27.31 Gb Free Space | 39.01% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LBBBOOKS
Current User Name: Ginger
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Custom Scans ==========
  • 0

#13
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

SRPeek::
C:\Windows\system32\drivers\wdmaud.sys
Mia::
C:\Windows\system32\drivers\wdmaud.sys

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *wdmaud.sys*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
  • 0

#14
krpa-d-em

krpa-d-em

    Member

  • Member
  • PipPip
  • 39 posts
The combofix log has been attached. I have stayed home from work today to deal with this problem. thank you. i also applied for Geek U.



SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:48 on 03/05/2010 by Ginger (Administrator - Elevation successful)

========== filefind ==========

Searching for "*wdmaud.sys*"
C:\WINDOWS\$hf_mig$\KB920872\SP2QFE\wdmaud.sys --a--- 82944 bytes [09:17 14/06/2006] [09:17 14/06/2006] 0BFA8203B8148FB4E54BC212C41CE497
C:\WINDOWS\$NtServicePackUninstall$\wdmaud.sys -----c 82944 bytes [00:14 03/09/2008] [09:00 14/06/2006] EFD235CA22B57C81118C1AEB4798F1C1
C:\WINDOWS\$NtServicePackUninstall$\wdmaud.sys.000 -----c 82944 bytes [00:15 03/09/2008] [09:00 14/06/2006] EFD235CA22B57C81118C1AEB4798F1C1
C:\WINDOWS\$NtUninstallKB920872$\wdmaud.sys -----c 82944 bytes [05:45 14/04/2008] [07:15 04/08/2004] 2797F33EBF50466020C430EE4F037933
C:\WINDOWS\ServicePackFiles\i386\wdmaud.sys ------ 83072 bytes [00:17 27/08/2008] [19:17 13/04/2008] 6768ACF64B18196494413695F0C3A00F
C:\WINDOWS\system32\dllcache\wdmaud.sys --a--- 83072 bytes [19:41 03/05/2010] [19:17 13/04/2008] 6768ACF64B18196494413695F0C3A00F
C:\WINDOWS\system32\drivers\wdmaud.sys --a--- 83072 bytes [19:41 03/05/2010] [19:17 13/04/2008] 6768ACF64B18196494413695F0C3A00F

-=End Of File=-

Attached Files


  • 0

#15
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
did you make a mistake doing the OTL Step ? It should have listed some files in the output

Can you try it again, make sure you are pasting this in the custom scan box


/md5start
wdmaud.sys
/md5stop


click run scan post that log
  • 0




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

featured