
Google Search Redirect Virus [Solved]



#1 Mahocker (Member, 10 posts)
When using Google search on IE, when I click on a search result I'm being redirected to another site. I've tried CCleaner and scanned with Malwarebytes Anti-Malware, AVG, SuperAntiSpyware, Bitdefender, and a-Squared Free. I've looked at HijackThis but I'm not sure what I'm looking at.

I believe it started when I was searching the internet and received a warning across my screen regarding Windows Police Pro. I've uninstalled Java and all older versions and re-installed the latest version.

Any help would be greatly appreciated!


#2 heir (Trusted Helper, Malware Removal, 5,427 posts)
Hello Mahocker !

Welcome to the site! :) My nickname is heir and I'll be helping clean up your computer. :)

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:
  • To make sure that you receive an email when I reply to this topic, please click here and check that this topic is listed under Malware Removal and Spyware Removal.
  • Please don't be afraid to ask questions! No question is considered dumb here. It's better to be safe than sorry!
  • When posting logs, please ensure Word Wrap is turned off in Notepad (to check, open Notepad, click Format in the menu bar and make sure that Word Wrap is unchecked).
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask!
  • Make sure you reply to this thread using the Add Reply button.

Please read my posts completely before following the instructions.
It may be easier for you if you copy and paste a post to a new text document or print it for reference later.
This is required when you won't have access to the Internet.


Step 1.
exeHelper:

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (it will be created in the directory where you ran exeHelper.com, and should open at the end of the scan).
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Step 2.
Win32kDiag:

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Step 3.
RootRepeal:

Download RootRepeal from one of the following locations and save it to your desktop:
  • Link 1
  • Link 2
  • Link 3
  • Double click the RootRepeal icon to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, click the Save Report button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click the insert button next to it to add the attachment into your post

Step 4.
OTS:

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

Step 5.
Things I would like to see in your reply:

  • The content of log.txt from step 1.
  • The content of Win32kDiag.txt from step 2.
  • The content of RootRepeal.txt from step 3.
  • The attached report from OTS in step 4.
  • Information on how your computer is running after those steps.


#3 Mahocker (Topic Starter, Member, 10 posts)
Hi Heir -

Thank you for the reply. I have done as requested and ran all the steps in order. Below are the results from steps 1-3 with step 4 attached.

After running through the steps, it seems like my computer speed has increased. After installing AVG Free I've been using the Yahoo toolbar and Yahoo search engine. When searching in Yahoo, I'm not redirected, but if I go to www.google.com and perform a search, I'm redirected.

Mahocker

Attached File: OTS.Txt (161.02KB, 140 downloads)



exeHelper by Raktor - 09
Build 20090925
Run at 08:00:47 on 10/07/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--



Running from: C:\Documents and Settings\Preferred Customer\My Documents\My Downloads\Win32kDiag.exe

Log file at : C:\Documents and Settings\Preferred Customer\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/07 08:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB8BDC000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79D1000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB45D8000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\preferred customer\local settings\temp\~df348d.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\preferred customer\local settings\temp\~dff251.tmp
Status: Allocation size mismatch (API: 32768, Raw: 16384)

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 856) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: tdlwsp.dll]

#4 heir (Trusted Helper, Malware Removal, 5,427 posts)
It looks as if RootRepeal.txt is cut off. The last line should be:

==EOF==

Please repost the content of RootRepeal.txt.

#5 Mahocker (Topic Starter, Member, 10 posts)
Sorry about that!

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/07 08:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB8BDC000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79D1000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB45D8000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\preferred customer\local settings\temp\~df348d.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\preferred customer\local settings\temp\~dff251.tmp
Status: Allocation size mismatch (API: 32768, Raw: 16384)

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 856) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: tdlwsp.dll]
Process: Explorer.EXE (PID: 340) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: tdlwsp.dll]
Process: iexplore.exe (PID: 2128) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: tdlwsp.dll]
Process: iexplore.exe (PID: 3620) Address: 0x10000000 Size: 28672

==EOF==
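Added example, not part of this thread and not RootRepeal's own code: a Python script that parses a RootRepeal report like the one Mahocker reposted above and pulls out the findings a helper reads first: which hidden modules were found in which processes, which files show an allocation-size mismatch, and which drivers have no visible file on disk. The sample input is the report above with its header and the dump_WMILIB.SYS and rootrepeal.sys entries trimmed; the section and field names come from that report, and the parser assumes every record is a blank-line-separated group of "Key: Value" fields laid out as RootRepeal 1.3.5.0 prints them.

```python
import re
from collections import defaultdict

# Sample input: the Drivers, Hidden/Locked Files and Stealth Objects sections of
# the RootRepeal.txt reposted above (header, dump_WMILIB.SYS and rootrepeal.sys trimmed).
SAMPLE_REPORT = r"""Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB8BDC000 Size: 98304 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\preferred customer\local settings\temp\~df348d.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\preferred customer\local settings\temp\~dff251.tmp
Status: Allocation size mismatch (API: 32768, Raw: 16384)

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 856) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: tdlwsp.dll]
Process: Explorer.EXE (PID: 340) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: tdlwsp.dll]
Process: iexplore.exe (PID: 2128) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: tdlwsp.dll]
Process: iexplore.exe (PID: 3620) Address: 0x10000000 Size: 28672

==EOF==
"""
DASHES = re.compile(r"-{5,}$")
# Fields RootRepeal packs onto one line; the lookahead ends a value before the next one.
INLINE = r"Address|Size|File Visible|Signed"
FIELD = re.compile(
    r"(Image Path|File Visible|Name|Address|Size|Signed|Status|Path|Object|Process): "
    r"(.*?)(?=\s+(?:" + INLINE + r"): |$)"
)
MODULE = re.compile(r"Hidden Module \[Name: ([^\]]+)\]")
PROCESS = re.compile(r"^(.+?) \(PID: (\d+)\)$")
MISMATCH = re.compile(r"Allocation size mismatch \(API: (\d+), Raw: (\d+)\)")

def parse_report(text):
    """Return {section name: [record, ...]}; a record is one blank-line-separated group."""
    lines = text.splitlines()
    sections, current, record = {}, None, {}
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and DASHES.match(lines[i + 1]):  # header: dashes follow
            if record and current:
                sections[current].append(record)
            current, record = line.strip(), {}
            sections[current] = []
        elif current is None or DASHES.match(line):
            continue
        elif not line.strip() or line.strip() == "==EOF==":
            if record:
                sections[current].append(record)
            record = {}
        else:
            for key, value in FIELD.findall(line):
                record[key] = value.strip()
    if record and current:
        sections[current].append(record)
    return sections

def hidden_modules(sections):
    """{module name: [(process image, pid), ...]} from the Stealth Objects section."""
    found = defaultdict(list)
    for rec in sections.get("Stealth Objects", []):
        m = MODULE.search(rec.get("Object", ""))
        p = PROCESS.match(rec.get("Process", ""))
        if m and p:
            found[m.group(1).lower()].append((p.group(1), int(p.group(2))))
    return dict(found)

def allocation_mismatches(sections):
    """[(path, api size, raw size)] for files whose raw size disagrees with the API size."""
    out = []
    for rec in sections.get("Hidden/Locked Files", []):
        m = MISMATCH.search(rec.get("Status", ""))
        if m:
            out.append((rec["Path"], int(m.group(1)), int(m.group(2))))
    return out

def invisible_drivers(sections):
    # Not every hit is hostile: dump_* entries are the memory-only crash-dump copies of the
    # boot storage drivers, and rootrepeal.sys (in the full report) is the scanner's own driver.
    return [d["Name"] for d in sections.get("Drivers", []) if d.get("File Visible") == "No"]

if __name__ == "__main__":
    for module, procs in hidden_modules(parse_report(SAMPLE_REPORT)).items():
        print(module, "->", ", ".join(f"{img} (PID {pid})" for img, pid in procs))
```

Run as a script it lists each hidden module with the processes it was found in. The same module name loaded at the same base address into Explorer.EXE and both iexplore.exe instances, as tdlwsp.dll is here, is the kind of finding to compare against a rescan after cleanup: it should be absent from the follow-up report.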

#6 heir (Trusted Helper, Malware Removal, 5,427 posts)
Download Combofix from any of the links below. You must rename it to UMahocker.exe before saving it. Save it to your desktop.

Link 2
Link 3

-------------------------------------------------------------------

Double click on UMahocker.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt .


#7 Mahocker (Topic Starter, Member, 10 posts)
Here is the Combofix log:

ComboFix 09-10-06.04 - Preferred Customer 10/07/09 20:10.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1744 [GMT -5:00]
Running from: c:\documents and settings\Preferred Customer\My Documents\My Downloads\UMahocker.exe
AV: Norman Security Suite ver. 7.00 *On-access scanning enabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\desktop.ini
c:\documents and settings\All Users\Application Data\38E4A092.exe
c:\documents and settings\All Users\Application Data\92107786.ini
c:\documents and settings\Preferred Customer\Application Data\inst.exe
c:\documents and settings\Preferred Customer\Application Data\Microsoft\Internet Explorer\Quick Launch\SUPERAntiSpyware.lnk
c:\windows\Installer\16cfcd.msi
c:\windows\Installer\1c699bf.msp
c:\windows\Installer\1c699c5.msp
c:\windows\Installer\1f9ac8.msi
c:\windows\Installer\2f85ac.msi
c:\windows\Installer\8e654.msi
c:\windows\Installer\b6496b.msi
c:\windows\Mmob864g5s3d6p.dll
c:\windows\system32\1143239840.dat
c:\windows\system32\anosihuy.ini
c:\windows\system32\asenunus.ini
c:\windows\system32\dbsinit.exe
c:\windows\system32\ebehabat.ini
c:\windows\system32\igikepew.ini
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\tmp.reg
c:\windows\system32\udewuziy.ini

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Kitty ate it :)
.
((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))
.

2009-10-08 00:15 . 2009-10-08 00:15 -------- d-----w- c:\documents and settings\Preferred Customer\Local Settings\Application Data\RegistryBackups
2009-10-07 22:07 . 2009-10-07 22:07 -------- d-----w- C:\UMahocker
2009-10-07 12:12 . 2009-10-07 12:12 0 ----a-w- c:\documents and settings\Preferred Customer\settings.dat
2009-10-07 03:34 . 2009-10-07 03:35 -------- d-----w- c:\program files\ERUNT
2009-10-07 00:06 . 2009-10-07 00:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-07 00:05 . 2009-10-07 00:05 -------- d-----w- c:\program files\Java
2009-10-06 23:27 . 2009-10-06 23:27 -------- d-----w- c:\documents and settings\Preferred Customer\Local Settings\Application Data\Downloaded Installations
2009-10-06 23:15 . 2009-01-20 17:52 31928 ----a-w- c:\windows\system32\rrMon.sys
2009-10-06 23:15 . 2009-10-06 23:15 -------- d-----w- c:\program files\Registrar Registry Manager
2009-10-06 03:31 . 2009-10-06 03:31 815 ----a-w- C:\rtsr_eml_sr.dat
2009-10-06 03:31 . 2009-10-06 03:31 141 ----a-w- C:\dwl.dat
2009-10-06 03:15 . 2009-10-06 03:15 16 ----a-w- C:\asdict.dat
2009-10-05 23:41 . 2009-10-05 23:41 -------- d-----w- c:\program files\AVG
2009-10-05 02:08 . 2009-10-05 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-05 02:07 . 2009-10-05 11:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-05 02:07 . 2009-10-05 02:07 -------- d-----w- c:\documents and settings\Preferred Customer\Application Data\SUPERAntiSpyware.com
2009-09-29 20:41 . 2009-09-29 20:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-29 11:30 . 2009-09-29 11:30 -------- d-----w- c:\documents and settings\Preferred Customer\Application Data\MoveFab
2009-09-28 22:29 . 2009-09-28 22:29 -------- d-----w- c:\program files\DVDFab 6
2009-09-15 01:55 . 2009-09-15 01:55 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-15 01:48 . 2009-10-01 02:23 -------- d-----w- c:\program files\iTunes
2009-09-15 01:46 . 2009-09-21 01:20 -------- d-----w- c:\program files\QuickTime
2009-09-12 23:48 . 2009-09-12 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-08 20:52 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-07 11:17 . 2004-12-21 19:19 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-07 03:39 . 2009-01-15 15:51 81984 ----a-w- c:\windows\system32\bdod.bin
2009-10-06 03:31 . 2009-03-26 03:49 132 ----a-w- C:\httpdwl.dat
2009-10-06 02:15 . 2007-05-20 04:43 -------- d-----w- c:\program files\Windows Desktop Search
2009-10-05 19:35 . 2009-02-13 02:57 -------- d-----w- c:\program files\a-squared Free
2009-10-05 02:06 . 2008-06-25 00:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-04 18:26 . 2009-02-13 01:57 -------- d-----w- c:\program files\CCleaner
2009-10-01 01:31 . 2009-01-15 01:51 -------- d-----w- c:\documents and settings\Preferred Customer\Application Data\DVDFab
2009-09-29 12:37 . 2009-04-11 18:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-28 22:30 . 2008-06-06 12:18 -------- d-----w- c:\documents and settings\Preferred Customer\Application Data\Vso
2009-09-28 22:29 . 2008-06-06 12:18 47360 -c--a-w- c:\documents and settings\Preferred Customer\Application Data\pcouffin.sys
2009-09-28 22:29 . 2005-01-09 16:34 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-09-27 22:55 . 2008-10-01 23:25 -------- d-----w- c:\documents and settings\Preferred Customer\Application Data\LimeWire
2009-09-21 02:22 . 2007-08-12 13:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-21 02:00 . 2008-11-22 18:44 -------- d-----w- c:\program files\Safari
2009-09-21 01:22 . 2005-12-25 15:18 -------- d-----w- c:\program files\iPod
2009-09-15 01:53 . 2005-12-25 15:23 -------- d-----w- c:\documents and settings\Preferred Customer\Application Data\Apple Computer
2009-09-12 23:43 . 2007-08-12 13:07 -------- d-----w- c:\program files\Common Files\Apple
2009-09-10 19:54 . 2009-04-11 18:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-04-11 18:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 03:31 . 2005-01-09 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-09-09 20:41 . 2008-12-31 14:06 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 01:31 . 2008-02-26 01:02 -------- d-----w- c:\program files\LimeWire
2009-09-03 11:57 . 2009-09-03 11:57 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2009-08-29 00:42 . 2009-04-23 03:16 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 00:42 . 2007-12-06 02:32 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-12 23:25 . 2009-08-12 23:25 -------- d-----w- c:\program files\DVD Shrink 3.1
2009-08-12 23:08 . 2007-01-15 04:06 -------- d-----w- c:\documents and settings\Preferred Customer\Application Data\Corel
2009-08-12 22:56 . 2004-12-21 19:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 09:01 . 2004-08-04 12:00 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-07-24 00:06 . 2008-11-05 22:25 34 ----a-w- c:\documents and settings\Preferred Customer\jagex_runescape_preferences.dat
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 12:00 286208 ------w- c:\windows\system32\wmpdxm.dll
2004-08-04 12:00 . 2004-08-04 12:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2004-08-04 12:00 50688 --sh--w- c:\windows\twain_32.dll
2009-06-26 23:35 . 2007-01-15 03:50 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
2008-04-14 00:12 . 2004-08-04 12:00 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 . 2004-08-04 12:00 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2004-08-04 12:00 343040 --sh--w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12 . 2004-08-04 12:00 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 . 2004-08-04 12:00 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 . 2004-08-04 12:00 11776 --sh--w- c:\windows\system32\regsvr32.exe
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-12-28 01:14 . 2004-03-18 14:33 892928 c:\program files\Logitech\iTouch\bak\iTouch.exe
2008-02-16 18:27 . 2004-03-18 15:33 892928 c:\program files\Logitech\iTouch\iTouch.exe

2004-08-04 12:00 . 2004-08-04 12:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-04 12:00 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-07 149280]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Keyboard Keys.lnk - c:\program files\Logitech\iTouch\bak\iTouch.exe [2004-12-27 892928]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [09/15/09 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [09/15/09 11:42 AM 74480]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [01/30/08 04:52 AM 106496]
S3 Arrakis3;BitDefender Arrakis Server;"c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe" --> c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [?]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys --> c:\windows\system32\drivers\bdfm.sys [?]
S3 DCamUSB20;AVerDVD EZMaker USB 2.0 Video Capture;c:\windows\system32\drivers\CsMini20.sys [03/18/03 04:55 PM 46248]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [09/15/09 11:42 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://madison.craigslist.org/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-Registrar Registry Manager 6.02 - c:\program files\Registrar Registry Manager\unwise.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 20:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,4a,38,2d,52,16,
6b,90,08,c8,28,51,af,b0,29,a3,98,76,cf,2a,e3,9c,a9,8b,0d,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,6a,67,e4,11,38,
35,60,e3,71,3b,04,66,8b,46,0d,96,07,f9,dd,8e,48,7e,33,6e,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,b1,46,00,98,53,
91,a7,c1,25,da,ec,7e,55,20,c9,26,b7,4f,11,6c,83,ce,ac,c8,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,aa,09,ed,be,60,
6b,e2,8c,3e,1e,9e,e0,57,5a,93,61,f8,b6,d9,81,9a,67,9a,83,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,1d,db,c4,5f,31,
cd,cc,97,cd,44,cd,b9,a6,33,6c,cd,11,d3,b8,3a,ca,90,59,c1,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,0f,4d,92,fd,2b,
6e,69,50,b0,18,ed,a7,3f,8d,37,a4,23,42,81,a2,b2,76,f6,a7,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,ca,ce,4c,a5,52,
10,6a,e1,31,77,e1,ba,b1,f8,68,02,5d,84,dd,f7,7d,0a,55,43,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,60,ca,af,b6,90,
5d,9b,b1,83,6c,56,8b,a0,85,96,ab,af,63,df,36,a1,90,63,1b,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,14,37,16,8a,f9,
1b,25,42,51,fa,6e,91,28,9e,14,cc,3f,40,73,47,5d,47,03,c3,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,ed,82,fd,f2,9e,
54,d0,9f,b1,cd,45,5a,a8,c4,f8,b9,b8,ce,cf,ed,be,ba,4d,a7,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,72,51,31,ce,6b,
48,4a,04,e3,0e,66,d5,eb,bc,2f,6b,17,cb,0d,0a,d2,74,7c,00,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:05,73,21,dd,54,d8,4a,c5,cd,08,38,eb,16,
08,d2,a3,fa,ea,66,7f,d4,3b,6b,70,1b,f0,de,d7,77,fb,bf,b6,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-10-08 20:19
ComboFix-quarantined-files.txt 2009-10-08 01:18

Pre-Run: 33,176,010,752 bytes free
Post-Run: 33,420,304,384 bytes free

313 --- E O F --- 2009-09-09 03:35

#8 heir (Trusted Helper, Malware Removal, 5,427 posts)
That took care of some.
Let's move on.

Why didn't you place Combofix on the desktop as instructed? That tool needs to be located there.

Please Move
c:\documents and settings\Preferred Customer\My Documents\My Downloads\UMahocker.exe
to your desktop

Step 1.
CFScript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

FCopy::
c:\windows\ServicePackFiles\i386\eventlog.dll | c:\windows\system32\eventlog.dll 
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"c:\\StubInstaller.exe"=-
RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

Save this as CFScript.txt, in the same location as UMahocker.exe


[Posted image: dragging CFScript.txt onto UMahocker.exe]

Referring to the picture above, drag CFScript into UMahocker.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2.
OTL-scan:

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Standard Output.
  • Underneath Extra Registry at the lower left change it to Use SafeList.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Step 3.
Things I would like to see in your reply:

  • The content of C:\ComboFix.txt from step 1.
  • The content of OTL.txt and Extras.txt from step 2.
  • Information on how your computer is running now.

Edited by heir, 07 October 2009 - 07:57 PM.

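Before dragging a CFScript onto ComboFix it is worth reading back exactly what it will do, since ComboFix runs the whole script with full privileges and there is no undo. The following Python script is an added example for this thread, not ComboFix's own code and not something the helper posted: it parses the three directives used in the script above (FCopy::, Registry::, RegNull::) into a plain list of actions and a short review list. The meaning given to each directive (FCopy replaces the destination with the source copy; a .reg-style "name"=- line deletes that value; RegNull removes keys whose names carry embedded NUL characters, the ones ComboFix writes with a trailing "*") is an assumption drawn from .reg file syntax and ComboFix usage, not something stated on this page. The sample script embedded in the block is the helper's, with the RegNull list shortened to three keys.

```python
"""Dry-run reader for a ComboFix CFScript.

Added example for this thread; it is not ComboFix's own code and not something
the helper posted.  It turns the CFScript above (FCopy::, Registry::, RegNull::)
into a plain list of actions so the script can be reviewed before it is dragged
onto ComboFix.  The directive meanings below are assumptions drawn from .reg
file syntax and ComboFix usage, not statements made on this page:
  FCopy::    "source | destination"  overwrite destination with the source copy
  Registry:: .reg syntax; a line  "name"=-  deletes that value under the key above it
  RegNull::  delete keys whose names carry embedded NUL characters (ComboFix
             marks such keys with a trailing "*" in its logs and scripts)
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the helper's script copied verbatim, with the RegNull
# list shortened to three of its twelve CLSID keys.
SAMPLE_SCRIPT = r"""FCopy::
c:\windows\ServicePackFiles\i386\eventlog.dll | c:\windows\system32\eventlog.dll
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"c:\\StubInstaller.exe"=-
RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"""

DIRECTIVE = re.compile(r"^([A-Za-z]+)::$")
KEY = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"(.*)"=(.*)$')          # "name"=-   or   "name"="data"


@dataclass
class Plan:
    file_copies: list = field(default_factory=list)    # (src, dst)
    value_deletes: list = field(default_factory=list)  # (key, value name)
    value_sets: list = field(default_factory=list)     # (key, value name, data)
    null_keys: list = field(default_factory=list)      # key paths ending in "*"
    unparsed: list = field(default_factory=list)       # (directive, line)


def parse_cfscript(text: str) -> Plan:
    """Walk the script line by line; the current directive decides how a line is read."""
    plan, directive, key = Plan(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DIRECTIVE.match(line):
            directive, key = m.group(1), None
            continue
        if directive == "FCopy":
            src, sep, dst = line.partition("|")
            if sep:
                plan.file_copies.append((src.strip(), dst.strip()))
            else:
                plan.unparsed.append((directive, line))
        elif directive == "Registry":
            if m := KEY.match(line):
                key = m.group(1)                       # "~" is kept exactly as ComboFix writes it
            elif (m := VALUE.match(line)) and key:
                name = m.group(1).replace("\\\\", "\\")  # undo the backslash doubling of .reg files
                if m.group(2) == "-":
                    plan.value_deletes.append((key, name))
                else:
                    plan.value_sets.append((key, name, m.group(2)))
            else:
                plan.unparsed.append((directive, line))
        elif directive == "RegNull":
            if (m := KEY.match(line)) and m.group(1).endswith("*"):
                plan.null_keys.append(m.group(1))
            else:
                plan.unparsed.append((directive, line))
        else:
            plan.unparsed.append((directive or "<no directive>", line))
    return plan


def review(plan: Plan) -> list:
    """Things a reviewer should look at before running the script."""
    notes = []
    for src, dst in plan.file_copies:          # a rename hiding inside an FCopy is suspicious
        if src.rsplit("\\", 1)[-1].lower() != dst.rsplit("\\", 1)[-1].lower():
            notes.append(f"FCopy changes the file name: {src} -> {dst}")
    for key, name, data in plan.value_sets:    # writes are rarer than deletes in a cleanup script
        notes.append(f"Registry:: writes a value instead of deleting one: [{key}] {name}={data}")
    for directive, line in plan.unparsed:
        notes.append(f"line not understood under {directive}: {line}")
    return notes


def describe(plan: Plan) -> list:
    """Human-readable plan, one action per line."""
    out = [f"copy {s} over {d}" for s, d in plan.file_copies]
    out += [f"delete value '{n}' under [{k}]" for k, n in plan.value_deletes]
    out += [f"set value '{n}' under [{k}]" for k, n, _ in plan.value_sets]
    out += [f"delete NUL-embedded key [{k}]" for k in plan.null_keys]
    return out


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_SCRIPT)
    print("\n".join(describe(plan)))
    print("\n".join(review(plan)) or "no review notes")
```

Run it as-is and it prints the six actions in the helper's script with no review notes; paste a different CFScript into SAMPLE_SCRIPT and anything that writes a value, renames a file or does not parse is listed for a closer look before the script touches a live machine.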
#9 Mahocker (Topic Starter, Member, 10 posts)
Sorry about that! I moved UMahocker.exe to the desktop and also saved CFScript.txt to the desktop. When I drag CFScript.txt into UMahocker.exe, ComboFix starts to run but then gives me an error message that it detected the following real-time scanner(s) to be active: Norman Security Suite ver. 7.00. I haven't had Norman as my antivirus provider since December 08, at which time I performed an uninstall. I've searched My Computer for the word "Norman" and found a couple of compressed archived folders that won't let me delete them.

Do you know how I can get Norman to quit running?

Thanks
#10 heir (Trusted Helper, Malware Removal, 5,427 posts)
In the user guide, go to page 21 (page 23 in the PDF document) and disable it according to point 2.

But then this applies:

I haven't had Norman as my Antivirus provider since December 08 at which time I performed an uninstall.

So you don't have any antivirus protection at the moment, do you?
How did you uninstall it? Like this (it's from the user guide):

Uninstalling the Security Suite
You can uninstall the product using Windows’ Control Panel’s Add/
Remove programs (on Vista, from Programs and Features), or running
delnvc5.exe from c:\Program Files\Norman\nvc\bin
and choose the Remove option. When the program is removed, restart
the computer.

If it won't uninstall, then try booting into Safe Mode and uninstalling it.

If you're not able to disable or uninstall it, then run ComboFix anyway.

Edited by heir, 07 October 2009 - 11:50 PM.

#11 Mahocker (Topic Starter, Member, 10 posts)
I don't have any antivirus protection on my computer at this time. I uninstalled it so it wouldn't interfere with these reports. My computer is running much faster now and it appears the redirection of search links is gone! I was unable to remove the reference to Norman, so I went ahead and ran ComboFix. Here are the results for ComboFix.txt, OTL.txt and Extras.txt:

ComboFix 09-10-07.02 - Preferred Customer 10/08/09 6:51.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1669 [GMT -5:00]
Running from: c:\documents and settings\Preferred Customer\Desktop\UMahocker.exe
Command switches used :: c:\documents and settings\Preferred Customer\Desktop\CFScript.txt
AV: Norman Security Suite ver. 7.00 *On-access scanning enabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))
.

2009-10-08 11:51 . 2008-04-14 00:11 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-10-08 11:51 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-10-08 00:15 . 2009-10-08 00:15 -------- d-----w- c:\documents and settings\Preferred Customer\Local Settings\Application Data\RegistryBackups
2009-10-07 22:07 . 2009-10-07 22:07 -------- d-----w- C:\UMahocker
2009-10-07 12:12 . 2009-10-07 12:12 0 ----a-w- c:\documents and settings\Preferred Customer\settings.dat
2009-10-07 03:34 . 2009-10-07 03:35 -------- d-----w- c:\program files\ERUNT
2009-10-07 00:06 . 2009-10-07 00:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-07 00:05 . 2009-10-07 00:05 -------- d-----w- c:\program files\Java
2009-10-06 23:27 . 2009-10-06 23:27 -------- d-----w- c:\documents and settings\Preferred Customer\Local Settings\Application Data\Downloaded Installations
2009-10-06 23:15 . 2009-01-20 17:52 31928 ----a-w- c:\windows\system32\rrMon.sys
2009-10-06 23:15 . 2009-10-06 23:15 -------- d-----w- c:\program files\Registrar Registry Manager
2009-10-06 03:31 . 2009-10-06 03:31 815 ----a-w- C:\rtsr_eml_sr.dat
2009-10-06 03:31 . 2009-10-06 03:31 141 ----a-w- C:\dwl.dat
2009-10-06 03:15 . 2009-10-06 03:15 16 ----a-w- C:\asdict.dat
2009-10-05 23:41 . 2009-10-05 23:41 -------- d-----w- c:\program files\AVG
2009-10-05 02:08 . 2009-10-05 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-05 02:07 . 2009-10-05 11:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-05 02:07 . 2009-10-05 02:07 -------- d-----w- c:\documents and settings\Preferred Customer\Application Data\SUPERAntiSpyware.com
2009-09-29 20:41 . 2009-09-29 20:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-29 11:30 . 2009-09-29 11:30 -------- d-----w- c:\documents and settings\Preferred Customer\Application Data\MoveFab
2009-09-28 22:29 . 2009-09-28 22:29 -------- d-----w- c:\program files\DVDFab 6
2009-09-15 01:55 . 2009-09-15 01:55 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-15 01:48 . 2009-10-01 02:23 -------- d-----w- c:\program files\iTunes
2009-09-15 01:46 . 2009-09-21 01:20 -------- d-----w- c:\program files\QuickTime
2009-09-12 23:48 . 2009-09-12 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-08 20:52 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-07 11:17 . 2004-12-21 19:19 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-07 03:39 . 2009-01-15 15:51 81984 ----a-w- c:\windows\system32\bdod.bin
2009-10-06 03:31 . 2009-03-26 03:49 132 ----a-w- C:\httpdwl.dat
2009-10-06 02:15 . 2007-05-20 04:43 -------- d-----w- c:\program files\Windows Desktop Search
2009-10-05 19:35 . 2009-02-13 02:57 -------- d-----w- c:\program files\a-squared Free
2009-10-05 02:06 . 2008-06-25 00:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-04 18:26 . 2009-02-13 01:57 -------- d-----w- c:\program files\CCleaner
2009-10-01 01:31 . 2009-01-15 01:51 -------- d-----w- c:\documents and settings\Preferred Customer\Application Data\DVDFab
2009-09-29 12:37 . 2009-04-11 18:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-28 22:30 . 2008-06-06 12:18 -------- d-----w- c:\documents and settings\Preferred Customer\Application Data\Vso
2009-09-28 22:29 . 2008-06-06 12:18 47360 -c--a-w- c:\documents and settings\Preferred Customer\Application Data\pcouffin.sys
2009-09-28 22:29 . 2005-01-09 16:34 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-09-27 22:55 . 2008-10-01 23:25 -------- d-----w- c:\documents and settings\Preferred Customer\Application Data\LimeWire
2009-09-21 02:22 . 2007-08-12 13:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-21 02:00 . 2008-11-22 18:44 -------- d-----w- c:\program files\Safari
2009-09-21 01:22 . 2005-12-25 15:18 -------- d-----w- c:\program files\iPod
2009-09-15 01:53 . 2005-12-25 15:23 -------- d-----w- c:\documents and settings\Preferred Customer\Application Data\Apple Computer
2009-09-12 23:43 . 2007-08-12 13:07 -------- d-----w- c:\program files\Common Files\Apple
2009-09-10 19:54 . 2009-04-11 18:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-04-11 18:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 03:31 . 2005-01-09 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-09-09 20:41 . 2008-12-31 14:06 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 01:31 . 2008-02-26 01:02 -------- d-----w- c:\program files\LimeWire
2009-09-03 11:57 . 2009-09-03 11:57 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2009-08-29 00:42 . 2009-04-23 03:16 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 00:42 . 2007-12-06 02:32 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-12 23:25 . 2009-08-12 23:25 -------- d-----w- c:\program files\DVD Shrink 3.1
2009-08-12 23:08 . 2007-01-15 04:06 -------- d-----w- c:\documents and settings\Preferred Customer\Application Data\Corel
2009-08-12 22:56 . 2004-12-21 19:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 09:01 . 2004-08-04 12:00 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-07-24 00:06 . 2008-11-05 22:25 34 ----a-w- c:\documents and settings\Preferred Customer\jagex_runescape_preferences.dat
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 12:00 286208 ------w- c:\windows\system32\wmpdxm.dll
2004-08-04 12:00 . 2004-08-04 12:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2004-08-04 12:00 50688 --sh--w- c:\windows\twain_32.dll
2009-06-26 23:35 . 2007-01-15 03:50 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
2008-04-14 00:12 . 2004-08-04 12:00 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 . 2004-08-04 12:00 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2004-08-04 12:00 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 . 2004-08-04 12:00 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 . 2004-08-04 12:00 11776 --sh--w- c:\windows\system32\regsvr32.exe
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-10-08_01.16.42 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00 . 2009-10-08 01:13 87996 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-10-08 11:22 87996 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-10-08 11:22 478454 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-10-08 01:13 478454 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-12-28 01:14 . 2004-03-18 14:33 892928 c:\program files\Logitech\iTouch\bak\iTouch.exe
2008-02-16 18:27 . 2004-03-18 15:33 892928 c:\program files\Logitech\iTouch\iTouch.exe

2004-08-04 12:00 . 2004-08-04 12:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-04 12:00 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-07 149280]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Keyboard Keys.lnk - c:\program files\Logitech\iTouch\bak\iTouch.exe [2004-12-27 892928]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [09/15/09 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [09/15/09 11:42 AM 74480]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [01/30/08 04:52 AM 106496]
S3 Arrakis3;BitDefender Arrakis Server;"c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe" --> c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [?]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys --> c:\windows\system32\drivers\bdfm.sys [?]
S3 DCamUSB20;AVerDVD EZMaker USB 2.0 Video Capture;c:\windows\system32\drivers\CsMini20.sys [03/18/03 04:55 PM 46248]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [09/15/09 11:42 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://madison.craigslist.org/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Registrar Registry Manager 6.02 - c:\program files\Registrar Registry Manager\unwise.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-08 06:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2956)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\program files\Logitech\iTouch\iTchHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-08 6:59
ComboFix-quarantined-files.txt 2009-10-08 11:59
ComboFix2.txt 2009-10-08 01:19

Pre-Run: 33,424,748,544 bytes free
Post-Run: 33,372,741,632 bytes free

221 --- E O F --- 2009-09-09 03:35




OTL logfile created on: 10/08/09 07:09:19 AM - Run 1
OTL by OldTimer - Version 3.0.18.4 Folder = C:\Documents and Settings\Preferred Customer\My Documents\My Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yy

2.00 Gb Total Physical Memory | 1.59 Gb Available Physical Memory | 79.47% Memory free
3.85 Gb Paging File | 3.64 Gb Available in Paging File | 94.48% Paging File free
Paging file location(s): F:\pagefile.sys 3070 3070 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.55 Gb Total Space | 31.09 Gb Free Space | 41.70% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STEINER
Current User Name: Preferred Customer
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2006/10/22 13:22:00 | 00,159,810 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2008/01/30 04:52:22 | 00,106,496 | ---- | M] (WDC) -- C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
PRC - [2004/03/18 10:33:26 | 00,892,928 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\iTouch\iTouch.exe
PRC - [2009/09/08 21:09:42 | 00,305,440 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2003/11/14 10:50:00 | 00,037,888 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\MouseWare\system\em_exec.exe
PRC - [2009/09/08 21:09:30 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/01/08 07:36:42 | 02,521,464 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2009/10/07 07:17:44 | 00,520,704 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Preferred Customer\My Documents\My Downloads\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/09/30 20:03:44 | 01,858,144 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe -- (a2free [On_Demand | Stopped])
SRV - [2008/06/24 19:16:49 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [On_Demand | Stopped])
SRV - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - File not found -- -- (Arrakis3 [On_Demand | Stopped])
SRV - [2008/07/25 12:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/07/25 12:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 22:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/04/04 01:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 20:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/09/08 21:09:30 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/10/06 19:05:44 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Stopped])
SRV - File not found -- -- (KodakCCS [On_Demand | Stopped])
SRV - File not found -- -- (LIVESRV [Auto | Stopped])
SRV - [2008/07/29 20:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2006/10/22 13:22:00 | 00,159,810 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2005/02/09 13:59:00 | 00,014,165 | ---- | M] (Pinnacle Systems GmbH) -- C:\WINDOWS\System32\drivers\pclepci.sys -- (PCLEPCI [Auto | Stopped])
SRV - [2004/02/06 22:32:43 | 00,045,056 | ---- | M] ( ) -- C:\WINDOWS\System32\slserv.exe -- (SLService [Auto | Stopped])
SRV - File not found -- -- (VSSERV [Auto | Stopped])
SRV - [2008/01/30 04:52:22 | 00,106,496 | ---- | M] (WDC) -- C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe -- (WDBtnMgrSvc.exe [Auto | Running])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2004/10/07 20:16:04 | 00,035,840 | ---- | M] (Oak Technology Inc.) -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K [System | Running])
DRV - File not found -- -- (catchme [On_Demand | Running])
DRV - [2003/10/04 12:59:38 | 00,022,656 | ---- | M] (Conexant) -- C:\WINDOWS\System32\DRIVERS\CnxTrLan.sys -- (CnxTrLan [On_Demand | Stopped])
DRV - [2003/10/04 12:59:38 | 00,046,720 | ---- | M] (Conexant) -- C:\WINDOWS\System32\DRIVERS\CnxTrUsb.sys -- (CnxTrUsb [On_Demand | Stopped])
DRV - [2003/03/18 16:55:04 | 00,046,248 | ---- | M] (Crescentec Corporation) -- C:\WINDOWS\System32\Drivers\CsMini20.sys -- (DCamUSB20 [On_Demand | Stopped])
DRV - [2005/01/27 03:22:00 | 00,088,016 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb [Boot | Running])
DRV - [2005/01/28 14:57:52 | 00,042,496 | ---- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\System32\DRIVERS\fetnd5bv.sys -- (FETND5BV [On_Demand | Running])
DRV - [2001/08/17 07:13:08 | 00,027,165 | ---- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\System32\DRIVERS\fetnd5.sys -- (FETNDIS [On_Demand | Stopped])
DRV - [2002/10/29 01:20:30 | 00,040,960 | R--- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\System32\DRIVERS\fetnd5b.sys -- (FETNDISB [On_Demand | Stopped])
DRV - [2009/05/18 14:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2004/03/10 14:42:24 | 00,012,953 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\DRIVERS\itchfltr.sys -- (itchfltr [On_Demand | Running])
DRV - [2003/11/07 04:50:00 | 00,051,486 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\DRIVERS\L8042pr2.Sys -- (L8042pr2 [On_Demand | Running])
DRV - [2003/11/07 04:50:00 | 00,070,798 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\DRIVERS\LMouFlt2.Sys -- (LMouFlt2 [On_Demand | Running])
DRV - [2007/01/04 11:07:00 | 00,171,520 | ---- | M] (Pinnacle Systems GmbH) -- C:\WINDOWS\System32\DRIVERS\MarvinBus.sys -- (MarvinBus [On_Demand | Running])
DRV - [2001/08/17 14:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
DRV - [2007/04/02 22:13:46 | 00,021,632 | ---- | M] (Motorola) -- C:\WINDOWS\System32\DRIVERS\motmodem.sys -- (motmodem [On_Demand | Stopped])
DRV - [2004/02/06 22:32:43 | 00,221,736 | ---- | M] ( ) -- C:\WINDOWS\System32\DRIVERS\Mtlmnt5.sys -- (Mtlmnt5 [On_Demand | Running])
DRV - [2004/02/06 22:32:43 | 01,301,704 | ---- | M] ( ) -- C:\WINDOWS\System32\DRIVERS\Mtlstrm.sys -- (Mtlstrm [On_Demand | Stopped])
DRV - [2004/02/06 22:32:43 | 00,167,352 | ---- | M] ( ) -- C:\WINDOWS\System32\DRIVERS\NtMtlFax.sys -- (NtMtlFax [On_Demand | Stopped])
DRV - [2006/10/22 13:22:00 | 03,994,624 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2009/09/28 17:29:29 | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\System32\Drivers\Pcouffin.sys -- (Pcouffin [On_Demand | Running])
DRV - [2003/03/21 13:34:08 | 00,009,856 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\System32\drivers\pfc.sys -- (pfc [On_Demand | Running])
DRV - [2004/08/04 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/02/22 21:38:33 | 00,043,872 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DRIVERS\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2004/08/03 23:41:40 | 00,013,776 | ---- | M] (Smart Link) -- C:\WINDOWS\System32\DRIVERS\RecAgent.sys -- (RecAgent [On_Demand | Stopped])
DRV - [2005/03/21 11:00:24 | 00,004,096 | ---- | M] (SuperAdBlocker.com) -- C:\WINDOWS\System32\sabprocenum.sys -- (SABProcEnum [On_Demand | Stopped])
DRV - [2009/09/15 11:42:46 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/09/15 11:42:48 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2009/09/15 11:42:44 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2004/02/06 22:32:43 | 00,548,888 | ---- | M] ( ) -- C:\WINDOWS\System32\DRIVERS\slntamr.sys -- (Slntamr [On_Demand | Running])
DRV - [2004/02/06 22:32:43 | 00,086,512 | ---- | M] ( ) -- C:\WINDOWS\System32\DRIVERS\Slnthal.sys -- (SlNtHal [On_Demand | Stopped])
DRV - [2004/02/06 22:32:43 | 00,039,348 | ---- | M] (Vireo Software) -- C:\WINDOWS\System32\DRIVERS\SlWdmSup.sys -- (SlWdmSup [On_Demand | Running])
DRV - [2008/01/29 20:18:28 | 00,023,600 | ---- | M] (EnTech Taiwan) -- C:\WINDOWS\System32\DRIVERS\TVICHW32.SYS -- (TVICHW32 [On_Demand | Stopped])
DRV - [2002/11/05 16:56:48 | 00,012,692 | ---- | M] () -- C:\WINDOWS\System32\Drivers\cresscan.sys -- (Usb20Scan [On_Demand | Stopped])
DRV - [2009/08/28 19:42:52 | 00,040,448 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2003/07/02 05:42:00 | 00,027,904 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys -- (viaagp1 [Boot | Running])
DRV - [2003/02/26 03:04:00 | 00,370,048 | R--- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\System32\drivers\viaudios.sys -- (VIAudio [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://madison.craigslist.org/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://start.mozilla...en-US:official"

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 07:00:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/10/06 19:05:47 | 00,000,000 | ---D | M]

[2009/09/03 20:32:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Preferred Customer\Application Data\mozilla\Extensions
[2009/09/03 20:32:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Preferred Customer\Application Data\mozilla\Extensions\[email protected]
[2005/03/20 22:59:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Preferred Customer\Application Data\mozilla\Firefox\Profiles\irsr6g82.default\extensions
[2005/03/20 22:59:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Preferred Customer\Application Data\mozilla\Firefox\Profiles\irsr6g82.default\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2006/12/16 16:21:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Preferred Customer\Application Data\mozilla\Firefox\Profiles\q4uw4s9l.default\extensions
[2006/10/10 19:31:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Preferred Customer\Application Data\mozilla\Firefox\Profiles\q4uw4s9l.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2005/03/20 21:08:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Preferred Customer\Application Data\mozilla\Firefox\Profiles\vbj0118a.default\extensions
[2005/03/20 21:08:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Preferred Customer\Application Data\mozilla\Firefox\Profiles\vbj0118a.default\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

O1 HOSTS File: (36 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (BitDefender Toolbar) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll File not found
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Logitech Utility] C:\WINDOWS\Logi_MwX.Exe (Logitech Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe (Logitech Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Keyboard Keys.lnk = C:\Program Files\Logitech\iTouch\bak\iTouch.exe (Logitech Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: WizmaxBackup_NoDriveTypeAutoRun = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: WizmaxBackup_NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &eBay Search - C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll File not found
O8 - Extra context menu item: &Yahoo! Search - C:\Program Files\Yahoo!\Common [2007/09/03 21:13:31 | 00,000,000 | ---D | M]
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Yahoo! &Dictionary - C:\Program Files\Yahoo!\Common [2007/09/03 21:13:31 | 00,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &Maps - C:\Program Files\Yahoo!\Common [2007/09/03 21:13:31 | 00,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &SMS - C:\Program Files\Yahoo!\Common [2007/09/03 21:13:31 | 00,000,000 | ---D | M]
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} http://h20270.www2.h...staller_gmn.cab (VerifyGMN Class)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} https://desktop.cuna...ents/wficat.cab (Citrix ICA Client)
O16 - DPF: {30439117-02CA-4FBA-ADAF-84C2D8E2004D} https://desktop.cuna.../spv3icachk.cab (v3 silent install)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo1.walgre...eensActivia.cab (Reg Error: Key error.)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.aka...vex-2.2.4.3.cab (Reg Error: Key error.)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace....ploader1005.cab (Reg Error: Key error.)
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} http://ipgweb.cce.hp...ads/sysinfo.cab (Reg Error: Key error.)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} http://tools.ebayimg...l_v1-0-3-36.cab (EPUImageControl Class)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase8300.cab (Windows Live Safety Center Base Module)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.nvidia.co.../sysreqlab2.cab (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1132377535594 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} http://web1.shutterf...ds/Uploader.cab (Reg Error: Key error.)
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} https://h17000.www1....loadManager.ocx (Get_ActiveX Control)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadbl...ivex/sabspx.cab (SABScanProcesses Class)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553572000} http://download.macr...ash/swflash.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} http://driveragent.c...driveragent.cab (Reg Error: Key error.)
O16 - DPF: {EB96A156-E8D0-4A7D-A7AC-B60DFE87A6C6} https://desktop.cuna...ogin/cmgvpn.cab (Reg Error: Key error.)
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} http://dlm.tools.aka...vex-2.2.3.4.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/01/26 15:20:56 | 00,000,095 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/09/12 18:48:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/10/04 21:08:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/09/29 06:30:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Preferred Customer\Application Data\MoveFab
[2009/10/04 21:07:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Preferred Customer\Application Data\SUPERAntiSpyware.com
[2009/10/06 18:27:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Preferred Customer\Local Settings\Application Data\Downloaded Installations
[2009/10/07 19:15:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Preferred Customer\Local Settings\Application Data\RegistryBackups
[2009/10/05 18:41:59 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/09/28 17:29:15 | 00,000,000 | ---D | C] -- C:\Program Files\DVDFab 6
[2009/10/06 22:34:27 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/10/04 18:15:08 | 00,000,000 | ---D | C] -- C:\Program Files\HijackThis
[2009/09/14 20:48:48 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/10/06 19:05:31 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/09/14 20:46:45 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/10/06 18:15:37 | 00,000,000 | ---D | C] -- C:\Program Files\Registrar Registry Manager
[2009/10/04 21:07:51 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/10/08 06:59:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/10/08 06:51:33 | 00,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eventlog.dll
[2009/10/08 06:51:33 | 00,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\eventlog.dll
[2009/10/07 20:04:40 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/10/07 20:04:40 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/10/07 20:04:40 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/10/07 20:04:40 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/10/07 17:07:37 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/10/07 17:07:30 | 00,000,000 | ---D | C] -- C:\UMahocker
[2009/10/07 16:54:38 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/10/06 19:06:36 | 00,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/10/06 19:06:36 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/10/06 19:06:36 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/10/06 19:06:36 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/10/06 19:06:36 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/10/06 18:15:42 | 00,031,928 | ---- | C] (Resplendence Software Projects Sp) -- C:\WINDOWS\System32\rrMon.sys
[2009/10/04 13:35:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Preferred Customer\Desktop\SmitfraudFix
[2009/09/14 20:48:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Preferred Customer\Desktop\iTunes
[2009/09/08 15:52:55 | 00,153,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\triedit.dll
[2008/06/06 07:18:26 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Preferred Customer\Application Data\pcouffin.sys
[2004/12/21 16:11:25 | 00,014,976 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\winddx.sys
[2004/02/06 22:32:43 | 01,301,704 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\mtlstrm.sys
[2004/02/06 22:32:43 | 00,548,888 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slntamr.sys
[2004/02/06 22:32:43 | 00,221,736 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\mtlmnt5.sys
[2004/02/06 22:32:43 | 00,167,352 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\ntmtlfax.sys
[2004/02/06 22:32:43 | 00,086,512 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slnthal.sys

========== Files - Modified Within 30 Days ==========

[2009/10/08 06:59:38 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/08 06:56:32 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/10/08 06:43:55 | 03,328,738 | R--- | M] () -- C:\Documents and Settings\Preferred Customer\Desktop\UMahocker.exe
[2009/10/08 06:22:10 | 00,577,388 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/10/08 06:22:10 | 00,478,454 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/10/08 06:22:10 | 00,087,996 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/10/08 06:18:36 | 00,000,065 | ---- | M] () -- C:\WINDOWS\iTouch.ini
[2009/10/08 06:18:28 | 00,088,230 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/10/08 06:18:19 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/10/08 06:17:40 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/07 22:27:34 | 00,027,648 | ---- | M] () -- C:\Documents and Settings\Preferred Customer\My Documents\English 10-07-2009.doc
[2009/10/07 17:12:23 | 00,000,607 | ---- | M] () -- C:\WINDOWS\Uninstall Manager.INI
[2009/10/06 22:39:17 | 00,081,984 | ---- | M] () -- C:\WINDOWS\System32\bdod.bin
[2009/10/06 22:34:34 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Preferred Customer\Desktop\NTREGOPT.lnk
[2009/10/06 22:34:33 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Preferred Customer\Desktop\ERUNT.lnk
[2009/10/06 19:05:43 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/10/06 19:05:43 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/10/06 19:05:43 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/10/06 19:05:43 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/10/06 19:05:42 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/10/05 22:31:27 | 00,000,815 | ---- | M] () -- C:\rtsr_eml_sr.dat
[2009/10/05 22:31:27 | 00,000,141 | ---- | M] () -- C:\dwl.dat
[2009/10/05 22:31:27 | 00,000,132 | ---- | M] () -- C:\httpdwl.dat
[2009/10/05 22:30:56 | 00,000,623 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/10/05 22:30:56 | 00,000,282 | RHS- | M] () -- C:\boot.ini
[2009/10/05 22:15:49 | 00,000,016 | ---- | M] () -- C:\asdict.dat
[2009/10/05 22:09:06 | 00,000,121 | ---- | M] () -- C:\WINDOWS\bdagent.INI
[2009/10/04 21:07:57 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/10/04 18:19:37 | 00,000,036 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/10/04 13:46:33 | 00,000,375 | ---- | M] () -- C:\WINDOWS\System32\BDUpdateV1.xml
[2009/10/03 14:11:05 | 00,000,349 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\PCLECHAL.INI
[2009/10/03 14:11:05 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/10/01 17:14:37 | 00,000,158 | ---- | M] () -- C:\WINDOWS\System32\tempie.html
[2009/10/01 07:33:53 | 00,000,385 | ---- | M] () -- C:\WINDOWS\System32\user_gensett.xml
[2009/10/01 05:11:11 | 00,000,101 | ---- | M] () -- C:\WINDOWS\System32\wwp.htm
[2009/09/30 21:48:39 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\Preferred Customer\Desktop\CCleaner.lnk
[2009/09/29 06:34:10 | 00,055,296 | ---- | M] () -- C:\Documents and Settings\Preferred Customer\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/28 17:29:29 | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\System32\drivers\pcouffin.sys
[2009/09/28 17:29:29 | 00,047,360 | ---- | M] (VSO Software) -- C:\Documents and Settings\Preferred Customer\Application Data\pcouffin.sys
[2009/09/28 17:29:29 | 00,007,887 | ---- | M] () -- C:\Documents and Settings\Preferred Customer\Application Data\pcouffin.cat
[2009/09/28 17:29:29 | 00,001,144 | ---- | M] () -- C:\Documents and Settings\Preferred Customer\Application Data\pcouffin.inf
[2009/09/26 12:23:04 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/09/14 02:12:36 | 00,229,888 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/09/08 22:03:50 | 00,096,256 | ---- | M] () -- C:\Documents and Settings\Preferred Customer\My Documents\DVD Cover.doc

========== Files - No Company Name ==========
[2009/10/07 21:13:27 | 00,027,648 | ---- | C] () -- C:\Documents and Settings\Preferred Customer\My Documents\English 10-07-2009.doc
[2009/10/07 20:04:40 | 00,229,888 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/10/07 20:04:40 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/10/07 20:04:40 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/10/07 20:04:40 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/10/07 16:53:39 | 03,328,738 | R--- | C] () -- C:\Documents and Settings\Preferred Customer\Desktop\UMahocker.exe
[2009/10/06 22:34:34 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Preferred Customer\Desktop\NTREGOPT.lnk
[2009/10/06 22:34:33 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Preferred Customer\Desktop\ERUNT.lnk
[2009/10/06 18:15:37 | 00,120,376 | ---- | C] () -- C:\WINDOWS\System32\rrsec.dll
[2009/10/06 18:15:37 | 00,097,888 | ---- | C] () -- C:\WINDOWS\System32\rrsec2k.exe
[2009/10/05 22:31:27 | 00,000,815 | ---- | C] () -- C:\rtsr_eml_sr.dat
[2009/10/05 22:31:27 | 00,000,141 | ---- | C] () -- C:\dwl.dat
[2009/10/05 22:15:49 | 00,000,016 | ---- | C] () -- C:\asdict.dat
[2009/10/04 21:07:57 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/10/01 16:55:22 | 00,000,158 | ---- | C] () -- C:\WINDOWS\System32\tempie.html
[2009/10/01 05:11:11 | 00,000,101 | ---- | C] () -- C:\WINDOWS\System32\wwp.htm
[2009/09/30 21:48:34 | 00,001,548 | ---- | C] () -- C:\Documents and Settings\Preferred Customer\Desktop\CCleaner.lnk
[2009/04/14 21:29:49 | 00,000,075 | ---- | C] () -- C:\WINDOWS\TaxACT08.ini
[2009/03/08 19:05:37 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[2009/02/12 16:21:36 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\123478687123.dat
[2009/01/01 01:39:14 | 00,000,121 | ---- | C] () -- C:\WINDOWS\bdagent.INI
[2008/10/09 15:31:54 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\txmlutil.dll
[2008/06/06 07:18:27 | 00,000,034 | ---- | C] () -- C:\Documents and Settings\Preferred Customer\Application Data\pcouffin.log
[2008/06/06 07:18:26 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\Preferred Customer\Application Data\pcouffin.cat
[2008/06/06 07:18:26 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\Preferred Customer\Application Data\pcouffin.inf
[2008/04/20 14:45:32 | 00,000,026 | ---- | C] () -- C:\WINDOWS\startUp manager.INI
[2008/01/26 18:35:19 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\DVResampleru.dll
[2008/01/26 16:57:26 | 00,000,024 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\__FileUploader.log
[2008/01/26 16:42:46 | 00,000,017 | ---- | C] () -- C:\WINDOWS\MovingPicture.ini
[2008/01/26 15:20:55 | 00,196,096 | ---- | C] () -- C:\WINDOWS\System32\macd32.dll
[2008/01/26 15:20:55 | 00,138,752 | ---- | C] () -- C:\WINDOWS\System32\mase32.dll
[2008/01/26 15:20:55 | 00,136,192 | ---- | C] () -- C:\WINDOWS\System32\mamc32.dll
[2008/01/26 15:20:55 | 00,057,856 | ---- | C] () -- C:\WINDOWS\System32\masd32.dll
[2008/01/26 15:20:55 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\ma32.dll
[2008/01/25 08:29:23 | 00,000,607 | ---- | C] () -- C:\WINDOWS\Uninstall Manager.INI
[2007/01/14 22:50:48 | 00,003,350 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2007/01/06 11:48:39 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2007/01/06 11:48:33 | 00,000,026 | ---- | C] () -- C:\WINDOWS\dhp.ini
[2007/01/06 09:08:19 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/01/02 19:48:23 | 00,000,067 | ---- | C] () -- C:\Documents and Settings\Preferred Customer\Application Data\nero_photoshow_express_4_us_row[1].txt
[2006/12/14 23:48:09 | 00,955,203 | ---- | C] () -- C:\WINDOWS\I2E.ini
[2006/10/22 13:22:00 | 00,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/05/28 09:03:11 | 00,000,269 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2005/12/26 22:20:59 | 00,001,751 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/12/25 11:44:23 | 00,000,223 | ---- | C] () -- C:\WINDOWS\HP PrecisionScan Pro.INI
[2005/12/23 19:56:28 | 00,249,856 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylistSamsung.dll
[2005/12/10 16:31:20 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/12/07 23:15:14 | 00,000,074 | ---- | C] () -- C:\WINDOWS\ImportClient.INI
[2005/11/21 18:17:54 | 00,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7D.DLL
[2005/09/15 21:38:03 | 00,055,296 | ---- | C] () -- C:\Documents and Settings\Preferred Customer\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/07/28 10:52:12 | 00,001,387 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/06/15 17:20:00 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005/06/15 17:20:00 | 01,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2005/06/15 17:20:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005/06/15 17:20:00 | 00,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/06/15 17:20:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/06/15 17:20:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2005/06/06 14:49:52 | 00,000,024 | ---- | C] () -- C:\WINDOWS\qfnonl.ini
[2005/06/06 12:56:17 | 00,000,647 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2005/06/06 12:56:13 | 00,000,185 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2005/03/14 21:58:05 | 00,089,616 | ---- | C] () -- C:\Documents and Settings\Preferred Customer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2005/03/09 13:36:22 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\rndcbridge.dll
[2005/02/25 22:54:18 | 00,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2005/01/23 12:44:33 | 00,089,616 | ---- | C] () -- C:\Documents and Settings\Preferred Customer\Application Data\GDIPFONTCACHEV1.DAT
[2005/01/09 11:49:13 | 00,000,028 | ---- | C] () -- C:\WINDOWS\DVDFabGold.INI
[2005/01/09 09:49:50 | 00,000,589 | ---- | C] () -- C:\WINDOWS\webica.ini
[2005/01/08 10:40:54 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2004/12/28 10:12:56 | 00,000,065 | ---- | C] () -- C:\WINDOWS\iTouch.ini
[2004/12/25 20:03:44 | 00,000,142 | ---- | C] () -- C:\WINDOWS\PhotoFantasy.ini
[2004/12/25 20:02:19 | 00,000,765 | ---- | C] () -- C:\WINDOWS\efscan.ini
[2004/12/25 20:02:19 | 00,000,075 | ---- | C] () -- C:\WINDOWS\efaxview.ini
[2004/12/25 20:01:37 | 00,335,872 | ---- | C] () -- C:\WINDOWS\System32\ldf252.dll
[2004/12/25 20:01:02 | 00,001,129 | ---- | C] () -- C:\WINDOWS\PhotoImpression.ini
[2004/12/21 16:11:25 | 00,475,136 | ---- | C] () -- C:\WINDOWS\System32\SLLights.dll
[2004/12/21 16:11:25 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\amr_cpl.dll
[2004/12/21 16:11:25 | 00,135,168 | ---- | C] () -- C:\WINDOWS\System32\SLMOHServ.dll
[2004/12/21 15:52:08 | 00,000,737 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/12/21 14:46:34 | 00,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2004/12/21 14:33:58 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\UnAudioNT.dll
[2004/12/21 14:26:49 | 02,640,454 | -H-- | C] () -- C:\Documents and Settings\Preferred Customer\Local Settings\Application Data\IconCache.db
[2004/12/21 13:56:45 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Preferred Customer\Application Data\desktop.ini
[2004/11/30 04:10:00 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\besched.dll
[2004/09/17 18:37:42 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2004/08/04 07:00:00 | 00,000,623 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 07:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/02/06 22:32:43 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\slextspk.dll
[2004/02/06 22:32:43 | 00,163,840 | ---- | C] () -- C:\WINDOWS\System32\SLGen.dll
[2004/02/06 22:32:43 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\coinst.dll
[2003/10/02 01:00:00 | 00,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll
[2003/10/02 01:00:00 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll
[2002/12/18 22:48:40 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\cresvfw.dll
[2002/11/22 12:50:06 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\hpodinet.dll
[2002/11/05 17:56:48 | 00,099,672 | ---- | C] () -- C:\WINDOWS\dibapi32.dll
[2002/11/05 16:56:48 | 00,036,352 | ---- | C] () -- C:\WINDOWS\System32\preview.dll
[2002/11/05 16:56:48 | 00,012,692 | ---- | C] () -- C:\WINDOWS\System32\drivers\cresscan.sys
[2001/12/31 19:41:42 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2000/04/14 17:50:02 | 00,343,040 | ---- | C] () -- C:\WINDOWS\System32\Lffpx7.dll
[1998/06/11 14:08:06 | 00,095,232 | ---- | C] () -- C:\WINDOWS\System32\Lfkodak.dll
[1996/11/17 01:00:00 | 00,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1996/11/17 01:00:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
< End of report >

OTL Extras logfile created on: 10/08/09 07:09:19 AM - Run 1
OTL by OldTimer - Version 3.0.18.4 Folder = C:\Documents and Settings\Preferred Customer\My Documents\My Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yy

2.00 Gb Total Physical Memory | 1.59 Gb Available Physical Memory | 79.47% Memory free
3.85 Gb Paging File | 3.64 Gb Available in Paging File | 94.48% Paging File free
Paging file location(s): F:\pagefile.sys 3070 3070 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.55 Gb Total Space | 31.09 Gb Free Space | 41.70% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STEINER
Current User Name: Preferred Customer
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- Reg Error: Key error. File not found
.cmd [@ = cmdfile] -- Reg Error: Key error. File not found
.com [@ = ComFile] -- Reg Error: Key error. File not found
.exe [@ = exefile] -- Reg Error: Key error. File not found
.hta [@ = htafile] -- Reg Error: Key error. File not found
.url [@ = InternetShortcut] -- Reg Error: Key error. File not found
.vbs [@ = VBSFile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [ACDBrowse] -- "C:\PROGRA~1\ACDSYS~1\ACDSee\ACDSee.exe" "%1" (ACD Systems, Ltd.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\MSN Messenger\msnmsgr.exe" = C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 -- File not found
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger -- (Microsoft Corporation)
"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console -- (Microsoft Corporation)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Pinnacle\Studio 11\programs\RM.exe" = C:\Program Files\Pinnacle\Studio 11\programs\RM.exe:*:Enabled:Render Manager -- (Pinnacle Systems)
"C:\Program Files\Pinnacle\Studio 11\programs\Studio.exe" = C:\Program Files\Pinnacle\Studio 11\programs\Studio.exe:*:Enabled:Studio -- (Pinnacle Systems)
"C:\Program Files\Pinnacle\Studio 11\programs\PMSRegisterFile.exe" = C:\Program Files\Pinnacle\Studio 11\programs\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile -- ( )
"C:\Program Files\Pinnacle\Studio 11\programs\umi.exe" = C:\Program Files\Pinnacle\Studio 11\programs\umi.exe:*:Enabled:umi -- (Pinnacle Systems)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{036AA4D4-6D32-11D4-9875-00105ACE7734}" = Logitech iTouch Software
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{07295ABF-1245-415A-BE06-863271753443}" = ShowBiz
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{0D396571-7BBD-44CE-ABB3-518BF86B72F7}" = HP Photo and Imaging 1.0 - HP Photosmart Printer Series
"{110B1ADF-2EAE-4E8F-B501-D2A1E6D8ED9D}" = Studio 11
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{1A22C818-D44D-4691-BF27-8884CB5B44B1}" = AVerDVD EZMaker USB 2.0 Driver
"{1DAB6BE8-4B4F-4C08-AC96-4008057E3424}" = Samsung Media Studio
"{20ED157B-1A84-4DF7-945E-4951A38A9CBA}" = iPod Reset Utility
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16
"{2F952048-3220-4AC7-A206-D01EFC774BB2}" = Studio 11
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{369B36BE-3D64-4641-9AEA-808D436FE132}" = Microsoft Picture It! Photo 7.0
"{3F695596-85E6-4224-BC70-538F9036797A}" = MovieShop
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{45A1BF92-700A-4408-B95E-79F462E3D67D}" = Studio 11 Bonus DVD
"{49672EC2-171B-47B4-8CE7-50D7806360D7}" = Windows Live Sign-in Assistant
"{51B833D8-66B0-4E72-92B9-4E4977EF37F2}" = WD Drive Manager (x86)
"{5744C55E-8FC2-41ED-A91B-65F95732524C}" = BitDefender Antivirus 2009
"{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.79
"{5E835305-63BB-4E55-BBB7-EEBBE67774DB}" = MyDVD
"{634F6989-4BB5-4EF2-AF6F-C15700F81494}}_is1" = Advanced System Optimizer
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{637099FB-45FD-4BC7-9651-6FB540DBB749}" = Roxio Backup MyPC Deluxe
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6B36DEBF-27D0-4B1E-858D-D397091C6C7D}" = HP Precisionscan Pro 3.1
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{8338BA06-E527-491B-9400-F51708FEE695}" = iPod for Windows 2005-11-17
"{86D28491-78AB-445C-A507-6F3FA81D7611}" = Canon iP6600D Memory Card Utility
"{8709C596-C0B4-415D-9281-AC846B39EA76}" = BIAS SoundSoap PE 2.1.1
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD144C1-5EAD-4D55-80A1-ACAF893A4FFE}" = PrintMaster
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{BBBC2B89-E193-4348-A83C-C8DD8210A4AC}" = Canon PhotoRecord
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC874CBB-BD87-4126-9465-AE73BB62D6E0}" = Studio Ultimate
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1AD7439-FBCA-4345-A780-2A5617EBA9DE}" = neoDVDstandard4
"{D666E437-158C-43D0-AC69-F67F6C5EC2B8}" = Trellix Web Express Site Building
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E56D39F8-2A9F-44B4-B068-A72E45A073E6}" = Safari
"{E9459BCF-0982-498B-ABA7-26C34323493F}" = Citrix Presentation Server Client - Web Only
"{EC2A8F27-4FBF-4E41-B27B-FE822511B761}" = iTunes
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{EF781A5C-58F5-4BFD-87F9-E4F14D382F25}" = Pinnacle Instant DVD Recorder
"{F9AEEC34-CF00-4CBD-9E36-DF9DC4002685}" = Yahoo! Desktop Login
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"AC3Filter" = AC3Filter (remove only)
"ACDSee" = ACDSee
"Adobe Acrobat 5.0" = Adobe Acrobat 4.0, 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"a-squared Free_is1" = a-squared Free 4.0
"Audacity_is1" = Audacity 1.2.6
"CANONBJ_Deinstall_CNMCP7D.DLL" = Canon iP6600D
"CCleaner" = CCleaner (remove only)
"Citrix ICA Web Client" = MetaFrame Presentation Server Web Client for Win32
"Citrix Web Client" = Citrix Web Client
"DAO 3.5" = DAO 3.5
"DECCHECK" = Microsoft Windows XP Video Decoder Checkup Utility
"DVD Shrink_is1" = DVD Shrink 3.1.7
"DVDFab 6_is1" = DVDFab 6.0.7.0 (18/09/2009)
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-WebPrint" = Easy-WebPrint
"ERUNT_is1" = ERUNT 1.1j
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Indeo® software" = Indeo® software
"InstallShield_{1A22C818-D44D-4691-BF27-8884CB5B44B1}" = AVerDVD EZMaker USB 2.0 Driver
"InstallShield_{8338BA06-E527-491B-9400-F51708FEE695}" = iPod for Windows 2005-11-17
"InstallShield_{D1AD7439-FBCA-4345-A780-2A5617EBA9DE}" = neoDVDstandard
"LimeWire" = LimeWire 5.2.13
"Logitech Resource Center" = Logitech Resource Center
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero OEM
"Nero PhotoShow Express 4" = Nero PhotoShow Express 4
"NeroVision!UninstallKey" = Nero Digital
"Network Play System" = EA Network Play System
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PENTAX Digital Camera Utility" = PENTAX Digital Camera Utility
"Photo Finale_is1" = Photo Finale 4
"Registrar Registry Manager 6.02 (Lite Edition)" = Registrar Registry Manager 6.02 (Lite Edition)
"Registrar_is1" = Registrar Registry Manager 6.02
"Simplify Printing Client v3" = Simplify Printing Client v3
"SLAMRNTV" = Smart Link 56K Voice Modem
"SPv3 ICA Only Web Push (nstl chk)" = SPv3 ICA Only Web Push (nstl chk)
"SystemRequirementsLab" = System Requirements Lab
"TaxACT 2008" = TaxACT 2008
"TaxACT 2008 Wisconsin" = TaxACT 2008 Wisconsin
"VIA Audio Driver Setup Program" = VIA Audio Driver Setup Program
"VLC media player" = VideoLAN VLC media player 0.8.6a
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WebPost" = Microsoft Web Publishing Wizard 1.52
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Customizations" = Yahoo! extras
"Yahoo! Internet Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >
  • 0

#12
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts

I don't have any antivirus protection on my computer at this time. I uninstalled it so it wouldn't interfere with these reports.

That's the minimum of what you should have.

Please install one, update it, and scan your computer.

One AV is a must-have! But never more than one, as this can and will cause conflicts and false readings. I have listed three free AVs below which are as good as any paid subscription AV, as long as you allow them to update themselves.

Anti Virus Programs

Let me know which one you installed.

Please also scan a file

  • Using Internet Explorer please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:

    • c:\windows\system32\drivers\tcpip.sys
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.



Meanwhile I'll look through your logs.

Edited by heir, 08 October 2009 - 07:19 AM.
added filescan

  • 0

#13
Mahocker

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thank you for the AV suggestions. I will install avast! as my AV.

I ran the scan you requested. A window appeared that asked "The file are tcpip.sys uploaded by other users and scanned successfully at 2009/05/13 01:00:16, and 38 softwares update the database from last scan to now." My choices were to RESCAN or SCAN RESULTS so I clicked on SCAN RESULTS and copied the following from the clipboard:

VirSCAN.org Scanned Report :
Scanned time : 2009/06/04 23:31:50 (CDT)
Scanner results: 79% Scanner(30/38) found malware!
File Name : 1.html
File Size : 4037 byte
File Type : Sendmail frozen configuration - version body bgcolor=
MD5 : 4a2514195555a43458b4e087d29124be
SHA1 : e96f20c01c95b12a6cf9992b1e16deaac5ca025c
Online report : http://virscan.org/r...5aa9dfd4d2.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090604013225 2009-06-04 2.05 Virus.Win32.Killmbr.D!IK
AhnLab V3 2009.06.05.00 2009.06.05 2009-06-05 0.74 Win-Trojan/Dialer.712704.B
AntiVir 8.2.0.180 7.1.4.59 2009-06-04 0.55 KIT/GhostDial.1
Antiy 2.0.18 20090604.2498051 2009-06-04 0.15 Trojan/Win32.Dialer.gvg
Arcavir 2009 200906041608 2009-06-04 0.39 Dialer.Bib
Authentium 5.1.1 200906041652 2009-06-04 1.18 W32/Trojan2.DOJN (Exact)
AVAST! 4.7.4 090604-0 2009-06-04 0.05 Win32:Dialer-1314 [Trj]
AVG 8.5.286 270.12.53/2155 2009-06-05 0.37 Dialer.KNV
BitDefender 7.81008.3335505 7.25811 2009-06-05 0.75 Trojan.Generic.1004008
CA (VET) 9.0.0.143 31.6.6539 2009-06-05 9.17 -
ClamAV 0.95.1 9421 2009-06-05 0.18 Dialer-3765
Comodo 3.9 1259 2009-06-04 0.74 ApplicUnwnt.Win32.PornTool.Agent.fi
CP Secure 1.1.0.715 2009.06.03 2009-06-03 9.97 -
Dr.Web 4.44.0.9170 2009.06.05 2009-06-05 4.85 BackDoor.Pigeon.12989
F-Prot 4.4.4.56 20090604 2009-06-04 1.15 W32/Trojan2.DOJN (exact)
F-Secure 5.51.6100 2009.06.05.03 2009-06-05 5.79 -
Fortinet 2.81-3.117 10.466 2009-06-04 0.35 Suspicious
GData 19.5615/19.353 20090605 2009-06-05 4.39 Win32:Dialer-1313 [Trj] [Engine:B]
ViRobot 20090604 2009.06.04 2009-06-04 0.42 -
Ikarus T3.1.01.57 2009.06.03.72814 2009-06-03 3.11 Virus.Win32.Killmbr.D
JiangMin 11.0.706 2009.06.03 2009-06-03 2.07 Trojan/Dialer.gnc
Kaspersky 5.5.10 2009.06.05 2009-06-05 0.08 not-a-virus:Porn-Dialer.Win32.Agent.fi
KingSoft 2009.2.5.15 2009.6.4.21 2009-06-04 0.51 Win32.Hack.ReSSDT.c.716800
McAfee 5.3.00 5636 2009-06-04 2.97 BackDoor-DSQ
Microsoft 1.4701 2009.06.04 2009-06-04 4.29 Backdoor:Win32/Farfli.J
mks_vir 2.01 2009.06.05 2009-06-05 3.35 -
Norman 6.01.05 6.01.00 2009-06-02 4.01 W32/Dialer.DHRP
Panda 9.05.01 2009.06.04 2009-06-04 1.86 -
Trend Micro 8.700-1004 6.170.08 2009-06-04 0.06 TROJ_DIAL.RHB
Quick Heal 10.00 2009.06.05 2009-06-05 1.37 -
Rising 20.0 21.32.34.00 2009-06-04 0.99 Backdoor.Win32.Drwolf.axh
Sophos 2.87.1 4.42 2009-06-05 2.44 Mal/Whybo-A
Sunbelt 5170 5170 2009-06-04 0.94 Porn-Dialer.Win32.Agent.fi
Symantec 1.3.0.24 20090604.002 2009-06-04 0.06 -
nProtect 20090604.01 4070376 2009-06-04 5.23 Trojan/W32.Dialer.712704
The Hacker 6.3.4.3 v00340 2009-06-04 0.63 Trojan/Dialer.Agent.fi
VBA32 3.12.10.6 20090604.1412 2009-06-04 1.96 Porn-Dialer.Win32.Agent.fi
VirusBuster 4.5.11.10 10.107.2/1575686 2009-06-04 1.90 Dialer.Agent.IFEU
  • 0

#14
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts

File Name : 1.html

That was for a different file.

Do it again and choose Rescan this time.
  • 0

#15
Mahocker

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Sorry for the delay in responding; I just got home from work. Below is the file:

VirSCAN.org Scanned Report :
Scanned time : 2009/10/08 17:29:14 (CDT)
Scanner results: All Scanners reported not find malware!
File Name : tcpip.sys
File Size : 361600 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 9425b72f40257b45d45d24773273dad0
SHA1 : 0668a9335026b7c84073bbef8ee2b9d19e80d335
Online report : http://virscan.org/r...f05778cf65.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091008223330 2009-10-08 4.11 -
AhnLab V3 2009.10.09.00 2009.10.09 2009-10-09 0.86 -
AntiVir 8.2.1.35 7.1.6.90 2009-10-08 0.30 -
Antiy 2.0.18 20091008.2980424 2009-10-08 0.28 -
Arcavir 2009 200910071802 2009-10-07 0.29 -
Authentium 5.1.1 200910081746 2009-10-08 2.37 -
AVAST! 4.7.4 091008-0 2009-10-08 0.24 -
AVG 8.5.288 270.14.8/2423 2009-10-09 0.68 -
BitDefender 7.81008.4325018 7.28175 2009-10-09 3.85 -
CA (VET) 9.0.0.143 35.1.7057 2009-10-09 3.51 -
ClamAV 0.95.2 9874 2009-10-08 0.10 -
Comodo 3.12 2539 2009-10-08 0.75 -
CP Secure 1.3.0.5 2009.10.09 2009-10-09 0.09 -
Dr.Web 4.44.0.9170 2009.10.08 2009-10-08 6.24 -
F-Prot 4.4.4.56 20091008 2009-10-08 2.25 -
F-Secure 7.02.73807 2009.10.08.11 2009-10-08 0.11 -
Fortinet 2.81-3.120 10.919 2009-10-08 0.23 -
GData 19.8296/19.504 20091008 2009-10-08 4.46 -
ViRobot 20091008 2009.10.08 2009-10-08 0.42 -
Ikarus T3.1.01.72 2009.10.08.74009 2009-10-08 4.15 -
JiangMin 11.0.800 2009.10.08 2009-10-08 5.50 -
Kaspersky 5.5.10 2009.10.08 2009-10-08 0.08 -
KingSoft 2009.2.5.15 2009.10.8.18 2009-10-08 0.57 -
McAfee 5.3.00 5765 2009-10-08 3.67 -
Microsoft 1.5101 2009.10.08 2009-10-08 5.68 -
Norman 6.01.09 6.01.00 2009-10-08 2.01 -
Panda 9.05.01 2009.10.08 2009-10-08 2.30 -
Trend Micro 8.700-1004 6.519.00 2009-10-07 0.04 -
Quick Heal 10.00 2009.10.08 2009-10-08 1.32 -
Rising 20.0 21.49.22.00 2009-09-30 0.82 -
Sophos 2.90.1 4.45 2009-10-09 3.67 -
Sunbelt 5437 5437 2009-10-08 1.78 -
Symantec 1.3.0.24 20091008.003 2009-10-08 0.16 -
nProtect 20091008.02 5754855 2009-10-08 7.72 -
The Hacker 6.5.0.2 v00033 2009-10-07 0.76 -
VBA32 3.12.10.11 20091007.1940 2009-10-07 2.88 -
VirusBuster 4.5.11.10 10.112.62/2570460 2009-10-08 2.65 -
  • 0





