TDLCMD.DLL problem


mergatroid

Thread Starter
Joined
Apr 15, 2010
Messages
22
My son's computer is infected with malware. Avira AntiVir identifies tdlcmd.dll in C:\windows\system32\, which keeps coming back.

I have seen other posts related to this problem, but unless things have changed, it appears the solution must be tailored to each individual computer.

I would be grateful for help in removing this.
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
Please do the following:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT


Download GMER Rootkit Scanner from here: http://www.gmer.net/download.php and save it to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.



  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
 

mergatroid

Thread Starter
Joined
Apr 15, 2010
Messages
22
Using the links above, I have downloaded both dds.com and dds.scr to the desktop. Clicking on either causes a command window to flash by and close again, and that's all -- no further messages, and no log files. Vista is the OS.
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
Please run this program instead:


Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your next reply.
 

mergatroid

Thread Starter
Joined
Apr 15, 2010
Messages
22
Thank you. Here are the results:

OTL.txt

OTL logfile created on: 16/04/2010 1:42:50 AM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Users\Erik\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 50.00% Memory free
4.00 Gb Paging File | 2.00 Gb Available in Paging File | 64.00% Paging File free
Paging file location(s): c:\pagefile.sys 900 1800 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 220.95 Gb Total Space | 72.39 Gb Free Space | 32.76% Space Free | Partition Type: NTFS
Drive D: | 11.93 Gb Total Space | 1.86 Gb Free Space | 15.58% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ERIK-PC
Current User Name: Erik
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Users\Erik\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
PRC - C:\Users\Erik\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\conime.exe (Microsoft Corporation)
PRC - C:\Windows\System32\audiodg.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\Erik\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (Vongo Service) -- C:\Program Files\Vongo\VongoService.exe (Starz Entertainment Group LLC)
SRV - (Com4Qlb) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe (Hewlett-Packard Development Company, L.P.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Search
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://internetsearchservice.com/search?q={searchTerms}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
IE - HKLM\Software\Microsoft\Internet Explorer\SearchURL\w, = http://internetsearchservice.com/search?q=%s
IE - HKLM\..\URLSearchHook: {edf6ed5f-bec3-4387-bbcc-b1f01c403b9b} - C:\Program Files\ONLYUSEmeBLADE\tbONLY.dll (Conduit Ltd.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://internetsearchservice.com/search?q={searchTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://flvdirect.iamwired.net/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
IE - HKCU\..\URLSearchHook: {edf6ed5f-bec3-4387-bbcc-b1f01c403b9b} - C:\Program Files\ONLYUSEmeBLADE\tbONLY.dll (Conduit Ltd.)
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Search"
FF - prefs.js..browser.search.defaulturl: "http://flvdirect.iamwired.net/websearch.php?src=tops&search="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: {14294f1e-e2e4-6f57-9bd7-0bbc5e003e02}:4.6.6.4
FF - prefs.js..extensions.enabledItems: {9c51bd27-6ed8-4000-a2bf-36cb95c0c947}:10.1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.5.2.20080717
FF - prefs.js..extensions.enabledItems: [email protected]:1.03.01
FF - prefs.js..keyword.URL: "http://flvdirect.iamwired.net/websearch.php?src=tops&search="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"


FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/04/15 17:40:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/14 22:15:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/14 22:15:52 | 000,000,000 | ---D | M]

[2009/05/22 17:50:34 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Mozilla\Extensions
[2009/05/22 17:50:34 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Mozilla\Extensions\[email protected]
[2010/04/15 19:03:52 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Mozilla\Firefox\Profiles\gxdqtm07.default\extensions
[2009/09/09 19:53:16 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Erik\AppData\Roaming\Mozilla\Firefox\Profiles\gxdqtm07.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/12/03 09:13:34 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Erik\AppData\Roaming\Mozilla\Firefox\Profiles\gxdqtm07.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2008/12/30 16:13:28 | 000,000,000 | ---D | M] (Tamper Data) -- C:\Users\Erik\AppData\Roaming\Mozilla\Firefox\Profiles\gxdqtm07.default\extensions\{9c51bd27-6ed8-4000-a2bf-36cb95c0c947}
[2009/03/19 12:00:33 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Mozilla\Firefox\Profiles\gxdqtm07.default\extensions\[email protected]
[2008/06/21 20:38:05 | 000,000,271 | ---- | M] () -- C:\Users\Erik\AppData\Roaming\Mozilla\Firefox\Profiles\gxdqtm07.default\searchplugins\search.xml
[2010/04/15 19:03:52 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/02/27 16:34:38 | 000,000,000 | ---D | M] (LoudMo Contextual Ad Assistant) -- C:\Program Files\Mozilla Firefox\extensions\{14294f1e-e2e4-6f57-9bd7-0bbc5e003e02}
[2008/06/21 20:37:40 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\[email protected]
[2008/09/12 21:46:58 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\[email protected]
[2008/09/03 20:11:24 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
[2008/05/26 18:51:43 | 000,024,684 | ---- | M] (MyWebSearch.com) -- C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
[2007/03/09 19:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll
[2010/04/14 22:15:58 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/04/14 22:15:58 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml.moz-backup
[2010/04/14 22:15:58 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/04/14 22:15:58 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml.moz-backup
[2010/04/14 22:15:58 | 000,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/04/14 22:15:58 | 000,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml.moz-backup
[2010/04/14 22:15:58 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml
[2010/04/14 22:15:58 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml.moz-backup

O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (ONLYUSEmeBLADE Toolbar) - {edf6ed5f-bec3-4387-bbcc-b1f01c403b9b} - C:\Program Files\ONLYUSEmeBLADE\tbONLY.dll (Conduit Ltd.)
O2 - BHO: (Ask Toolbar BHO) - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (Ask.com)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKLM\..\Toolbar: (ONLYUSEmeBLADE Toolbar) - {edf6ed5f-bec3-4387-bbcc-b1f01c403b9b} - C:\Program Files\ONLYUSEmeBLADE\tbONLY.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (ONLYUSEmeBLADE Toolbar) - {EDF6ED5F-BEC3-4387-BBCC-B1F01C403B9B} - C:\Program Files\ONLYUSEmeBLADE\tbONLY.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {F4D76F09-7896-458A-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (Ask.com)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: //@[email protected]/ ([]msni in Computer)
O15 - HKCU\..Trusted Domains: //@[email protected]/ ([]msni in Local intranet)
O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 192.168.2.1 192.168.1.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\MCPClient: DllName - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll - C:\Program Files\Common Files\Stardock\MCPStub.dll (Stardock)
O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - C:\Program Files\Common Files\Stardock\MCPCore.dll (Stardock)
O24 - Desktop WallPaper: C:\Users\Erik\Pictures\cat-adoption-team.jpg
O24 - Desktop BackupWallPaper: C:\Users\Erik\Pictures\cat-adoption-team.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/02 05:06:03 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 11:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/12/02 17:44:01 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 14 Days ==========

[2010/04/16 00:44:10 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Users\Erik\Desktop\OTL.exe
[2010/04/15 23:57:15 | 000,000,000 | -H-D | C] -- C:\Windows\PIF
[2010/04/15 19:08:16 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/15 19:07:38 | 000,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Users\Erik\Desktop\HJTsetup.exe
[2010/04/15 18:46:48 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/04/15 18:09:30 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/04/15 18:08:43 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/04/15 17:56:42 | 000,638,464 | ---- | C] (OldTimer Tools) -- C:\Users\Erik\Desktop\OTS.exe
[2010/04/15 17:29:44 | 000,000,000 | ---D | C] -- C:\ProgramData\HP Product Assistant
[2010/04/11 16:07:19 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/04/11 16:06:57 | 000,000,000 | ---D | C] -- C:\Users\Erik\AppData\Roaming\SUPERAntiSpyware.com
[2010/04/11 16:06:57 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/11 16:05:23 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/04/11 16:00:19 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010/04/11 11:59:22 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/04/11 11:59:22 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/04/11 11:59:22 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/04/11 11:58:58 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/04/11 11:58:08 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/11 11:57:19 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Users\Erik\Desktop\TFC.exe
[2010/04/11 10:13:42 | 000,000,000 | ---D | C] -- C:\Program Files\Eusing Free Registry Cleaner
[2010/04/11 01:57:52 | 000,000,000 | ---D | C] -- C:\Users\Erik\AppData\Roaming\Avira
[2010/04/11 01:29:18 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys
[2010/04/11 01:29:17 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2010/04/11 01:29:17 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2010/04/11 01:29:17 | 000,051,992 | ---- | C] (AVIRA GmbH) -- C:\Windows\System32\drivers\avgntdd.sys
[2010/04/11 01:29:17 | 000,017,016 | ---- | C] (AVIRA GmbH) -- C:\Windows\System32\drivers\avgntmgr.sys
[2010/04/11 01:29:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
[2010/04/11 01:29:15 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/04/06 17:25:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/04/06 17:25:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/05 01:19:07 | 000,000,000 | ---D | C] -- C:\Users\Erik\AppData\Local\Blizzard Entertainment
[2 C:\Users\Erik\Documents\*.tmp files -> C:\Users\Erik\Documents\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/16 01:41:00 | 004,980,736 | -HS- | M] () -- C:\Users\Erik\ntuser.dat
[2010/04/16 01:39:06 | 000,020,992 | ---- | M] () -- C:\Windows\System32\tdlcmd.dll
[2010/04/16 01:33:45 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/16 01:33:45 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/16 01:15:01 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4115463262-510367102-684270071-1000UA.job
[2010/04/16 00:44:12 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Erik\Desktop\OTL.exe
[2010/04/16 00:21:56 | 000,525,824 | ---- | M] () -- C:\Users\Erik\Desktop\dds.scr
[2010/04/15 23:52:04 | 000,293,376 | ---- | M] () -- C:\Users\Erik\Desktop\9tqp9vcj.exe
[2010/04/15 23:50:47 | 000,525,824 | ---- | M] () -- C:\Users\Erik\Desktop\dds.com
[2010/04/15 19:08:16 | 000,001,874 | ---- | M] () -- C:\Users\Erik\Desktop\HijackThis.lnk
[2010/04/15 19:07:35 | 000,027,240 | ---- | M] () -- C:\Users\Erik\AppData\Roaming\nvModes.001
[2010/04/15 19:06:37 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Users\Erik\Desktop\HJTsetup.exe
[2010/04/15 18:37:40 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/04/15 18:08:30 | 003,916,476 | R--- | M] () -- C:\Users\Erik\Desktop\ComboFix.exe
[2010/04/15 17:59:24 | 000,354,396 | ---- | M] () -- C:\Users\Erik\Desktop\SysProt.zip
[2010/04/15 17:56:44 | 000,638,464 | ---- | M] (OldTimer Tools) -- C:\Users\Erik\Desktop\OTS.exe
[2010/04/15 17:41:06 | 000,023,111 | ---- | M] () -- C:\Windows\hpqins15.dat
[2010/04/15 17:35:52 | 000,077,375 | ---- | M] () -- C:\Windows\hpqins05.dat
[2010/04/15 17:35:12 | 000,088,960 | ---- | M] () -- C:\Users\Erik\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/04/15 17:33:49 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/15 17:33:20 | 000,350,984 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/04/15 17:33:05 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/15 17:30:58 | 000,524,288 | -HS- | M] () -- C:\Users\Erik\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/04/15 17:30:58 | 000,065,536 | -HS- | M] () -- C:\Users\Erik\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/04/15 17:30:51 | 002,017,988 | -H-- | M] () -- C:\Users\Erik\AppData\Local\IconCache.db
[2010/04/15 17:28:39 | 000,001,176 | ---- | M] () -- C:\Users\Public\Desktop\HP Solution Center.lnk
[2010/04/15 09:18:16 | 000,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{075B6966-1ACD-46E2-9763-09F6E8050C58}.job
[2010/04/14 20:43:12 | 000,027,240 | ---- | M] () -- C:\Users\Erik\AppData\Roaming\nvModes.dat
[2010/04/14 20:00:49 | 000,108,573 | ---- | M] () -- C:\Users\Erik\Documents\stomach cancer.docx
[2010/04/13 02:15:01 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4115463262-510367102-684270071-1000Core.job
[2010/04/11 22:34:24 | 000,100,908 | ---- | M] () -- C:\Users\Erik\Desktop\SystemLook.exe
[2010/04/11 17:13:35 | 000,284,915 | ---- | M] () -- C:\Users\Erik\Desktop\gmer.zip
[2010/04/11 16:48:28 | 000,000,902 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/04/11 11:55:19 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Users\Erik\Desktop\TFC.exe
[2010/04/11 11:50:55 | 003,911,676 | R--- | M] () -- C:\Users\Erik\Desktop\123out.exe
[2010/04/11 11:22:07 | 000,016,896 | ---- | M] () -- C:\Users\Erik\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/11 10:54:54 | 000,003,766 | -HS- | M] () -- C:\Windows\System32\KGyGaAvL.sys
[2010/04/11 10:13:45 | 000,000,862 | ---- | M] () -- C:\Users\Erik\Desktop\Eusing Free Registry Cleaner.lnk
[2010/04/11 01:29:39 | 000,001,847 | ---- | M] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk
[2010/04/11 01:14:16 | 000,000,680 | ---- | M] () -- C:\Users\Erik\AppData\Local\d3d9caps.dat
[2010/04/07 22:17:14 | 000,000,806 | ---- | M] () -- C:\Users\Erik\Desktop\uhmmm,.lnk
[2010/04/06 17:34:06 | 000,002,560 | ---- | M] () -- C:\Windows\_MSRSTRT.EXE
[2010/04/06 17:17:59 | 000,048,287 | ---- | M] () -- C:\Windows\System32\hrjysvzimagux.exe
[2010/04/03 14:26:50 | 000,010,990 | ---- | M] () -- C:\Users\Erik\Documents\Epic fail..docx
[2 C:\Users\Erik\Documents\*.tmp files -> C:\Users\Erik\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/16 01:39:06 | 000,020,992 | ---- | C] () -- C:\Windows\System32\tdlcmd.dll
[2010/04/16 00:21:56 | 000,525,824 | ---- | C] () -- C:\Users\Erik\Desktop\dds.scr
[2010/04/15 23:52:01 | 000,293,376 | ---- | C] () -- C:\Users\Erik\Desktop\9tqp9vcj.exe
[2010/04/15 23:50:45 | 000,525,824 | ---- | C] () -- C:\Users\Erik\Desktop\dds.com
[2010/04/15 19:08:16 | 000,001,874 | ---- | C] () -- C:\Users\Erik\Desktop\HijackThis.lnk
[2010/04/15 17:59:22 | 000,354,396 | ---- | C] () -- C:\Users\Erik\Desktop\SysProt.zip
[2010/04/15 17:39:02 | 000,023,111 | ---- | C] () -- C:\Windows\hpqins15.dat
[2010/04/15 17:28:39 | 000,001,176 | ---- | C] () -- C:\Users\Public\Desktop\HP Solution Center.lnk
[2010/04/15 17:27:15 | 000,077,375 | ---- | C] () -- C:\Windows\hpqins05.dat
[2010/04/14 19:48:33 | 000,108,573 | ---- | C] () -- C:\Users\Erik\Documents\stomach cancer.docx
[2010/04/11 22:34:23 | 000,100,908 | ---- | C] () -- C:\Users\Erik\Desktop\SystemLook.exe
[2010/04/11 22:32:18 | 003,916,476 | R--- | C] () -- C:\Users\Erik\Desktop\ComboFix.exe
[2010/04/11 17:13:34 | 000,284,915 | ---- | C] () -- C:\Users\Erik\Desktop\gmer.zip
[2010/04/11 16:07:01 | 000,000,902 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/04/11 11:59:22 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/04/11 11:59:22 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/04/11 11:59:22 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/04/11 11:59:22 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/04/11 11:59:22 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/04/11 11:57:10 | 003,911,676 | R--- | C] () -- C:\Users\Erik\Desktop\123out.exe
[2010/04/11 10:13:45 | 000,000,862 | ---- | C] () -- C:\Users\Erik\Desktop\Eusing Free Registry Cleaner.lnk
[2010/04/11 01:29:39 | 000,001,847 | ---- | C] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk
[2010/04/11 01:14:16 | 000,000,680 | ---- | C] () -- C:\Users\Erik\AppData\Local\d3d9caps.dat
[2010/04/06 17:34:04 | 000,002,560 | ---- | C] () -- C:\Windows\_MSRSTRT.EXE
[2010/04/06 17:17:59 | 000,048,287 | ---- | C] () -- C:\Windows\System32\hrjysvzimagux.exe
[2010/04/03 14:26:50 | 000,010,990 | ---- | C] () -- C:\Users\Erik\Documents\Epic fail..docx
[2010/04/01 08:53:05 | 000,011,268 | -HS- | C] () -- C:\ProgramData\7VJ5
[2010/03/24 17:12:00 | 000,009,980 | -HS- | C] () -- C:\ProgramData\20xYJkS83BHk4
[2009/10/25 00:27:03 | 001,970,176 | ---- | C] () -- C:\Windows\System32\d3dx9.dll
[2009/09/11 02:32:44 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/02/26 15:44:38 | 000,020,000 | -H-- | C] () -- C:\ProgramData\T09F8
[2009/02/03 19:42:47 | 000,016,384 | -HS- | C] () -- C:\Users\Erik\Thumbs.db
[2009/01/02 19:40:23 | 002,255,360 | ---- | C] () -- C:\Windows\System32\libavcodec.dll
[2008/12/21 15:55:34 | 000,395,776 | ---- | C] () -- C:\Windows\System32\libmplayer.dll
[2008/12/21 15:55:34 | 000,262,144 | ---- | C] () -- C:\Windows\System32\TomsMoComp_ff.dll
[2008/12/21 15:55:34 | 000,112,640 | ---- | C] () -- C:\Windows\System32\libmpeg2_ff.dll
[2008/12/18 18:51:32 | 000,000,196 | ---- | C] () -- C:\Windows\ulead32.ini
[2008/12/02 10:59:51 | 000,000,197 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2008/06/29 20:52:26 | 000,000,600 | ---- | C] () -- C:\Users\Erik\PUTTY.RND
[2008/06/22 22:20:57 | 000,159,760 | ---- | C] () -- C:\ProgramData\BallAudioAudio.20oyyt
[2008/06/22 21:57:56 | 000,348,176 | ---- | C] () -- C:\ProgramData\BallAudioAudio.fqclia9
[2008/06/22 21:32:53 | 000,274,448 | ---- | C] () -- C:\ProgramData\BallAudioAudio.f1gh6n
[2008/06/22 21:10:03 | 000,118,800 | ---- | C] () -- C:\ProgramData\BallAudioAudio.e2qu0
[2008/06/22 20:47:52 | 000,102,416 | ---- | C] () -- C:\ProgramData\BallAudioAudio.laq25
[2008/06/22 20:25:19 | 000,208,912 | ---- | C] () -- C:\ProgramData\BallAudioAudio.plov6l
[2008/06/22 20:03:14 | 000,339,984 | ---- | C] () -- C:\ProgramData\BallAudioAudio.ulcytj
[2008/06/22 19:41:07 | 000,278,544 | ---- | C] () -- C:\ProgramData\BallAudioAudio.jvxzjs
[2008/06/22 19:18:19 | 000,262,160 | ---- | C] () -- C:\ProgramData\BallAudioAudio.gyjaz9
[2008/06/22 18:56:10 | 000,110,608 | ---- | C] () -- C:\ProgramData\BallAudioAudio.b95l9
[2008/06/22 18:33:39 | 000,225,296 | ---- | C] () -- C:\ProgramData\BallAudioAudio.hwys682
[2008/06/22 18:11:36 | 000,249,872 | ---- | C] () -- C:\ProgramData\BallAudioAudio.m67gkn
[2008/06/22 17:49:27 | 000,213,008 | ---- | C] () -- C:\ProgramData\BallAudioAudio.4iopj2
[2008/06/22 17:26:55 | 000,192,528 | ---- | C] () -- C:\ProgramData\BallAudioAudio.usv9jbi
[2008/06/22 17:04:47 | 000,016,400 | ---- | C] () -- C:\ProgramData\BallAudioAudio.4e175
[2008/06/22 16:42:36 | 000,327,696 | ---- | C] () -- C:\ProgramData\BallAudioAudio.7pnej
[2008/06/22 16:19:47 | 000,172,048 | ---- | C] () -- C:\ProgramData\BallAudioAudio.hv9ufya
[2008/06/22 15:57:40 | 000,028,688 | ---- | C] () -- C:\ProgramData\BallAudioAudio.ygls2z
[2008/06/22 15:35:30 | 000,245,776 | ---- | C] () -- C:\ProgramData\BallAudioAudio.hkpn4
[2008/06/22 15:12:54 | 000,208,912 | ---- | C] () -- C:\ProgramData\BallAudioAudio.dmp3vk
[2008/06/22 14:50:44 | 000,192,528 | ---- | C] () -- C:\ProgramData\BallAudioAudio.ffznv
[2008/06/22 14:27:51 | 000,331,792 | ---- | C] () -- C:\ProgramData\BallAudioAudio.gu1rpfm
[2008/06/22 14:05:42 | 000,405,520 | ---- | C] () -- C:\ProgramData\BallAudioAudio.zi2zi
[2008/06/22 13:43:31 | 000,094,224 | ---- | C] () -- C:\ProgramData\BallAudioAudio.gteskk
[2008/06/22 13:20:53 | 000,110,608 | ---- | C] () -- C:\ProgramData\BallAudioAudio.uefjt
[2008/06/22 12:58:32 | 000,352,272 | ---- | C] () -- C:\ProgramData\BallAudioAudio.k53lq
[2008/06/22 12:35:18 | 000,385,040 | ---- | C] () -- C:\ProgramData\BallAudioAudio.xxzm9da
[2008/06/22 12:12:40 | 000,163,856 | ---- | C] () -- C:\ProgramData\BallAudioAudio.obrsc
[2008/06/22 11:50:25 | 000,049,168 | ---- | C] () -- C:\ProgramData\BallAudioAudio.jcwt4
[2008/06/22 11:27:47 | 000,131,088 | ---- | C] () -- C:\ProgramData\BallAudioAudio.w9115
[2008/06/22 11:05:38 | 000,020,496 | ---- | C] () -- C:\ProgramData\BallAudioAudio.qo75w7y
[2008/06/22 10:43:15 | 000,004,112 | ---- | C] () -- C:\ProgramData\BallAudioAudio.qswkx3s
[2008/06/22 10:21:00 | 000,028,688 | ---- | C] () -- C:\ProgramData\BallAudioAudio.l1dz55b
[2008/06/22 09:58:51 | 000,167,952 | ---- | C] () -- C:\ProgramData\BallAudioAudio.n0od7
[2008/06/22 09:36:14 | 000,303,120 | ---- | C] () -- C:\ProgramData\BallAudioAudio.71plwad
[2008/06/22 09:14:07 | 000,200,720 | ---- | C] () -- C:\ProgramData\BallAudioAudio.6vowc
[2008/06/22 08:51:35 | 000,364,560 | ---- | C] () -- C:\ProgramData\BallAudioAudio.sftdol
[2008/06/22 08:28:44 | 000,036,880 | ---- | C] () -- C:\ProgramData\BallAudioAudio.xs4rop
[2008/06/22 08:06:36 | 000,073,744 | ---- | C] () -- C:\ProgramData\BallAudioAudio.ke6g9b
[2008/06/22 07:44:25 | 000,229,392 | ---- | C] () -- C:\ProgramData\BallAudioAudio.yd56z92
[2008/06/22 07:21:57 | 000,270,352 | ---- | C] () -- C:\ProgramData\BallAudioAudio.fowlq
[2008/06/22 06:59:46 | 000,073,744 | ---- | C] () -- C:\ProgramData\BallAudioAudio.2xb9rl
[2008/06/22 06:37:20 | 000,368,656 | ---- | C] () -- C:\ProgramData\BallAudioAudio.94uej2r
[2008/06/22 06:15:10 | 000,376,848 | ---- | C] () -- C:\ProgramData\BallAudioAudio.ogjuo
[2008/06/22 05:53:03 | 000,184,336 | ---- | C] () -- C:\ProgramData\BallAudioAudio.o432s2
[2008/06/22 05:30:24 | 000,356,368 | ---- | C] () -- C:\ProgramData\BallAudioAudio.dav854v
[2008/06/22 05:08:06 | 000,135,184 | ---- | C] () -- C:\ProgramData\BallAudioAudio.kjlu0i
[2008/06/22 04:45:51 | 000,114,704 | ---- | C] () -- C:\ProgramData\BallAudioAudio.mwphrh
[2008/06/22 04:23:09 | 000,397,328 | ---- | C] () -- C:\ProgramData\BallAudioAudio.w9mlbo
[2008/06/22 04:00:49 | 000,094,224 | ---- | C] () -- C:\ProgramData\BallAudioAudio.c747bj
[2008/06/22 03:38:29 | 000,286,736 | ---- | C] () -- C:\ProgramData\BallAudioAudio.r126kw
[2008/06/22 03:15:24 | 000,262,160 | ---- | C] () -- C:\ProgramData\BallAudioAudio.b0b9yy
[2008/06/22 02:52:46 | 000,028,688 | ---- | C] () -- C:\ProgramData\BallAudioAudio.sfc9g
[2008/06/22 02:30:41 | 000,020,496 | ---- | C] () -- C:\ProgramData\BallAudioAudio.hexf5f
[2008/06/22 02:08:39 | 000,274,448 | ---- | C] () -- C:\ProgramData\BallAudioAudio.y1702n
[2008/06/22 01:46:42 | 000,237,584 | ---- | C] () -- C:\ProgramData\BallAudioAudio.v8ha7
[2008/06/22 01:24:50 | 000,208,912 | ---- | C] () -- C:\ProgramData\BallAudioAudio.a5lxj
[2008/06/22 01:03:00 | 000,278,544 | ---- | C] () -- C:\ProgramData\BallAudioAudio.aieyak
[2008/06/22 00:41:08 | 000,081,936 | ---- | C] () -- C:\ProgramData\BallAudioAudio.7jz5bv0
[2008/05/26 22:45:14 | 000,058,792 | ---- | C] () -- C:\Windows\System32\wbload.dll
[2008/04/16 18:31:09 | 000,003,766 | -HS- | C] () -- C:\Windows\System32\KGyGaAvL.sys
[2008/04/16 18:31:09 | 000,000,088 | RHS- | C] () -- C:\Windows\System32\AED9B54B09.sys
[2008/04/16 16:54:37 | 000,260,645 | ---- | C] () -- C:\Users\Erik\water background.gif
[2008/04/16 16:30:07 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/03/11 09:34:25 | 000,000,000 | ---- | C] () -- C:\Users\Erik\AppData\Local\FnF4.txt
[2008/02/23 16:58:57 | 000,016,896 | ---- | C] () -- C:\Users\Erik\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/02/18 16:50:18 | 000,102,416 | ---- | C] () -- C:\ProgramData\clock coal beep.4vz7xc
[2008/02/18 16:50:02 | 000,372,752 | ---- | C] () -- C:\ProgramData\BallAudioAudio.46rrza
[2008/02/18 16:50:02 | 000,335,888 | ---- | C] () -- C:\ProgramData\BallAudioAudio.dtdeb7
[2008/02/17 20:04:28 | 000,027,240 | ---- | C] () -- C:\Users\Erik\AppData\Roaming\nvModes.001
[2008/02/17 20:03:03 | 000,027,240 | ---- | C] () -- C:\Users\Erik\AppData\Roaming\nvModes.dat
[2008/02/17 19:56:49 | 000,000,000 | ---- | C] () -- C:\Users\Erik\AppData\Local\QSwitch.txt
[2008/02/17 19:56:49 | 000,000,000 | ---- | C] () -- C:\Users\Erik\AppData\Local\DSwitch.txt
[2008/02/17 19:56:49 | 000,000,000 | ---- | C] () -- C:\Users\Erik\AppData\Local\AtStart.txt
[2008/02/17 19:22:05 | 000,000,020 | -HS- | C] () -- C:\Users\Erik\ntuser.ini
[2008/02/17 19:22:04 | 004,980,736 | -HS- | C] () -- C:\Users\Erik\ntuser.dat
[2008/02/17 19:22:04 | 000,524,288 | -HS- | C] () -- C:\Users\Erik\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms
[2008/02/17 19:22:04 | 000,524,288 | -HS- | C] () -- C:\Users\Erik\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2008/02/17 19:22:04 | 000,262,144 | -H-- | C] () -- C:\Users\Erik\ntuser.dat.LOG2
[2008/02/17 19:22:04 | 000,262,144 | -H-- | C] () -- C:\Users\Erik\ntuser.dat.LOG1
[2008/02/17 19:22:04 | 000,065,536 | -HS- | C] () -- C:\Users\Erik\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2007/12/30 13:07:42 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2007/11/02 05:21:25 | 000,004,253 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 06:25:21 | 000,061,440 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== LOP Check ==========

[2009/01/11 23:09:39 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Acreon
[2008/11/24 18:44:05 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Azureus
[2010/04/01 07:14:48 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\BitTorrent
[2008/12/20 01:35:11 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\cmw
[2010/04/16 01:45:23 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\DNA
[2008/03/21 21:38:23 | 000,000,000 | -H-D | M] -- C:\Users\Erik\AppData\Roaming\ijjigame
[2009/02/26 15:45:00 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Lasersoft Imaging
[2008/11/27 08:53:33 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Launchy
[2009/06/15 23:46:43 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\LimeWire
[2008/04/16 22:53:46 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Publish Providers
[2008/04/16 22:48:13 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\Sony
[2009/08/01 22:06:01 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\SystemRequirementsLab
[2008/02/17 20:01:37 | 000,000,000 | ---D | M] -- C:\Users\Erik\AppData\Roaming\WildTangent
[2010/04/15 17:31:03 | 000,032,592 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/04/15 09:18:16 | 000,000,416 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{075B6966-1ACD-46E2-9763-09F6E8050C58}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/19 03:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008/01/19 03:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/19 03:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/19 03:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2007/11/02 05:39:53 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=313FF294978EA6AF715722D708FB249F -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.20494_none_b858f78adaed51b3\AGP440.sys
[2007/11/02 05:39:53 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=CE71AFD6738AA025D742CDBCFBDC8B9C -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f2490cb0\AGP440.sys
[2007/11/02 05:39:53 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=CE71AFD6738AA025D742CDBCFBDC8B9C -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.16399_none_b7d45c31c1cb309c\AGP440.sys
[2006/11/02 05:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\ERDNT\cache\AGP440.sys
[2006/11/02 05:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\AGP440.sys
[2006/11/02 05:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\ERDNT\cache\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/19 03:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/19 03:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 05:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2008/02/18 15:53:46 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[2008/02/18 15:53:46 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2008/02/18 15:53:45 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\drivers\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 05:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\ERDNT\cache\cngaudit.dll
[2006/11/02 05:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 05:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: EVENTLOG.DLL >
[2007/01/13 01:30:08 | 000,007,216 | ---- | M] () MD5=C2A279A458A06DE2C83D842AA042B5A8 -- C:\Program Files\CyberLink\PowerDirector\EventLog.dll

< MD5 for: IASTORV.SYS >
[2008/01/19 03:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/19 03:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys
[2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2006/11/02 05:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll
[2009/04/11 02:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\ERDNT\cache\netlogon.dll
[2009/04/11 02:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2009/04/11 02:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/19 03:35:36 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 05:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
[2006/11/02 05:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/19 03:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/19 03:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/19 03:36:19 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2006/11/02 05:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll
[2009/04/11 02:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\ERDNT\cache\scecli.dll
[2009/04/11 02:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2009/04/11 02:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/04/11 02:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2009/04/11 02:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll
[2009/04/11 02:28:25 | 000,443,392 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\win32spl.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 06:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 06:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 06:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\system32\drivers\*.sys /90 >
[2010/02/16 13:24:01 | 000,060,936 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2010/03/01 09:05:24 | 000,124,784 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2010/02/20 16:53:34 | 000,411,648 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\http.sys
[2010/04/03 01:46:45 | 000,030,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tgqvhnos.sys

========== Files - Unicode (All) ==========
[2009/08/09 14:13:20 | 000,000,368 | -H-- | C] ()(C:\Users\Erik\Documents\._.QT-0106-c2591ec8-bfffe4ec-00?) -- C:\Users\Erik\Documents\._.QT-0106-c2591ec8-bfffe4ec-00
[2009/08/09 14:13:20 | 000,000,368 | -H-- | C] ()(C:\Users\Erik\Documents\._.QT-0106-c2591af2-bfffe4ec-00?) -- C:\Users\Erik\Documents\._.QT-0106-c2591af2-bfffe4ec-00
[2009/08/09 14:13:20 | 000,000,000 | -H-- | C] ()(C:\Users\Erik\Documents\.QT-0106-c2591ec8-bfffe4ec-00?) -- C:\Users\Erik\Documents\.QT-0106-c2591ec8-bfffe4ec-00
[2009/08/09 14:13:20 | 000,000,000 | -H-- | C] ()(C:\Users\Erik\Documents\.QT-0106-c2591af2-bfffe4ec-00?) -- C:\Users\Erik\Documents\.QT-0106-c2591af2-bfffe4ec-00
[2007/04/28 15:54:48 | 000,000,368 | -H-- | M] ()(C:\Users\Erik\Documents\._.QT-0106-c2591ec8-bfffe4ec-00?) -- C:\Users\Erik\Documents\._.QT-0106-c2591ec8-bfffe4ec-00
[2007/04/28 15:54:48 | 000,000,000 | -H-- | M] ()(C:\Users\Erik\Documents\.QT-0106-c2591ec8-bfffe4ec-00?) -- C:\Users\Erik\Documents\.QT-0106-c2591ec8-bfffe4ec-00
[2007/04/28 15:38:26 | 000,000,368 | -H-- | M] ()(C:\Users\Erik\Documents\._.QT-0106-c2591af2-bfffe4ec-00?) -- C:\Users\Erik\Documents\._.QT-0106-c2591af2-bfffe4ec-00
[2007/04/28 15:38:26 | 000,000,000 | -H-- | M] ()(C:\Users\Erik\Documents\.QT-0106-c2591af2-bfffe4ec-00?) -- C:\Users\Erik\Documents\.QT-0106-c2591af2-bfffe4ec-00

========== Alternate Data Streams ==========

@Alternate Data Stream - 278 bytes -> C:\Windows\System32\drivers\tgqvhnos.sys:changelist
< End of report >



Extras.txt
OTL Extras logfile created on: 16/04/2010 1:42:50 AM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Users\Erik\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 50.00% Memory free
4.00 Gb Paging File | 2.00 Gb Available in Paging File | 64.00% Paging File free
Paging file location(s): c:\pagefile.sys 900 1800 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 220.95 Gb Total Space | 72.39 Gb Free Space | 32.76% Space Free | Partition Type: NTFS
Drive D: | 11.93 Gb Total Space | 1.86 Gb Free Space | 15.58% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ERIK-PC
Current User Name: Erik
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Minimal
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- C:\Users\Erik\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4115463262-510367102-684270071-1000]
"EnableNotifications" = 1
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"" =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"" =
"C:\Program Files\Vongo\VongoService.exe" = C:\Program Files\Vongo\VongoService.exe:*:enabled:VongoService -- (Starz Entertainment Group LLC)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink -- (EarthLink, Inc.)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{092B9662-783A-480F-AFEA-CC2BAC8C9424}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{2EC933B5-A76D-4BF5-A02D-F5D48A0C07D2}" = rport=139 | protocol=6 | dir=out | app=system |
"{614ACE39-C3D3-49D8-9130-CBD7CCF51B53}" = lport=427 | protocol=17 | dir=in | name=hp 8000 |
"{67A95B99-7283-47E6-829E-ECFDF860ACB5}" = lport=2869 | protocol=6 | dir=in | app=system |
"{7D192D70-C3EC-4542-8F25-940CEF8244AD}" = rport=137 | protocol=17 | dir=out | app=system |
"{9EF41771-146E-4C55-BC26-65D4403C0977}" = lport=445 | protocol=6 | dir=in | app=system |
"{9FB6ED8A-FFC9-474B-9A53-B3DA44BE7BD2}" = lport=137 | protocol=17 | dir=in | app=system |
"{A4F87D3D-AEE9-4862-B372-B8333DD616FD}" = rport=138 | protocol=17 | dir=out | app=system |
"{AA954BD3-0C60-4C41-A7A2-400A7FC839F0}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | [email protected],-28539 |
"{ACF5A059-79A2-41AD-8B76-B2F3EBB73411}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{D7B11254-2BAD-4F03-8F62-FFFAEB0C3A37}" = rport=427 | protocol=17 | dir=in | svc=hpslpsvc | app=c:\windows\system32\svchost.exe |
"{E66067D8-C5A2-4786-A1AD-C7D72BE17F6C}" = lport=138 | protocol=17 | dir=in | app=system |
"{E89F5666-0423-4423-BF2A-E0D642AE40EF}" = lport=139 | protocol=6 | dir=in | app=system |
"{F1A20D75-799C-4D36-867F-3B0783BF1F97}" = rport=445 | protocol=6 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0AD5B223-8147-4E9A-B40B-8DF3ECAA4298}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{0C208782-B442-4D83-9221-9EAEF3AB3B7D}" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{0C25BB61-4330-436E-92C7-3C7FEA6CF5D0}" = protocol=58 | dir=in | [email protected],-28545 |
"{0CCDC1AC-6337-4C3E-AB14-E9689E5BBA9A}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{0D1A302D-8F2B-415C-86F9-DA1542419F2D}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{192D8781-D70A-4038-9645-E201198EABA4}" = dir=in | app=c:\program files\hp\quickplay\qp.exe |
"{20BE8EE1-3EF4-4FE7-BA55-6C7E1182BD10}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{261606FF-8AE4-4561-8DEC-6EFD4FBE36A8}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{28C3ABFA-31CF-4625-9894-78C32C773282}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{2A3C5DB9-18C7-48ED-A9D0-B022428F2CED}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqusgh.exe |
"{30A91DA5-382A-4537-B28C-70AF2725CEED}" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-enus-downloader.exe |
"{32877ECA-1F5C-4682-9971-52DB39F1335B}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpsapp.exe |
"{330FC065-E195-4435-ABA5-028FA3A6A5CE}" = dir=in | app=c:\program files\hp\digital imaging\bin\hposid01.exe |
"{35D90C6A-D0CC-4FCA-9146-CAEDFA199A5B}" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-enus-downloader.exe |
"{3DE0ABA3-E78B-42C5-889F-7D1A8F7DC70D}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpse.exe |
"{3FF634D1-7EEC-4C6E-BDF0-873E852109EA}" = protocol=1 | dir=in | [email protected],-28543 |
"{45AEBAB3-743C-4A9F-A278-BA597C8B0134}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{4B9EB990-86F0-43F7-81D0-BA29D3950E06}" = protocol=17 | dir=in | app=c:\program files\curse\curseclient.exe |
"{4D630C61-B791-4168-9D33-4A64A5F7450F}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{57A55DCB-2730-478E-98EB-6CC3C4E96661}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{5A7D99B7-97E0-4139-A2A2-7E0C17508472}" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-enus-downloader.exe |
"{5C66D3FE-2644-4A87-A654-2D25B9B2FEB7}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqsudi.exe |
"{5FC7A52A-1852-4B1A-90A1-E64EB586ACB1}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqgplgtupl.exe |
"{64F45406-717E-462B-B5D2-8F0F5A380D00}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqste08.exe |
"{6D37C2B0-A2FD-4C73-810D-A1DBFC3D471E}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpoews01.exe |
"{7464CE9C-5955-4FA8-BFE9-03EDF84385E2}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{757DB4D6-1C88-44FE-93C1-82AD0B973898}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{78CC0779-B61C-4F1C-8738-5B67B2212015}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqtra08.exe |
"{7CC8B0C3-6826-4D7A-8134-B8F585CB57EE}" = protocol=6 | dir=in | app=c:\program files\dna\btdna.exe |
"{7F4D586F-1FB1-4F87-978D-12AB0058D589}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{824A26A1-9385-4637-90B9-8390B016B07B}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqgpc01.exe |
"{8F96A033-C107-4059-B309-EF34092D92F5}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |
"{91D340FD-2951-4E5B-87C2-57F25A5923BC}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{92F0F901-19D1-4836-A785-72AE8B47FF56}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{97FC2888-0F83-456D-B694-B39264C88932}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{A9063885-CAFA-4238-9735-8C3A4913DCC3}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{B051661C-AEE6-4BA6-AAB8-A3541CC232D7}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{C1B50C45-D47B-4F6C-9BE6-C2C86F45AE3B}" = dir=in | app=c:\program files\hp\quickplay\qpservice.exe |
"{C3E62D50-5CDE-4628-B58F-8070DBF738F4}" = dir=in | app=c:\program files\hp\digital imaging\smart web printing\smartwebprintexe.exe |
"{C75841FE-E610-4ACE-AA02-DC6D30B70375}" = protocol=6 | dir=in | app=c:\program files\curse\curseclient.exe |
"{CAB80EF1-0A47-41A9-91DE-2CA753F244B0}" = dir=in | app=c:\program files\hp\hp software update\hpwucli.exe |
"{CB4FFD26-A463-4E5F-980E-E001372BB2EB}" = dir=in | app=e:\setup\hpznui01.exe |
"{CDB9E6ED-5B48-40A5-B1F9-96DF1FF44927}" = dir=in | app=c:\program files\common files\hp\digital imaging\bin\hpqphotocrm.exe |
"{D03E6D96-2E82-4B3C-B1C8-48029A001DF0}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{D55FE685-66EF-47DA-8D02-716E16C2AA39}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{D7973FA8-6161-4B9F-BCFB-5EEEF98E4C97}" = protocol=17 | dir=in | app=c:\program files\dna\btdna.exe |
"{DE4D7AAC-00C2-4B2C-941F-5CB6A46CABE2}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{DF612F82-EAC2-4937-9B2A-0F2876A4211C}" = protocol=17 | dir=in | app=c:\program files\dna\btdna.exe |
"{EEC94B8B-AE20-4821-9A5E-7BBAD14CFE16}" = protocol=6 | dir=in | app=c:\program files\dna\btdna.exe |
"{F15558E4-09CB-4076-BA84-D1032A1F9F79}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{F39842AD-AD87-426D-8B64-880FAC50522E}" = protocol=1 | dir=out | [email protected],-28544 |
"{F5905EA4-B10B-4FAC-82FE-D3D4E98D8057}" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{F646D18C-B9B4-4BD9-B299-0B73AB90F6B2}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqusgm.exe |
"{F793C491-C7DD-46FE-8F3D-8632A53CBFB7}" = protocol=58 | dir=out | [email protected],-28546 |
"{FD4D9A64-7CEF-45F1-907D-AA3E204CDEB0}" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-enus-downloader.exe |
"TCP Query User{2455F499-9214-45E1-A3E5-E8F262F9CB70}C:\users\public\games\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
"TCP Query User{3247E2E4-5BBB-41F6-AC09-C9B0194797A2}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{574BA128-1DB1-4918-AD46-323E63C26745}C:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-enus-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-enus-downloader.exe |
"TCP Query User{5F203965-518E-4F27-84C3-8F095D3BBA82}C:\program files\limewire\limewire.exe" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"TCP Query User{69CA9514-99DD-45CA-BC93-C7703B08C910}C:\users\erik\program files\dna\btdna.exe" = protocol=6 | dir=in | app=c:\users\erik\program files\dna\btdna.exe |
"TCP Query User{8DE452B6-B539-4FEE-A1E6-BEA72CE963EA}C:\users\erik\program files\bittorrent\bittorrent.exe" = protocol=6 | dir=in | app=c:\users\erik\program files\bittorrent\bittorrent.exe |
"TCP Query User{96A57661-CAF2-491A-9721-3D5D8BB86C00}C:\users\public\games\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-enus-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-enus-downloader.exe |
"TCP Query User{A26E073C-7CD5-4E08-899A-EB9FD21C74DB}C:\users\public\games\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
"TCP Query User{B6B4EF75-2BD7-48AB-A330-6D6B44F34285}C:\users\erik\program files\bittorrent\bittorrent.exe" = protocol=6 | dir=in | app=c:\users\erik\program files\bittorrent\bittorrent.exe |
"TCP Query User{C7D6CB27-8D62-48AA-A3C6-3659F8BBC23F}C:\program files\curse\curseclient.exe" = protocol=6 | dir=in | app=c:\program files\curse\curseclient.exe |
"TCP Query User{E3CE66EF-BF2E-46D6-91AB-C7769C3DB28B}C:\users\erik\program files\dna\btdna.exe" = protocol=6 | dir=in | app=c:\users\erik\program files\dna\btdna.exe |
"TCP Query User{FDAE2A43-EDB3-427C-B692-226F229AACCC}C:\program files\bittorrent\bittorrent.exe" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"UDP Query User{0C7795CE-CA5B-4939-9373-ABF5FB01E7A8}C:\users\erik\program files\bittorrent\bittorrent.exe" = protocol=17 | dir=in | app=c:\users\erik\program files\bittorrent\bittorrent.exe |
"UDP Query User{0D5AE96B-3DED-4B06-A2BB-72AB7D8481B1}C:\users\public\games\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
"UDP Query User{3159A116-9BAF-40F6-9F01-335FF7D2E70F}C:\users\public\games\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
"UDP Query User{3EC8EBB2-1830-43E6-8E7B-ADECAB547A5C}C:\users\erik\program files\dna\btdna.exe" = protocol=17 | dir=in | app=c:\users\erik\program files\dna\btdna.exe |
"UDP Query User{3F73D53B-0B53-41EF-8F24-DCF2888FA411}C:\program files\curse\curseclient.exe" = protocol=17 | dir=in | app=c:\program files\curse\curseclient.exe |
"UDP Query User{5A35CE7A-3123-448D-AD03-532801976BF7}C:\users\public\games\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-enus-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.3.11685-to-3.3.3.11723-enus-downloader.exe |
"UDP Query User{765713D2-7DDD-4B8B-95F5-8339CB83A512}C:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-enus-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-enus-downloader.exe |
"UDP Query User{A4A16790-89CB-4E27-BD6B-C37457B0B051}C:\program files\limewire\limewire.exe" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"UDP Query User{B183308F-4136-40C0-9FA6-D337DA735094}C:\program files\bittorrent\bittorrent.exe" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"UDP Query User{D5579808-FA27-47DE-A958-613B66B5460B}C:\users\erik\program files\dna\btdna.exe" = protocol=17 | dir=in | app=c:\users\erik\program files\dna\btdna.exe |
"UDP Query User{E454E1E8-EAE1-4C9B-8C97-C191C81A9E8E}C:\users\erik\program files\bittorrent\bittorrent.exe" = protocol=17 | dir=in | app=c:\users\erik\program files\bittorrent\bittorrent.exe |
"UDP Query User{F97437AD-AFC0-4C1E-B7A7-007014F085FB}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Professional
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Disc 2
"{004B0DCB-4C60-465B-8F01-44B0A4111187}" = SlingPlayer
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{03A7C57A-B2C8-409b-92E5-524A0DFD0DD3}" = Status
"{06E74B9B-631F-4378-BF3A-40D868450C05}" = HPPhotoSmartPhotobookHolidayPack1
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{087A66B8-1F0F-4a8d-A649-0CFE276AA7C0}" = WebReg
"{0EE4030A-8FD4-4798-A21D-17E525B1F7CF}" = Corel Snapfire
"{11BB336F-0E58-4977-B866-F24FA334616B}" = HP Active Support Library
"{12A76360-388E-4B27-ABEB-D5FC5378DD2A}" = HPPhotoSmartPhotobookWebPack1
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{15AC0C5D-A6FB-4CE2-8CD0-28179EEB5625}" = Nokia Connectivity Cable Driver
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{172AEB5E-CBB2-4CDD-A4CF-388600825839}" = HPPhotoSmartPhotobookPlayfulPack1
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1BDC9633-895B-4842-BCB6-8FA1EC2A3C5A}" = Adobe Shockwave Player
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{209CDA54-D390-46A2-A97C-7BF61734418D}" = WeatherBug Gadget
"{2284D904-C138-4B58-93EC-5C362AB5130A}" = The Sims™ Life Stories
"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{240556C4-80D1-465F-81D8-E0B9D108548A}" = 5300_5400_Help
"{250E9609-E830-43EB-B379-DAB7546A2422}" = muvee autoProducer 6.1
"{254C37AA-6B72-4300-84F6-98A82419187E}" = Hewlett-Packard Active Check
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java(TM) 6 Update 19
"{28EDCE9C-3304-4331-8AB3-F3EBE94C35B4}" = HP Help and Support
"{2A329FB6-389D-4396-A974-29656D6864AE}" = MarketResearch
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)
"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.30 E1
"{3700194C-C5DD-439A-BE06-A66960CA4C70}" = MSVCSetup
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP QuickPlay 3.6
"{47ECCB1F-2811-49C0-B6A7-26778639ABA0}" = 32 Bit HP CIO Components Installer
"{48B82226-75E3-4E90-92CC-D30F79EA6380}" = Norton Security Scan
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4CACFCD9-F71B-413A-8DF5-1A6419D5CDC6}" = Cards_Calendar_OrderGift_DoMorePlugout
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4D304678-738E-42a0-931A-2B022F49DEB8}" = TrayApp
"{542C0F0B-FBDF-45d9-AF8A-345C1A9B5AE3}" = 8000A809
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = Hewlett-Packard Asset Agent for Health Check
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{671B4BAD-D681-4d29-9498-D8BF3F1A389D}" = BPDSoftware
"{681B698F-C997-42C3-B184-B489C6CA24C9}" = HPPhotoSmartDiscLabelContent1
"{68471BF2-F1F7-4C89-BBBA-400B94996596}" = ESU for Microsoft Vista
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6A3F98BA-338E-49a1-9D79-D786A83E6621}" = HP Officejet Pro 8000 A809 Series
"{6E4EE9B5-F69D-4455-B430-40FA5F0DC988}" = ProductContext
"{6EED4269-588D-45b8-A80C-26A9CA62EE4E}" = HPSSupply
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7059BDA7-E1DB-442C-B7A1-6144596720A4}" = HP Update
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7745B7A9-F323-4BB9-9811-01BF57A028DA}" = Map Button (Windows Live Toolbar)
"{77B3331C-1644-4C9E-9F1C-7D2A5517102E}" = BPDSoftware_Ini_CCR_Vista
"{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar
"{7ABD82AD-E13E-4673-A450-0890D43C8F9D}" = MPM
"{7DC4A410-9986-4329-9E5D-687B2C42CA39}" = HP QuickTouch 1.00 C4
"{7F94FB03-6617-4442-9817-CDDB36EAE529}" = 8000A809_eDocs
"{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84C34368-0C06-4880-9095-474609A8E770}" = Sony Preset Manager 2.0e
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{86BC184E-CFCD-48D5-829A-666A36C6ACC9}" = 8000A809_Help
"{87A9A9A9-FAB7-4224-9328-0FA2058C0FD5}" = Network
"{89E052B2-5CA5-4B7A-AF0C-28CA2836B030}" = HPPhotoSmartPhotobookModernPack1
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}" = Vongo
"{8D2C1E44-7685-4D05-8342-B0DC6422FA47}" = Ulead Straight-to-Disc SDK
"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9885A11E-60E4-417C-B58B-8B31B21C0B8A}" = HP Easy Setup - Frontend
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Touch Pad Driver
"{A07840FC-CE63-4CB8-8030-EF4B9805925A}" = HPPhotoSmartDiscLabel_PaperLabel
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}" = Highlight Viewer (Windows Live Toolbar)
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC13BA3A-336B-45a4-B3FE-2D3058A7B533}" = Toolbox
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{AC95121F-1576-45B8-82F7-3911D27882E6}" = HPPhotoSmartPhotobookScrapbookPack1
"{AD277ED4-7E41-4074-911D-D34AF41B9D49}" = HP Officejet Pro K5300/5400 Series
"{ADFB9653-F44C-460C-BF58-189CC552DFFE}" = hpphotosmartdisclabelplugin
"{AFB69549-3AAE-4433-A99B-673B8A513379}" = BPDSoftware_Ini
"{b02df929-29a7-4fd2-9a70-81a644b635f7}" = HP Total Care Advisor
"{B10A30CF-CCFF-4056-9ABC-F8D42BDF141F}" = myPrintMileage (Officejet Pro 8000 A809)
"{B40DCEFF-9B7B-4c36-B4FA-6CE7EABFB4B8}" = K5400
"{B4E91E95-A5BA-4E50-A465-DB7EFEB176E8}" = HPPhotoSmartDiscLabel_PrintOnDisc
"{B53620C0-3A83-4F50-A7AB-175DB64C1CE3}" = HP User Guides 0090
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{BD0E2B92-3814-46F0-893B-4612EA010C7E}" = HP Customer Experience Enhancements
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{C716522C-3731-4667-8579-40B098294500}" = Toolbox
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CBAE4F50-9FC9-4557-AB36-9826DF3C103C}" = HP Wireless Assistant
"{CC4A73BF-938E-4C19-A553-853C035C9BA1}" = LightScribe System Software 1.10.13.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D49EE5B7-1AEB-49C9-B77D-4AEE7249F505}" = BPD_HPSU
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{D79113E7-274C-470B-BD46-01B10219DF6A}" = HPPhotosmartEssential
"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{ECAD4F6A-0BF3-4028-9C81-E5D9F9606CBA}" = BPDSoftware
"{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F5577101-33CC-4711-8235-3A95BCD49DB0}" = EA Link
"{F636EE9A-F9EC-4606-BCFA-77DD0E210788}" = HPPhotoSmartDiscLabel_Tattoo
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F769B78E-FF0E-4db5-95E2-9F4C8D6352FE}" = DeviceDiscovery
"{F7F3B252-E772-48AA-93EB-7964BC326067}" = MSCU for Microsoft Vista
"{FA0CE30A-B8EF-4b6b-85BF-D2B2C354A32C}" = ProductContext
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"{FBA70FCC-BD23-4120-BA30-3E0DDF66AE82}" = 5300_5400_Readme
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"ADS Tech Master Installer V3.8" = ADS Tech Master Installer V3.8
"ADS Tech V3.8 DVD Xpress DX2 CapWiz" = ADS Tech V3.8 DVD Xpress DX2 CapWiz
"AIM_6" = AIM 6
"AskPBar Uninstall" = Ask Toolbar
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"Cheat Engine 5.5_is1" = Cheat Engine 5.5
"CNXT_AUDIO_HDA" = Conexant HD Audio
"CNXT_MODEM_HDA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"DesktopX" = DesktopX
"Epson-SE TWAIN_is1" = Epson-SE TWAIN
"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
"Hauppauge MCE2005 Software Encoder" = Hauppauge MCE XP/Vista Software Encoder (2.0.25149)
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"HP Imaging Device Functions" = HP Imaging Device Functions 12.0
"HP Photosmart Essential" = HP Photosmart Essential 3.5
"HP Smart Web Printing" = HP Smart Web Printing 4.60
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 12.0
"hrjysvzimagux" = Performance Maximizer Profitizeme
"InstallShield_{004B0DCB-4C60-465B-8F01-44B0A4111187}" = SlingPlayer
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"InstallShield_{F5577101-33CC-4711-8235-3A95BCD49DB0}" = EA Link
"Messenger Plus! Live" = Messenger Plus! Live & Sponsor (CiD)
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.18)" = Mozilla Firefox (3.0.18)
"MSNINST" = MSN
"NVIDIA Drivers" = NVIDIA Drivers
"ObjectBar" = ObjectBar
"ONLYUSEmeBLADE Toolbar" = ONLYUSEmeBLADE Toolbar
"Shop for HP Supplies" = Shop for HP Supplies
"SlingMedia.QPSlingPlayer_is1" = QuickPlay SlingPlayer 0.4.4
"Sony Vocal Eraser_is1" = Sony Vocal Eraser
"SystemRequirementsLab" = System Requirements Lab
"ViewpointMediaPlayer" = Viewpoint Media Player
"WildTangent hp Master Uninstall" = My HP Games
"WinLiveSuite_Wave3" = Windows Live Essentials
"World of Warcraft" = World of Warcraft
"Yahoo! Companion" = Yahoo! Toolbar

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent
"BitTorrent DNA" = DNA
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >
 

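The firewall section of the OTL report above lists the Windows Firewall exceptions on this machine, and two patterns in it deserve a second look before cleanup. Rules named "TCP Query User{...}" or "UDP Query User{...}" are the ones Windows Firewall creates when a user clicks Allow on its unblock prompt, rather than rules written by an installer. Several inbound rules also point at executables under c:\users\ (bittorrent.exe and btdna.exe appear both under c:\program files\ and under c:\users\erik\program files\), and a binary in a user profile can be replaced by any process running as that user, which then inherits the firewall exception. The following is an added example, not part of this thread or of the OTL tool: a Python parser for rule lines of the format printed here that lists inbound rules for user-profile paths and programs that have rules in more than one directory. The sample input is a handful of lines copied from the report above; nothing else is assumed about the machine.

```python
"""Triage of OTL-style Windows Firewall rule dumps.

Added example, not from the thread or from the OTL tool. It parses lines of
the form  "{GUID}" = protocol=.. | dir=.. | app=.. |  and reports inbound
rules whose program lives under a user profile, plus programs that hold
rules from more than one install directory.
"""
import ntpath
import re
from collections import defaultdict

RULE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<body>.*)$')
PROTO_NAMES = {"1": "icmpv4", "6": "tcp", "17": "udp", "58": "icmpv6"}
USER_PROFILE_PREFIX = "c:\\users\\"

# Sample input: rule lines copied verbatim from the OTL report above.
SAMPLE_RULES = r"""
"{7CC8B0C3-6826-4D7A-8134-B8F585CB57EE}" = protocol=6 | dir=in | app=c:\program files\dna\btdna.exe |
"TCP Query User{8DE452B6-B539-4FEE-A1E6-BEA72CE963EA}C:\users\erik\program files\bittorrent\bittorrent.exe" = protocol=6 | dir=in | app=c:\users\erik\program files\bittorrent\bittorrent.exe |
"UDP Query User{0C7795CE-CA5B-4939-9373-ABF5FB01E7A8}C:\users\erik\program files\bittorrent\bittorrent.exe" = protocol=17 | dir=in | app=c:\users\erik\program files\bittorrent\bittorrent.exe |
"TCP Query User{FDAE2A43-EDB3-427C-B692-226F229AACCC}C:\program files\bittorrent\bittorrent.exe" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{5C66D3FE-2644-4A87-A654-2D25B9B2FEB7}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqsudi.exe |
"""


def parse_rules(text):
    """Parse rule lines into dicts; lines that do not look like rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        fields = {}
        for part in m["body"].split("|"):
            part = part.strip()
            if "=" in part:
                key, value = part.split("=", 1)
                fields[key.strip().lower()] = value.strip()
        proto = fields.get("protocol")
        rules.append({
            "name": m["name"],
            # A rule with no protocol= field applies to any protocol.
            "protocol": PROTO_NAMES.get(proto, proto or "any"),
            "dir": fields.get("dir", "?"),
            "app": fields.get("app", "").lower() or None,
            # Windows Firewall names rules created from its unblock prompt
            # "TCP Query User{GUID}<path>"; installer rules are a bare GUID.
            "prompt_created": m["name"].startswith(("TCP Query User", "UDP Query User")),
        })
    return rules


def triage(text):
    """Return all rules plus the two review lists described in the lead-in."""
    rules = parse_rules(text)
    user_profile_inbound = [
        r for r in rules
        if r["dir"] == "in" and r["app"] and r["app"].startswith(USER_PROFILE_PREFIX)
    ]
    dirs_by_program = defaultdict(set)
    for r in rules:
        if r["app"]:
            dirs_by_program[ntpath.basename(r["app"])].add(ntpath.dirname(r["app"]))
    duplicate_programs = {
        exe: sorted(dirs) for exe, dirs in dirs_by_program.items() if len(dirs) > 1
    }
    return {
        "rules": rules,
        "user_profile_inbound": user_profile_inbound,
        "duplicate_programs": duplicate_programs,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_RULES)
    print(f"{len(result['rules'])} rules parsed")
    for r in result["user_profile_inbound"]:
        print(f"inbound from user profile: {r['protocol']:<5} {r['app']}"
              f"{'  (prompt-created)' if r['prompt_created'] else ''}")
    for exe, dirs in result["duplicate_programs"].items():
        print(f"{exe} has rules in {len(dirs)} directories: {dirs}")
```

Run against the full report, the user-profile list is the set of exceptions to drop or re-create after the machine is clean, and the duplicate list shows which programs were installed twice (once per-machine, once per-user), which is worth reconciling before trusting either copy.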
mergatroid

Thread Starter
Joined
Apr 15, 2010
Messages
22
Here is gmer result:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-11 23:22:52
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Erik\AppData\Local\Temp\kxldapoc.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort0 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort1 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort2 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort3 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Officejet Pro 8000 A809 [email protected] 631928

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
 
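The GMER output above is the key evidence in this thread. Every IDE device object owned by \Driver\atapi resolves to the same dispatch address, 8071D9B0, which lies in no named section of atapi.sys, and the code there is a two-instruction stub that loads a pointer from 0xffdf0308 and jumps through it. On 32-bit Windows, KUSER_SHARED_DATA is mapped at kernel address 0xffdf0000, so that stub reads a pointer a rootkit stashed in shared data; a legitimate disk driver has no reason to dispatch I/O that way. Hooking the IDE dispatch lets kernel-mode malware filter reads and writes of the disk and hide its own sectors from scanners, which fits the tdlcmd.dll component Avira keeps finding. The following is an added example, not part of this thread or of GMER: a Python parser for GMER "Devices" and "Files" lines in the format printed here that explains why each entry looks hooked and groups entries by hook address. The sample input reuses three lines from the log above plus one constructed, clean usbuhci line so the filter has something to pass. The script only reports; as CatByte warns, it takes no action on any entry.

```python
"""Triage of GMER 'Devices' and 'Files' sections for inline-hook stubs.

Added example, not part of the original thread or of GMER. It flags device
objects whose dispatch address falls in an unknown section of the driver
image or where GMER disassembled an inline stub, and explains stubs that
read through KUSER_SHARED_DATA.
"""
import re
from collections import defaultdict

# 32-bit Windows maps KUSER_SHARED_DATA at this kernel address (one page).
# A dispatch stub that fetches a pointer from inside it has been redirected.
KUSER_SHARED_DATA = 0xFFDF0000
KUSER_SHARED_DATA_SIZE = 0x1000

DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\\Driver\\\S+)\s+(?P<device>\S+)\s+"
    r"\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+?)"
    r"(?:\[(?P<section>[^\]]+)\])?\s*(?:\{(?P<stub>[^}]+)\})?"
    r"\s*(?:\((?P<desc>[^)]*)\))?\s*$"
)
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification\s*$")
MEM_REF_RE = re.compile(r"\[0x([0-9A-Fa-f]{8})\]")

# Sample input: three atapi lines and the File line copied from the GMER log
# above; the usbuhci line is constructed here as a clean entry for contrast.
SAMPLE_GMER = r"""
---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort0 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort1 [8071D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\usbuhci \Device\USBPDO-0 [8A1234F0] \SystemRoot\system32\drivers\usbuhci.sys (UHCI USB Miniport Driver/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification
"""


def stub_reasons(section, stub):
    """Explain why a device entry looks hooked; an empty list means it looks clean."""
    reasons = []
    if section and section.lower() == "unknown section":
        reasons.append("dispatch address outside any named PE section of the driver")
    if stub:
        reasons.append("GMER disassembled an inline stub at the dispatch address")
        for hexaddr in MEM_REF_RE.findall(stub):
            ref = int(hexaddr, 16)
            if KUSER_SHARED_DATA <= ref < KUSER_SHARED_DATA + KUSER_SHARED_DATA_SIZE:
                reasons.append(
                    f"stub reads a pointer from KUSER_SHARED_DATA+0x{ref - KUSER_SHARED_DATA:x}"
                )
    return reasons


def triage(gmer_text):
    """Return hooked device entries, modified files and the distinct hook addresses."""
    hooked, files, by_addr = [], [], defaultdict(set)
    for line in gmer_text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            reasons = stub_reasons(m["section"], m["stub"])
            if reasons:
                hooked.append({**m.groupdict(), "reasons": reasons})
                by_addr[m["addr"].upper()].add(m["module"])
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(m["path"])
    return {
        "hooked_devices": hooked,
        "modified_files": files,
        "hook_addresses": {a: sorted(v) for a, v in by_addr.items()},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_GMER)
    for addr, modules in result["hook_addresses"].items():
        devs = [d["device"] for d in result["hooked_devices"] if d["addr"].upper() == addr]
        print(f"hook at {addr} in {modules}: {len(devs)} device objects")
        for reason in result["hooked_devices"][0]["reasons"]:
            print(f"  - {reason}")
    for path in result["modified_files"]:
        print(f"modified on disk: {path}")
```

One shared hook address across every device object is the pattern to look for: it means one patched routine, not six, and the file entry below it names the driver that was modified on disk. Confirm with a hash of atapi.sys against a known-good copy from the same service pack before treating the driver as infected.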

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
Hi,

Please do the following:

Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2



**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
 

mergatroid

Thread Starter
Joined
Apr 15, 2010
Messages
22
Thank you.

Combofix cannot complete. I ran it three times. The first time resulted in a BSOD, and the second and third times the computer rebooted mid-scan.
 

mergatroid

Thread Starter
Joined
Apr 15, 2010
Messages
22
PS - the stop code on the blue screen was: 0x0000007E (0xc0000005, 0x84911305, 0x8AB6BC78, 0x8AB6B974)
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
Hi,

Delete the copy that you have on your desktop and download a fresh copy.

Rename it to combo.com before saving it to your desktop.

Make certain all your security programs are disabled before running it, and all other windows are closed.

Please try booting into safe mode and running it from safe mode if it still won't run.
 

mergatroid

Thread Starter
Joined
Apr 15, 2010
Messages
22
Excellent -- it worked after renaming the file.
Here is the combofix log:

ComboFix 10-04-15.05 - Erik 16/04/2010 14:27:17.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3006.2037 [GMT -4:00]
Running from: c:\users\Erik\Desktop\ComboFix.com
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat
to: http://www.bleepingcomputer.com/submit-malware.php?channel=4

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tdlcmd.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.

2010-04-16 18:47 . 2010-04-16 18:47 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-16 18:47 . 2010-04-16 18:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-16 18:44 . 2010-04-16 18:44 49032 ----a-w- C:\ComboFix_error.dat
2010-04-16 03:57 . 2010-04-16 03:57 -------- d--h--w- c:\windows\PIF
2010-04-15 23:08 . 2010-04-15 23:08 -------- d-----w- c:\program files\Trend Micro
2010-04-15 21:39 . 2010-04-15 21:41 23111 ----a-w- c:\windows\hpqins15.dat
2010-04-15 21:29 . 2010-04-15 21:29 -------- d-----w- c:\programdata\HP Product Assistant
2010-04-15 21:27 . 2010-04-15 21:35 77375 ----a-w- c:\windows\hpqins05.dat
2010-04-15 11:37 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-15 11:37 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-15 11:37 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-15 11:37 . 2010-03-04 17:33 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-15 11:37 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-15 11:37 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-15 11:37 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 00:41 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 00:41 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-11 20:08 . 2010-04-11 20:08 52224 ----a-w- c:\users\Erik\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-11 20:07 . 2010-04-11 20:07 117760 ----a-w- c:\users\Erik\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-11 20:07 . 2010-04-11 20:07 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-11 20:06 . 2010-04-11 20:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-11 20:06 . 2010-04-11 20:06 -------- d-----w- c:\users\Erik\AppData\Roaming\SUPERAntiSpyware.com
2010-04-11 20:05 . 2010-04-11 20:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-11 14:13 . 2010-04-11 14:23 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-04-11 05:57 . 2010-04-11 05:57 -------- d-----w- c:\users\Erik\AppData\Roaming\Avira
2010-04-11 05:29 . 2010-03-01 13:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-11 05:29 . 2010-02-16 17:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-11 05:29 . 2009-05-11 15:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-11 05:29 . 2009-05-11 15:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-11 05:29 . 2010-04-11 05:29 -------- d-----w- c:\programdata\Avira
2010-04-11 05:29 . 2010-04-11 05:29 -------- d-----w- c:\program files\Avira
2010-04-11 05:14 . 2010-04-11 05:14 680 ----a-w- c:\users\Erik\AppData\Local\d3d9caps.dat
2010-04-06 21:34 . 2010-04-06 21:34 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-04-06 21:25 . 2010-04-06 21:25 -------- d-----w- c:\program files\Common Files\Java
2010-04-06 21:17 . 2010-04-06 21:17 48287 ----a-w- c:\windows\system32\hrjysvzimagux.exe
2010-04-05 05:19 . 2010-04-05 05:19 -------- d-----w- c:\users\Erik\AppData\Local\Blizzard Entertainment
2010-04-03 05:46 . 2010-04-03 05:46 30784 ----a-w- c:\windows\system32\drivers\tgqvhnos.sys
2010-03-30 22:34 . 2010-03-09 15:42 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-30 22:34 . 2010-03-09 16:25 78336 ----a-w- c:\windows\system32\ieencode.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 18:48 . 2008-06-03 23:06 -------- d-----w- c:\users\Erik\AppData\Roaming\DNA
2010-04-16 17:58 . 2008-06-03 23:06 -------- d-----w- c:\program files\DNA
2010-04-16 11:23 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-16 11:12 . 2007-11-02 09:16 -------- d-----w- c:\programdata\Microsoft Help
2010-04-15 22:33 . 2008-06-07 18:18 -------- d-----w- c:\program files\Cheat Engine
2010-04-15 21:38 . 2007-11-02 09:21 -------- d-----w- c:\programdata\HP
2010-04-15 21:35 . 2008-02-17 23:56 88960 ----a-w- c:\users\Erik\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-15 00:43 . 2008-02-18 00:03 27240 ----a-w- c:\users\Erik\AppData\Roaming\nvModes.dat
2010-04-11 14:54 . 2008-04-16 22:31 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-04-11 14:54 . 2008-04-16 22:31 -------- d-----w- c:\users\Erik\AppData\Roaming\Corel
2010-04-11 14:44 . 2007-12-30 17:26 -------- d-----w- c:\programdata\NVIDIA
2010-04-06 21:24 . 2007-11-02 09:49 -------- d-----w- c:\program files\Java
2010-04-01 11:14 . 2008-06-03 23:06 -------- d-----w- c:\users\Erik\AppData\Roaming\BitTorrent
2010-03-09 08:28 . 2008-12-02 15:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 14:16 . 2009-10-02 16:58 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-21 16:52 . 2010-02-21 16:51 -------- d-----w- c:\program files\iTunes
2010-02-21 16:51 . 2010-02-21 16:51 -------- d-----w- c:\program files\iPod
2010-02-21 16:51 . 2008-02-18 20:28 -------- d-----w- c:\program files\Common Files\Apple
2010-02-21 16:48 . 2010-02-21 16:47 -------- d-----w- c:\program files\QuickTime
2010-02-21 16:43 . 2010-02-21 16:43 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-20 23:06 . 2010-03-10 08:08 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 08:07 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 08:07 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-17 01:51 . 2010-02-17 01:51 -------- d-----w- c:\programdata\Yahoo! Companion
2010-02-17 01:50 . 2010-02-17 01:50 -------- d-----w- c:\program files\ONLYUSEmeBLADE
2010-02-17 01:50 . 2010-02-17 01:50 -------- d-----w- c:\program files\Conduit
2010-01-25 12:00 . 2010-02-23 19:18 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-23 19:18 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-23 19:18 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-23 19:18 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-23 19:18 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-23 19:18 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-23 19:18 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-23 19:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-23 19:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-23 19:18 2048 ----a-w- c:\windows\system32\tzres.dll
2008-04-16 22:31 . 2008-04-16 22:31 88 --sha-r- c:\windows\System32\AED9B54B09.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{edf6ed5f-bec3-4387-bbcc-b1f01c403b9b}"= "c:\program files\ONLYUSEmeBLADE\tbONLY.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{edf6ed5f-bec3-4387-bbcc-b1f01c403b9b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{edf6ed5f-bec3-4387-bbcc-b1f01c403b9b}]
2009-12-31 16:53 2349080 ----a-w- c:\program files\ONLYUSEmeBLADE\tbONLY.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{edf6ed5f-bec3-4387-bbcc-b1f01c403b9b}"= "c:\program files\ONLYUSEmeBLADE\tbONLY.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{edf6ed5f-bec3-4387-bbcc-b1f01c403b9b}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EDF6ED5F-BEC3-4387-BBCC-B1F01C403B9B}"= "c:\program files\ONLYUSEmeBLADE\tbONLY.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{edf6ed5f-bec3-4387-bbcc-b1f01c403b9b}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2010-04-11 323392]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Google Update"="c:\users\Erik\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-06-28 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-09 159744]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 19:13 49152 ----a-w- c:\progra~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Launchy.lnk]
backup=c:\windows\pss\Launchy.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]
backup=c:\windows\pss\Vongo Tray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Erik^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
backup=c:\windows\pss\Stardock ObjectDock.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Erik^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
backup=c:\windows\pss\Yahoo! Widgets.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vc log bows face]
c:\programdata\clock coal beep.4vz7xc [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Web Help]
c:\programdata\BallAudioAudio.20oyyt [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 19:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2006-08-04 15:00 462336 ----a-w- c:\program files\Corel\Corel Snapfire\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 14:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-08-24 01:36 455968 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]
2007-09-04 21:54 554320 ----a-w- c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-09-19 22:31 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-10-01 03:34 181544 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-08-17 07:13 218408 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):98,55,fb,e1,dd,34,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4115463262-510367102-684270071-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

R3 MUSTechVIDCAP;ADS DVD XPRESS DX2;c:\windows\system32\drivers\musgostrm.sys [2007-02-16 252160]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-24 01:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4115463262-510367102-684270071-1000Core.job
- c:\users\Erik\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-28 20:21]

2010-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4115463262-510367102-684270071-1000UA.job
- c:\users\Erik\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-28 20:21]

2010-04-16 c:\windows\Tasks\User_Feed_Synchronization-{075B6966-1ACD-46E2-9763-09F6E8050C58}.job
- c:\windows\system32\msfeedssync.exe [2008-09-10 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://flvdirect.iamwired.net/
uSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
uDefault_Search_URL = hxxp://internetsearchservice.com
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
mSearch Bar = hxxp://internetsearchservice.com/ie6.html
mSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://internetsearchservice.com
mSearchURL = hxxp://internetsearchservice.com
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Erik\AppData\Roaming\Mozilla\Firefox\Profiles\gxdqtm07.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - component: c:\program files\Mozilla Firefox\extensions\{14294f1e-e2e4-6f57-9bd7-0bbc5e003e02}\components\Z_nuI-aQ-.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\np32dsw.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPMyWebS.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Erik\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-16 14:47
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll atapi.sys >>UNKNOWN [0x87784F61]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8a3acd24
\Driver\ACPI -> acpi.sys @ 0x82613d68
\Driver\atapi -> atapi.sys @ 0x827259b0
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-16 14:58:34
ComboFix-quarantined-files.txt 2010-04-16 18:58
ComboFix2.txt 2010-04-15 22:46

Pre-Run: 76,772,438,016 bytes free
Post-Run: 76,744,691,712 bytes free

- - End Of File - - 84CCBFD8CC35EAE3018AAE8C4105E9BE
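The log above is what a helper reads before writing the CFScript that follows, and a few line patterns carry most of the signal: UAC switched off (EnableLUA=0), Security Center monitoring disabled, msconfig startupreg entries whose file is gone (the [X] marker), IE/Firefox start and search settings pointing at hosts no stock build would use, and the >>UNKNOWN<< module GMER printed in the disk driver stack. The Python triage below is an added example written for this thread, not code from the forum, ComboFix or GMER; the log excerpt and the allowlist of expected hosts are constructed, and the line formats are assumed from the log as posted.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt in the ComboFix / GMER-MBR line formats seen in the thread (not a real log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vc log bows face]
c:\programdata\clock coal beep.4vz7xc [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
uStart Page = hxxp://flvdirect.iamwired.net/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3
uSearchAssistant = hxxp://internetsearchservice.com
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll atapi.sys >>UNKNOWN [0x87784F61]<<
"""

# Hosts a stock browser / OEM image is expected to point at (constructed allowlist, adjust per machine).
EXPECTED_HOSTS = {"www.google.com", "ie.redirect.hp.com", "www.bing.com"}

KEY_LINE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")                      # [HKEY_...\subkey]
MISSING_FILE = re.compile(r"^(?P<path>\S.*?)\s+\[X\]$")                # ComboFix marks absent files with [X]
BROWSER_SETTING = re.compile(r"^(?P<name>[um](?:Start Page|Search[\w ]*|Default_Search_URL))\s*=\s*(?P<url>\S+)$")
UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")  # GMER MBR check, disk stack


def triage_combofix_log(text):
    """Return findings as {severity, kind, detail} dicts; benign lines produce nothing."""
    findings = []
    current_key = ""  # registry key the following lines belong to
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := KEY_LINE.match(line):
            current_key = m.group("key")
            continue
        if line.startswith('"EnableLUA"=') and line.split("=", 1)[1].strip().startswith("0"):
            findings.append({"severity": "high", "kind": "uac_disabled",
                             "detail": f"{current_key}: EnableLUA=0 (UAC off)"})
        elif line.startswith('"DisableMonitoring"=dword:00000001'):
            findings.append({"severity": "medium", "kind": "security_center_off",
                             "detail": f"{current_key}: DisableMonitoring=1"})
        elif (m := MISSING_FILE.match(line)) and "startupreg" in current_key.lower():
            entry = current_key.rsplit("\\", 1)[-1]  # the startupreg entry name
            findings.append({"severity": "high", "kind": "missing_autostart",
                             "detail": f"{entry} -> {m.group('path')} (file absent)"})
        elif m := BROWSER_SETTING.match(line):
            # ComboFix defangs URLs as hxxp://; restore the scheme so urlparse sees a host
            host = urlparse(m.group("url").replace("hxxp", "http", 1)).hostname or ""
            if host not in EXPECTED_HOSTS:
                findings.append({"severity": "medium", "kind": "search_hijack",
                                 "detail": f"{m.group('name')} -> {host}"})
        elif m := UNKNOWN_MODULE.search(line):
            findings.append({"severity": "critical", "kind": "unknown_disk_module",
                             "detail": f"unnamed module at {m.group('addr')} in the disk driver stack"})
    return findings


if __name__ == "__main__":
    for f in triage_combofix_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['kind']}: {f['detail']}")
```

The missing_autostart hits are the entries a helper turns into `[-HKEY_...]` Registry:: lines in a CFScript, while the unknown_disk_module hit is the reason a further GMER run is asked for.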
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
ComboFix requested a file be uploaded - could you please do that?

Insert this link where it requests you to do so:

http://forums.techguy.org/malware-removal-hijackthis-logs/917172-tdlcmd-dll-problem.html#post7333454

ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat
to: http://www.bleepingcomputer.com/submit-malware.php?channel=4

NEXT


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Code:
http://forums.techguy.org/7333454-post11.html

Collect::
c:\windows\system32\hrjysvzimagux.exe
c:\windows\system32\drivers\tgqvhnos.sys

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vc log bows face]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Web Help]

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


NEXT


We still have work to do; there is still an infected driver that we need to identify.

Please re-run GMER and check the box beside "sections" and the C:\ drive only, leave all other choices blank.

Post the resulting log.
 

mergatroid

Thread Starter
Joined
Apr 15, 2010
Messages
22
I dragged the script to combofix.com, and combofix launched but didn't complete -- or at least it rebooted the system at some point, but no log file was generated that I could find. It wasn't like before when it went through all 50 stages and notepad popped up at the end with the log file.

Meanwhile, in terms of uploading combofix_error.dat, should I just attach it to my reply? If not, how do I upload it to the link you provided?

Shall I continue on with gmer?

Thank you so much for your help so far.
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
This is the link you upload the file to:
http://www.bleepingcomputer.com/submit-malware.php?channel=4

When you open that page, there is a section there to put in a link to this topic.

That's where you put this link:

http://forums.techguy.org/malware-removal-hijackthis-logs/917172-tdlcmd-dll-problem.html#post7333454

Now use the browse button to locate the file ComboFix wants you to upload,

which is this file: C:\ComboFix_error.dat

Then press the upload button.


Now go to C:\Combofix and see if a log was generated.

It will be called C:\combofix.txt
 